GilbelyLiza
just joined
Topic Author
Posts: 2
Joined: Wed Feb 08, 2023 6:03 am

login failure messages for various users attempting to access my Mikrotik devices

Mon Mar 13, 2023 6:38 am

Periodically, I encounter login failure messages for various users attempting to access my Mikrotik devices (router and access points) via ssh, ftp, and telnet. I have configured logging of these ports and can see connection details from hosts on the local network. Brute-force attacks seem to come from different Windows hosts every time, sometimes even at night when no one is present. I have scanned the last two hosts with multiple antivirus tools, but nothing dangerous was found. Could the malicious code be using address spoofing? How can I identify any potential malware?
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: login failure messages for various users attempting to access my Mikrotik devices

Mon Mar 13, 2023 8:55 am

Did you also verify the "trusted" applications? AWG antivirus is known to have a "feature" to detect vulnerable devices on the LAN so that it can alert the user about them. The feature is a recent addition and the user is not prompted to enable it.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: login failure messages for various users attempting to access my Mikrotik devices

Mon Mar 13, 2023 8:56 am

The first and most obvious thing to note - you have administrative ports open to untrusted networks. This is not good.
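
Added example, not part of any post in this thread: a small triage script that groups the login failures described in the question by source address, so that a host trying many usernames or several services (ssh, ftp, telnet), or doing so at night, stands out from a single mistyped password. The log line layout, the sample lines and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). The layout, including the
# "login failure for user X from ADDR via SERVICE" wording, is an assumption.
SAMPLE_LOG = """\
mar/12/2023 02:14:07 system,error,critical login failure for user admin from 192.168.88.23 via ssh
mar/12/2023 02:14:09 system,error,critical login failure for user root from 192.168.88.23 via ssh
mar/12/2023 02:14:12 system,error,critical login failure for user support from 192.168.88.23 via telnet
mar/12/2023 02:14:15 system,error,critical login failure for user ftp from 192.168.88.23 via ftp
mar/12/2023 09:30:41 system,info,account user admin logged in from 192.168.88.10 via winbox
mar/12/2023 09:31:02 system,error,critical login failure for user admin from 192.168.88.10 via ssh
"""

FAILURE_RE = re.compile(
    r"^\S+ (?P<hour>\d{2}):\d{2}:\d{2} .*?"
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)"
)

def summarize_failures(log_text, night_start=22, night_end=6, min_users=3):
    """Group login failures by source address and flag scanner-like sources."""
    per_src = defaultdict(
        lambda: {"count": 0, "users": set(), "services": set(), "night": 0}
    )
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated topics are skipped
        entry = per_src[m["src"]]
        entry["count"] += 1
        entry["users"].add(m["user"])
        entry["services"].add(m["svc"])
        hour = int(m["hour"])
        if hour >= night_start or hour < night_end:
            entry["night"] += 1
    for entry in per_src.values():
        # One person mistyping a password hits one account on one service;
        # many usernames or several services from one host looks automated.
        entry["flagged"] = (
            len(entry["users"]) >= min_users or len(entry["services"]) > 1
        )
    return dict(per_src)

if __name__ == "__main__":
    for src, e in sorted(summarize_failures(SAMPLE_LOG).items()):
        print(src, e["count"], sorted(e["users"]), sorted(e["services"]),
              f"night={e['night']}", "FLAG" if e["flagged"] else "ok")
```

The flagged address and the timestamps of its attempts narrow down which machine to inspect and which scheduled or background software on it was running at that time.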
