Mallory

v3g4

Also known as: V3G4

V3G4 is a Mirai-based botnet variant observed as of November 2025. It is notable for leveraging 13 different CVEs for Linux-based propagation and for brute-forcing SSH credentials. V3G4 is part of the broader Mirai ecosystem, which has evolved to target not only consumer IoT devices but also industrial controllers and supply chain devices. The variant is associated with high-volume DDoS attacks and is one of several Mirai derivatives (including Jackskid, ShadowV2, and Murdoc) that have contributed to a significant resurgence in Mirai botnet activity. V3G4's infection vectors include unpatched firmware, weak credentials, and exploitation of known vulnerabilities. There is no direct evidence in the provided content linking V3G4 to nation-state actors, but other Mirai variants have been used by such actors. V3G4's activity is part of a rapidly evolving threat landscape, with a focus on maximizing infection rates and leveraging compromised devices for DDoS and potentially other monetization schemes.
