Mallory

Mirai

Also known as: Mirai

Mirai is an Internet-of-Things botnet malware family best known for compromising insecure IoT devices and using them to conduct large-scale distributed denial-of-service attacks. The provided content states that Mirai was used in major DDoS attacks, including a 620 Gbps attack against KrebsOnSecurity, and that its source code was apparently released on GitHub by the actor "Anna-senpai," lowering the barrier to entry for follow-on variants and operators. Mirai is described as compact C malware targeting IP cameras and other Internet-connected devices, attempting compromise via hardcoded root passwords, infecting devices, and directing them to send traffic to preset targets. The content notes claims that the botnet previously controlled up to 380,000 bots via Telnet, later declining after ISP remediation efforts.

The content also shows Mirai as an active and persistent botnet ecosystem rather than a single static malware sample. Cisco Talos observed Mirai exploiting Log4j, and Trend Micro’s Zero Day Initiative reported Mirai-associated threat actors exploiting CVE-2023-1389 in TP-Link Archer AX-21 routers since April 11, 2023. Akamai reported active exploitation of CVE-2025-29635, a command injection flaw in discontinued D-Link DIR-823X routers, to deploy a Mirai variant named "tuxnokill," fetched from 88.214.20[.]14 and communicating with command-and-control server 64.89.161[.]130:44300. The same actor was also reported exploiting CVE-2023-1389 and a remote code execution flaw in ZTE ZXV10 H108L routers.

The content further notes that Mirai variants have targeted game servers using Valve Source Engine-related attack modules and that Mirai botnet variants have historically abused ports 27015 and 27016. Across the supplied reporting, Mirai is repeatedly associated with exploitation of publicly known vulnerabilities in exposed edge devices and with broad botnet activity against routinely exploited vulnerabilities. CISA-related reporting cited Mirai as the most active botnet among those exploiting top routinely exploited vulnerabilities in 2022, and Log4Shell was identified as the most commonly used vulnerability by tracked botnets including Mirai. No nation-state attribution is established in the provided content.
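As an added defender-side example (not code from the profile or from any vendor cited above), the script below refangs the two indicators quoted on this page, matches them against connection-log lines, flags traffic to the Source Engine ports the page says Mirai variants have abused, and applies a simple threshold rule for the Telnet brute-force spreading behaviour (T1110 / T1078.001). The log format, the sample log lines, the alert names and the failure threshold are all constructed assumptions for the illustration.

```python
"""Triage helper for the Mirai indicators and behaviours described above.

Indicators are the ones quoted on the page (refanged from the [.] notation).
The log format, sample lines and threshold below are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Indicators quoted on the page, kept in defanged form until use.
PAGE_IOCS = {
    "payload_host": "88.214.20[.]14",
    "c2": "64.89.161[.]130:44300",
}
# Ports the page says Mirai variants have abused (Valve Source Engine servers).
# Legitimate game traffic also uses them, so this is a low-confidence signal.
SOURCE_ENGINE_PORTS = {27015, 27016}
TELNET_PORTS = {23, 2323}
BRUTE_FORCE_THRESHOLD = 5  # assumption: failed Telnet logins from one source before alerting


def refang(ioc: str) -> str:
    """Turn '88.214.20[.]14' into '88.214.20.14', validating the address part."""
    host, _, port = ioc.replace("[.]", ".").partition(":")
    ipaddress.ip_address(host)  # raises ValueError on a malformed indicator
    return f"{host}:{port}" if port else host


C2_IP, _c2_port = refang(PAGE_IOCS["c2"]).split(":")
C2_PORT = int(_c2_port)
PAYLOAD_IP = refang(PAGE_IOCS["payload_host"])

# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <action> [detail]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" (?P<action>\w+)(?: (?P<detail>.*))?$"
)


def parse(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def classify(event: dict) -> list:
    """Return the page-derived findings that apply to one parsed event."""
    findings = []
    if event["dst"] == C2_IP and event["dport"] == C2_PORT:
        findings.append("MIRAI_C2_CONTACT")
    if event["dst"] == PAYLOAD_IP:
        findings.append("MIRAI_PAYLOAD_HOST")
    if event["dport"] in SOURCE_ENGINE_PORTS:
        findings.append("SOURCE_ENGINE_PORT")
    return findings


def analyze(lines) -> list:
    """Per-event IOC matching plus a per-source threshold rule for Telnet brute force."""
    alerts = []
    telnet_failures = Counter()
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        for tag in classify(event):
            alerts.append((tag, event["src"], f'{event["dst"]}:{event["dport"]}'))
        if event["dport"] in TELNET_PORTS and event["action"] == "LOGIN_FAIL":
            telnet_failures[event["src"]] += 1
    for src, count in telnet_failures.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("TELNET_BRUTE_FORCE", src, f"{count} failed logins"))
    return alerts


# Constructed sample log: one host contacting the C2 and payload host, one
# external source hammering Telnet on several devices, and benign noise.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.5:51000 -> 64.89.161.130:44300 ALLOW
2025-06-01T10:00:02Z 10.0.0.5:51001 -> 88.214.20.14:80 ALLOW GET /tuxnokill
2025-06-01T10:00:03Z 10.0.0.5:51002 -> 203.0.113.9:27015 ALLOW
2025-06-01T10:00:04Z 10.0.0.8:51003 -> 10.0.0.30:443 ALLOW
2025-06-01T10:01:00Z 198.51.100.7:40001 -> 10.0.0.20:23 LOGIN_FAIL root
2025-06-01T10:01:01Z 198.51.100.7:40002 -> 10.0.0.21:23 LOGIN_FAIL root
2025-06-01T10:01:02Z 198.51.100.7:40003 -> 10.0.0.22:23 LOGIN_FAIL admin
2025-06-01T10:01:03Z 198.51.100.7:40004 -> 10.0.0.23:2323 LOGIN_FAIL root
2025-06-01T10:01:04Z 198.51.100.7:40005 -> 10.0.0.24:23 LOGIN_FAIL root
2025-06-01T10:02:00Z 10.0.0.9:50000 -> 10.0.0.25:23 LOGIN_FAIL admin
not a connection line
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The C2 match keys on address and port together because the page gives both; the payload-host match keys on address only, since the fetch port is not stated. The single Telnet failure from 10.0.0.9 stays below the threshold and produces no alert, which is the intended behaviour for a one-off typo rather than a scanner.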

MITRE ATT&CK tradecraft

11 distinct techniques observed across reporting, grouped by tactic. 9 of 15 tactics are covered, with 17 technique entries in total. ×N = number of intelligence reports citing this technique.

Tactic                          Technique / sub-technique                       Reports
TA0001 Initial Access           T1078     Valid Accounts
                                T1078.001 Default Accounts                      ×2
TA0002 Execution                T1059     Command and Scripting Interpreter
TA0003 Persistence              T1078     Valid Accounts
                                T1078.001 Default Accounts                      ×2
TA0004 Privilege Escalation     T1068     Exploitation for Privilege Escalation
                                T1078     Valid Accounts
                                T1078.001 Default Accounts                      ×2
TA0005 Stealth                  T1078     Valid Accounts
                                T1078.001 Default Accounts                      ×2
                                T1620     Reflective Code Loading
TA0006 Credential Access        T1110     Brute Force
TA0007 Discovery                T1046     Network Service Discovery               ×2
                                T1082     System Information Discovery
TA0011 Command and Control      T1071     Application Layer Protocol
                                T1105     Ingress Tool Transfer
TA0040 Impact                   T1498     Network Denial of Service               ×3