Sora is a Mirai-derived IoT/Linux botnet malware family. Reporting describes it as a Mirai strain first observed at the start of the year in earlier coverage, with naming on MalwareBazaar traced back to at least August 2024. Sora retains Mirai’s core botnet and DDoS-for-hire functionality, including decoded command support for floods such as UDP, SYN, ACK, and GRE, along with scanner configuration, credential brute-force lists, and self-propagation logic.
Sora has been associated with broad multi-architecture targeting of Linux and embedded devices. Researchers reported variants compiled to run across many CPU architectures, and newer samples were said to execute on Android and Debian as well. One infection routine attempted SSH password guessing and then downloaded multiple platform-specific Sora binaries until one matched the victim device. A March 2026 campaign used a Mirai-variant dropper script, ohshit.sh, to fetch architecture-specific payloads from 45[.]141[.]26[.]73/bins/sora.* using wget and curl, rename the payload to "Chaotic," mark it executable, and run it. The exposed server hosted 14 UPX-packed ELF binaries targeting 15 architectures, with the dropper attempting execution from locations including /tmp, /var/run, /mnt, /root, or /.
Sora is linked in reporting to the actor or developer pseudonym "Wicked." FortiGuard assessed that Wicked, Sora, Owari, and Omni were likely created by the same author, and that the WICKED loader malware was originally meant to deliver Sora before being repurposed to support later projects including Owari and Omni. Separate reporting stated that the original Sora author known as Wicked later shifted development to Owari and described Sora as abandoned, although other actors appear to have continued improving the codebase.
Detection and naming overlap with other Mirai/Gafgyt-derived activity. Fortinet stated that related malware was detected as ELF/Gafgyt.SORA!tr, ELF/Gafgyt.C0MOX!tr, ELF/Mirai.EGX!tr, and Python/Gafgyt.C0MOX!tr. Reporting also noted that competing malware families explicitly hunt for and kill processes linked to the Sora botnet family, indicating Sora’s presence in the Linux/IoT botnet ecosystem.
High-confidence indicators mentioned in the content include the dropper ohshit.sh; distribution infrastructure at 45[.]141[.]26[.]73; URLs hxxp://45[.]141[.]26[.]73/ohshit[.]sh and hxxp://45[.]141[.]26[.]73/bins/sora.*; the process masquerade name "Chaotic" used in one 2026 campaign; and the string "SoraLOADER" referenced in analysis of the WICKED propagation component.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
13 distinct techniques documented for this family, organized by ATT&CK tactic.
UPX 3.94 packed, statically linked, section headers stripped -- standard Mirai anti-analysis
AI generated content and videos that had to do with protests... protests that didn't happen or that were not real content of existing protests... coverage of current events need to be authentic in that sense.
cat sora.< arch > >Chaotic; chmod +x *; ./Chaotic ... MITRE ATT&CK Technique ID ... Masquerading T1036.003 Binary renamed to "Chaotic"
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced only as a FortiGuard detection name for a Gafgyt-related sample; no additional details are provided in the content.
A botnet family referenced as a competing malware process that CondiBot attempts to kill on infected machines.
Sora is described as a Mirai-variant botnet payload distributed by the ohshit.sh shell dropper. It targets a wide range of Linux/IoT CPU architectures, downloads and executes architecture-specific ELF binaries, uses UPX packing and stripped sections for anti-analysis, and retains Mirai-style DDoS, scanning, credential brute-force, and self-propagation capabilities. The binaries are renamed and executed as "Chaotic."
Sora is a Mirai strain whose newer variants were improved to run across many architectures using Aboriginal Linux-built binaries, including successful execution on Android and Debian, and spread by guessing SSH passwords and trying multiple binaries until one matches the victim platform.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.