Mirai
Mirai is a Linux/IoT botnet malware family best known for infecting Internet of Things devices by abusing default or weak credentials, especially on internet-exposed devices such as IP cameras, DVRs, routers, and similar embedded systems. Public reporting describes its operators scanning the internet for vulnerable IoT devices and compromising them at scale by logging in with factory credentials that had never been changed. Infected devices are controlled through command-and-control infrastructure and used primarily to launch distributed denial-of-service attacks; the 2016 Mirai botnet is specifically cited as causing a massive East Coast internet outage and as an example of terabit-scale attacks against global infrastructure. The October 2016 Dyn attack is referenced as disrupting major online services and infrastructure for hours.
The sources also show that Mirai remains highly active through many variants and derivative botnets: variants are described as still circulating nearly a decade later, with the leaked source code reused by multiple threat actors. Mirai-derived or Mirai-like malware named in the sources includes LiquorBot, Aquabot, Nosedive, Sora, Satori/Okiru, and other unnamed variants. Reported capabilities and behaviors across these references include multi-architecture Linux payloads, scanning, exploitation of known vulnerabilities, brute-force access via Telnet or SSH, command-and-control operation, and DDoS functionality. One Mirai variant was observed exploiting Log4j (CVE-2021-44228); others exploited CVE-2022-22954, CVE-2023-1389 on TP-Link Archer AX21 routers, the GPON flaws CVE-2018-10561 and CVE-2018-10562, Apache Struts CVE-2017-5638, and enterprise or appliance vulnerabilities alongside more traditional IoT targets. A Mirai-derived campaign is also described as combining DDoS botnet capability with a stealthy fileless cryptominer.
The malware targets Linux-based and embedded devices broadly, with references to routers, cameras, DVRs, NVRs, Android-based devices exposed via ADB, and, in some variants, enterprise-facing appliances or software. The sources further note active exploitation delivering Mirai variants via hosting-stack and cPanel-related flaws, including CVE-2026-48172 in the LiteSpeed User-End cPanel Plugin and CVE-2026-41940, which is described as weaponized to drop Mirai and ransomware at scale. Mirai infrastructure and activity are also referenced in conflict-related DDoS operations against Ukrainian and Russian targets.
High-confidence indicators and technical references mentioned directly in the sources include Fortinet detections such as ELF/Mirai.EGX!tr and Linux/Mirai.Y!tr.bdr; Mirai C2 or related infrastructure including 5.182.211.5, 209.141.33.208, l[.]ocalhost[.]host:47883, linuxuclib.com:8080, jbeupq84v7.2y.net, and multiple 185.10.68.0/24 addresses; and the Mirai string-table encryption key 0xdeadf00d noted in one variant (the leaked 2016 source shipped with 0xdeadbeef). Across sources, Mirai is consistently characterized as the canonical IoT botnet malware family whose leaked codebase enabled a long tail of variants used by diverse actors for large-scale DDoS and related malicious operations.
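The table key above is the most useful artefact in that list for triage, because a changed key is often the only thing a fork alters in the string-obfuscation scheme. The decoder below is an added example written for this page, not code from any Mirai sample or vendor report: it reproduces the XOR scheme of the leaked Mirai source (bot/table.c, toggle_obf), derives the single effective XOR byte from any 32-bit key, decodes a constructed entry, and brute-forces the byte when a sample's key is unknown. It assumes the 0xdeadf00d variant keeps the original scheme and only changes the key; the sample blob is constructed for the example, not taken from a real binary.

```python
"""Decoder for Mirai-style obfuscated table strings (added example).

The leaked Mirai source (bot/table.c, toggle_obf) XORs every byte of a stored
string with each of the four bytes of a 32-bit table key in turn; the original
release used 0xdeadbeef.  XOR is associative, so that equals a single-byte XOR
with k1 ^ k2 ^ k3 ^ k4 (0x22 for 0xdeadbeef).  The same routine both hides and
reveals the strings, which is why one function serves for both directions.
Assumption: the 0xdeadf00d variant keeps this scheme and only changes the key.
"""
from __future__ import annotations


def effective_xor_byte(table_key: int) -> int:
    """Collapse a 32-bit table key into the single byte the XOR loop applies."""
    k1 = table_key & 0xFF
    k2 = (table_key >> 8) & 0xFF
    k3 = (table_key >> 16) & 0xFF
    k4 = (table_key >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def toggle_obf(data: bytes, table_key: int) -> bytes:
    """Equivalent of Mirai's toggle_obf(): obfuscate or deobfuscate one entry."""
    k = effective_xor_byte(table_key)
    return bytes(b ^ k for b in data)


def decode_table_entry(blob: bytes, table_key: int) -> str:
    """Decode an entry and drop the NUL terminator the table stores with it."""
    return toggle_obf(blob, table_key).split(b"\x00", 1)[0].decode("latin-1")


def recover_xor_byte(blob: bytes, must_contain: bytes) -> list[int]:
    """Brute-force the effective XOR byte when a sample's key is unknown.

    Every candidate byte whose output is printable ASCII up to the first NUL
    and contains an expected substring (b"/proc", b"busybox", ...) is returned.
    """
    hits = []
    for k in range(256):
        plain = bytes(b ^ k for b in blob).split(b"\x00", 1)[0]
        if plain and all(0x20 <= c < 0x7F for c in plain) and must_contain in plain:
            hits.append(k)
    return hits


# Constructed sample: "/proc/cpuinfo\0" as it would sit in a table keyed with
# 0xdeadf00d (effective XOR byte 0x8e).  Not bytes taken from a real sample.
SAMPLE_BLOB = bytes.fromhex("a1fefce1eda1edfefbe7e0e8e18e")

if __name__ == "__main__":
    print(hex(effective_xor_byte(0xDEADBEEF)), hex(effective_xor_byte(0xDEADF00D)))
    print(decode_table_entry(SAMPLE_BLOB, 0xDEADF00D))
    print([hex(k) for k in recover_xor_byte(SAMPLE_BLOB, b"/proc")])
```

In practice the 32-bit key is rarely what you recover first: a 0x22- or 0x8e-keyed blob in a strings dump is. Running recover_xor_byte over a few extracted blobs with a known landmark such as b"/proc" or b"busybox" gives the effective byte, which is enough to decode the whole table without ever locating the key constant.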
Vulnerabilities exploited
33 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
https://www.akamai.com/blog/security-research/cve-2023-26801-exploited-spreading-mirai-botnet | LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.
CISA has added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The flaw is a maximum-severity privilege escalation vulnerability (CVSS v4.0: 10.0) residing in the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4... Active exploitation has been observed deploying Mirai botnet variants and a ransomware strain called “Sorry.”
Itai Goldman, co-founder and CTO at Miggo Security, added that in the first case with CVE-2026-41940, a critical 9.8 cPanel bug was weaponized to drop Mirai and ransomware at scale across the same hosting stack. | Krell added that CVE-2026-41940 compromised approximately 44,000 cPanel servers less than a month ago.
The primary vulnerability at the center of the event and this review (CVE-2021-44228) will be known as the Log4j vulnerability... Analysts at the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) assessed CVE-2021-44228 as a critical vulnerability with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0. | Cisco Talos observed the Internet-of-Things botnet known as Mirai exploiting Log4j;
We observed several instances of CVE-2022-22954 being exploited to drop variants of the Mirai malware. | CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
Instead, they were either non-specific Mirai variants or contained previously known exploits such as CVE-2017-17215.
Researchers warn the observed payloads share similarities to those found in malware used in Mirai-like botnets. | The Cybersecurity and Infrastructure Security Agency previously added the command injection vulnerability, tracked as CVE-2023-33538, to its Known Exploited Vulnerabilities catalog in July 2025. Palo Alto Networks telemetry detected large-scale exploitation attempts at the time.
Following that, cybersecurity teams warned about multiple botnets, including three Mirai variants ... that targeted unpatched devices. | Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface.
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These variants are notable for two reasons: The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017. | CVE-2017-6884 Zyxel routers GET /cgi-bin/luci/... nslookup ? ...
This led to their participation in a Thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016. | The Janit0r took it upon himself to destroy IoT devices so they couldn’t become infected by Mirai, starting with the “colossally dangerous CVE-2016-10372 situation.” The situation referenced was considered dangerous because it allowed attackers to send remote commands to affected devices from anywhere on the Internet (WAN port) and then reconfigure the devices to allow further remote access.
The exploit targeting Apache Struts in the new variant we found targets CVE-2017-5638, an arbitrary command execution vulnerability via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers.
CVE-2018-10561, CVE-2018-10562 Dasan GPON routers Similar to previous campaigns.
Gigabit-capable Passive Optical Network (GPON) routers manufactured by DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device. | Mirai Botnet (new variants) — GPON exploit has also been integrated into a few new variants (operated by different hacking groups) of the infamous Mirai IoT botnet, which was first emerged and open-sourced in 2016 after it was used to launch record-breaking DDoS attacks.
Researchers have uncovered an active Mirai botnet campaign exploiting CVE-2025-29635, a command-injection vulnerability in legacy D-Link DIR-823X routers, to recruit internet-exposed devices into a distributed denial-of-service (DDoS) botnet. | Researchers have uncovered an active Mirai botnet campaign exploiting CVE-2025-29635... Attackers deploy a Mirai malware variant known as “tuxnokill,” which establishes command-and-control (C2) communication, spreads to additional vulnerable IoT devices, and prepares infected systems for large-scale DDoS operations.
The first major wave of such activity was exemplified by the Mirai botnet, which demonstrated how trivial authentication weaknesses could generate terabit-scale attacks targeting global infrastructure.
CVE-2022-36553: A command injection vulnerability in the popen.cgi component of Hytec Inter HWL-2511-SS devices allows an authenticated attacker to execute arbitrary commands.
CVE-2025-9528: A vulnerability in the Linksys E1700 router's systemCommand function allows an authenticated remote attacker to perform OS command injection.
CVE-2024-3721: A critical command injection vulnerability in certain TBK DVR models allows an unauthenticated remote attacker to execute arbitrary commands via crafted HTTP requests.
CVE-2025-4008: A command injection vulnerability in the web interface of Meteobridge allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.
CVE-2025-34043: A remote command injection vulnerability in Vacron Network Video Recorder (NVR) devices allows unauthenticated attackers to execute arbitrary commands on the operating system.
CVE-2014-3206: Seagate BlackArmor NAS products are vulnerable to remote command execution via the session and auth_name parameters in certain web endpoints.
CVE-2020-10987: The setUsbUnload endpoint in Tenda AC15 and AC1900 routers contains a command injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary system commands.
CVE-2020-9054: A command injection vulnerability in the weblogin.cgi component of multiple Zyxel NAS products allows an unauthenticated remote attacker to execute arbitrary OS commands.
CVE-2024-10914: An unauthenticated remote command injection vulnerability in legacy D-Link NAS devices, particularly in the account_mgr.cgi script, allows an attacker to execute arbitrary shell commands.
CVE-2023-41011: A command execution vulnerability in the shortcut_telnet.cg component of the China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code.
CVE-2013-1599: A command injection vulnerability in the rtpd.cgi component of D-Link IP Cameras allows an unauthenticated remote attacker to execute arbitrary commands via a crafted query string.
CVE-2023-23333: A command injection vulnerability in downloader.php within SolarView Compact devices allows an unauthenticated remote attacker to execute arbitrary commands.
CVE-2022-40619: A firewall authentication bypass vulnerability affects FortiGate, FortiProxy, and FortiSwitchManager, allowing an attacker to perform operations on the administrative interface.
the first exploit used by Okiru is linked to the CVE-2014-8361... Devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection attacks in the UPnP SOAP interface.
Black Lotus Labs notes that the botnet was also involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) at organizations in the same activity sectors.
Researchers at VulnCheck flagged in-the-wild exploitation of CVE-2018-5999, a critical flaw carrying a 9.8 CVSS score, to the RondoDox botnet... VulnCheck began observing exploitation of the Asus vulnerability on May 17. 'Public exploits have been available since 2018,' ... 'But until now, we hadn't seen the vulnerability exploited in the wild.'
CVE-2024-41710 is a command injection vulnerability that affects Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit through R6.4.0.HF1 (R6.4.0.136)... Akamai SIRT detected exploit attempts targeting this vulnerability through our global network of honeypots in early January 2025... This payload will attempt to fetch and execute a shell script called “bin.sh”, which will in turn fetch and execute Mirai malware on the target system.
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
FBI Director Chris Wray last Wednesday disclosed an operation to disrupt a Mirai-variant botnet that has exploited more than 260,000 IoT devices globally.
The operator -- a Chinese-speaking actor using the handle angelalk21 (QQ: 597118859, Telegram: @Kuru_x86) -- runs a Mirai-fork botnet with a novel DNS byte-swap anti-analysis technique that causes passive DNS researchers to track decoy IPs in Japan and the US while the real C2 sits in Germany.
...ultimately deploying the Mirai botnet malware and other DDoS-related programs on compromised devices and servers.
Hackers are exploiting vulnerabilities in end-of-life GeoVision IoT devices and Samsung’s MagicINFO server to expand the Mirai botnet... Akamai observed attacks in April targeting GeoVision devices... to download and run an ARM variant of Mirai dubbed LZRD.
They have employed botnets such as those based on DieNet or Mirai variants for DDoS attacks...
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
2 techniques
vendors like one cybersecurity technology services company observed the use of botnets to automate the reconnaissance process to quickly identify vulnerable targets
Five days following the flaw’s disclosure, Cloudflare observed 400 exploitation attempts per second, totaling millions of scanning attempts to identify vulnerable systems.
Resource Development
2 techniques
Black Lotus Labs began an investigation into compromised routers that led to the discovery of a large, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices... We call this botnet “Raptor Train.”
Mirai’s operators scanned the internet for IoT devices, including large numbers of IP-connected security cameras and DVRs, and compromised them at scale... Those compromised cameras were recruited into a botnet...
Initial Access
2 techniques
Mirai’s operators scanned the internet for IoT devices, including large numbers of IP-connected security cameras and DVRs, and compromised them at scale by logging in with factory credentials that had never been changed.
Krell added that CVE-2026-41940 compromised approximately 44,000 cPanel servers less than a month ago, so a second critical zero-day in the same ecosystem is a pattern.
Execution
3 techniques
There is no race condition to win, nor an authentication gap to bridge — a single malformed API call with the right parameter values is sufficient to escalate to root.
The attack begins with a compact shell script called Universal Bot Downloader that automatically identifies the victim system’s CPU architecture using the uname -m command.
Analysts at the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) assessed CVE-2021-44228 as a critical vulnerability with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0... This reflected the fact that exploitation of the flaw required low attack complexity, no privilege requirements, and no user interaction.
Persistence
1 technique
Privilege Escalation
2 techniques
Firmware had no update path. And in 2016, Mirai – a botnet that exploited exactly those weaknesses – tore through connected devices worldwide.
Stealth
1 technique
Credential Access
1 technique
our research’s contribution lies in confirmatory validation: combining theoretical insights from prior literature with direct observation of real-world attack patterns to confirm the persistence of known behaviors, including credential brute-forcing, Mirai-style commands, and Telnet dominance
Discovery
2 techniques
Mirai’s operators scanned the internet for IoT devices, including large numbers of IP-connected security cameras and DVRs...
The most frequent command was uname -s -v -n -r -m... Additional commands queried /proc/uptime and /proc/cpuinfo, counted processor cores using grep and wc -l, and inspected the operating system with uname -a and whoami.
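The Initial Access, Credential Access, Execution and Discovery rows above describe two behaviours that are cheap to fingerprint in Telnet honeypot or auth logs: a burst of logins from a fixed list of factory credentials, then a short run of host-recon commands (uname, /proc/uptime, /proc/cpuinfo, core counting with grep and wc -l, whoami, and the uname -m architecture probe used by the downloader script). The detector below is an added example written for this page, not code from any of the quoted reports. The log format and the two sessions it parses are constructed for the example, and the credential list is a hand-picked subset of the pairs carried by the leaked Mirai scanner.c; both are assumptions to adapt to your own honeypot output.

```python
"""Flag Mirai-style Telnet sessions in honeypot/auth logs (added example).

Two behaviours reported for Mirai and its descendants are cheap to fingerprint
with plain log parsing: credential brute-forcing from a fixed list of factory
logins, and a burst of host-recon commands after a successful login (uname,
/proc/cpuinfo, core counting with grep/wc, whoami, uname -m before the
architecture-specific payload is fetched).  The log format below is constructed
for this example; adapt parse_line() to whatever your honeypot emits.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Hand-picked subset of the factory credentials in the leaked Mirai scanner.c.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("root", "root"), ("root", "12345"), ("user", "user"), ("admin", "password"),
}

# Host-recon commands reported after login (Discovery and Execution rows).
RECON_PATTERNS = [re.compile(p) for p in (
    r"\buname\b",        # uname -s -v -n -r -m / uname -a / uname -m
    r"/proc/uptime",
    r"/proc/cpuinfo",
    r"\bwc\s+-l\b",      # core counting: grep ... | wc -l
    r"\bwhoami\b",
)]

# Constructed line format: "<ts> <src-ip> LOGIN <user> <pw|-> OK|FAIL" or
# "<ts> <src-ip> CMD <command line>".  "-" stands for an empty password.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:LOGIN\s+(?P<user>\S+)\s+(?P<pw>\S+)\s+(?P<result>OK|FAIL)|CMD\s+(?P<cmd>.*))$"
)


def parse_line(line: str) -> dict | None:
    """Return the parsed event as a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["pw"] == "-":
        ev["pw"] = ""
    return ev


def analyze(lines) -> dict[str, dict]:
    """Per-source summary: login attempts, default-credential hits, recon commands."""
    stats: dict[str, dict] = defaultdict(lambda: {
        "login_attempts": 0, "default_cred_attempts": 0,
        "default_cred_success": False, "recon_hits": 0,
    })
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        s = stats[ev["src"]]
        if ev["cmd"] is not None:
            # Count each command once even if it matches several patterns.
            if any(p.search(ev["cmd"]) for p in RECON_PATTERNS):
                s["recon_hits"] += 1
            continue
        s["login_attempts"] += 1
        if (ev["user"], ev["pw"]) in MIRAI_DEFAULT_CREDS:
            s["default_cred_attempts"] += 1
            if ev["result"] == "OK":
                s["default_cred_success"] = True
    return dict(stats)


def flag_sessions(lines, min_default_attempts: int = 3, min_recon: int = 2) -> list[str]:
    """Sources that look like a Mirai-style scanner (brute force) or loader (recon)."""
    flagged = []
    for src, s in analyze(lines).items():
        bruteforce = s["default_cred_attempts"] >= min_default_attempts
        post_login = s["default_cred_success"] and s["recon_hits"] >= min_recon
        if bruteforce or post_login:
            flagged.append(src)
    return sorted(flagged)


# Constructed sample: one Mirai-like session and one ordinary admin login.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 LOGIN root xc3511 FAIL
2024-05-01T10:00:02Z 203.0.113.5 LOGIN root vizxv FAIL
2024-05-01T10:00:02Z 203.0.113.5 LOGIN admin admin FAIL
2024-05-01T10:00:03Z 203.0.113.5 LOGIN root - FAIL
2024-05-01T10:00:04Z 203.0.113.5 LOGIN root 888888 OK
2024-05-01T10:00:05Z 203.0.113.5 CMD uname -s -v -n -r -m
2024-05-01T10:00:05Z 203.0.113.5 CMD cat /proc/uptime
2024-05-01T10:00:06Z 203.0.113.5 CMD cat /proc/cpuinfo | grep processor | wc -l
2024-05-01T10:00:06Z 203.0.113.5 CMD uname -m
2024-05-01T10:02:11Z 198.51.100.7 LOGIN ops Tr0ub4dor&3 FAIL
2024-05-01T10:02:20Z 198.51.100.7 LOGIN ops correct-horse OK
2024-05-01T10:02:25Z 198.51.100.7 CMD uname -a
2024-05-01T10:02:30Z 198.51.100.7 CMD ls -la /var/log
""".splitlines()

if __name__ == "__main__":
    for src, s in analyze(SAMPLE_LOG).items():
        print(src, s)
    print("flagged:", flag_sessions(SAMPLE_LOG))
```

The two thresholds are deliberately separate: a scanner that never gets in still trips the brute-force rule, while a loader that lands on the first try (the device really does use a factory password) is caught by the recon rule. A single uname from a real administrator, as in the second session, is not enough on its own.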
Lateral Movement
1 technique
loader/ Infects vulnerable devices using telnet brute-force
Command and Control
3 techniques
Over the years, IoT botnets have evolved from centralized command-and-control (C2) models toward resilient peer-to-peer infrastructures designed to sustain operations even after partial takedowns.
The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.
Itai Goldman, co-founder and CTO at Miggo Security, added that in the first case with CVE-2026-41940, a critical 9.8 cPanel bug was weaponized to drop Mirai and ransomware at scale across the same hosting stack.
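The Condi row notes that forks keep a modified version of Mirai's binary C2 protocol, so a baseline parser for the original format is what you diff captured traffic against. The parser below is an added example written for this page, not code from the leaked source or from any vendor tool: it frames the C2-to-bot stream (2-byte big-endian length, zero length is a keep-alive) and decodes the attack command laid out in bot/attack.c (uint32 duration, uint8 vector, uint8 target count with IPv4+netmask per target, uint8 option count with key/length/value per option). The vector names follow bot/attack.h; the option-key names are a partial map covering only the keys I am confident of, and the sample stream is constructed with the small encoder in the block, not captured traffic.

```python
"""Parser for the Mirai bot-side C2 attack command (added example).

Framing and field layout follow the leaked source (bot/main.c and
bot/attack.c, attack_parse):

    uint16 length   (big-endian; 0 = keep-alive)
    uint32 duration (seconds, big-endian)
    uint8  attack vector id
    uint8  target count, then per target: uint32 IPv4 + uint8 netmask
    uint8  option count, then per option: uint8 key, uint8 length, value

Forks such as Condi change this format; use the parser as the baseline to
diff against, not as a universal decoder.
"""
from __future__ import annotations

import ipaddress
import struct

# Vector ids from bot/attack.h.
ATTACK_VECTORS = {
    0: "UDP", 1: "VSE", 2: "DNS", 3: "SYN", 4: "ACK", 5: "STOMP",
    6: "GREIP", 7: "GREETH", 8: "PROXY", 9: "UDP_PLAIN", 10: "HTTP",
}
# Partial option-key map (bot/attack.h); unknown keys are kept numeric.
ATTACK_OPTIONS = {4: "TTL", 6: "SPORT", 7: "DPORT", 8: "DOMAIN"}


class MalformedCommand(ValueError):
    """Raised when a frame or command body is truncated or inconsistent."""


def read_frames(stream: bytes):
    """Split a captured C2-to-bot byte stream into ("keepalive"|"attack", body)."""
    off = 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack(">H", stream[off:off + 2])
        off += 2
        if length == 0:
            yield ("keepalive", b"")
            continue
        if off + length > len(stream):
            raise MalformedCommand(f"frame claims {length} bytes, {len(stream) - off} left")
        yield ("attack", stream[off:off + length])
        off += length


def parse_attack(body: bytes) -> dict:
    """Decode one attack command body; raises MalformedCommand on truncation."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise MalformedCommand(f"need {n} bytes at offset {off}, have {len(body) - off}")
        chunk = body[off:off + n]
        off += n
        return chunk

    duration, vector, targ_count = struct.unpack(">IBB", take(6))
    if targ_count == 0:
        raise MalformedCommand("zero targets")          # attack_parse bails out here too
    targets = []
    for _ in range(targ_count):
        ip_raw, mask = struct.unpack(">4sB", take(5))   # IP stays in network byte order
        targets.append(f"{ipaddress.IPv4Address(ip_raw)}/{mask}")
    options = {}
    for _ in range(take(1)[0]):
        key, vlen = struct.unpack(">BB", take(2))
        options[ATTACK_OPTIONS.get(key, key)] = take(vlen).decode("latin-1")
    return {
        "duration": duration,
        "vector": ATTACK_VECTORS.get(vector, f"unknown({vector})"),
        "targets": targets,
        "options": options,
        "trailing_bytes": len(body) - off,              # original parser ignores these
    }


def is_malformed(body: bytes) -> bool:
    """True if the body does not decode as a well-formed command."""
    try:
        parse_attack(body)
        return False
    except MalformedCommand:
        return True


def build_attack(duration: int, vector: int, targets: list[str], options: dict[int, str]) -> bytes:
    """Encode a framed command; used here only to construct the test sample."""
    body = struct.pack(">IBB", duration, vector, len(targets))
    for cidr in targets:
        net = ipaddress.IPv4Network(cidr, strict=False)
        body += net.network_address.packed + bytes([net.prefixlen])
    body += bytes([len(options)])
    for key, val in options.items():
        raw = val.encode("latin-1")
        body += bytes([key, len(raw)]) + raw
    return struct.pack(">H", len(body)) + body


# Constructed sample stream: one keep-alive, then a 60 s SYN flood against a
# documentation-range address with destination port and TTL options set.
SAMPLE_STREAM = b"\x00\x00" + build_attack(60, 3, ["203.0.113.10/32"], {7: "80", 4: "64"})

if __name__ == "__main__":
    for kind, body in read_frames(SAMPLE_STREAM):
        print(kind, parse_attack(body) if kind == "attack" else "")
```

The truncation checks mirror the length tests in attack_parse, so a body the original bot would silently drop is reported here as MalformedCommand rather than as a half-decoded command. When a fork's traffic fails to parse at a consistent offset, that offset is usually where the author inserted or widened a field, which is the quickest way to map the modification.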
Impact
2 techniques
A variant of Mirai called LiquorBot was used for cryptocurrency mining.
Those compromised cameras were recruited into a botnet used to launch some of the largest distributed denial-of-service attacks ever recorded, including the October 2016 attack against Dyn that took down Twitter, Reddit, Netflix, and large portions of internet infrastructure for hours.
IOCs tracked for this family
443 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced only via antivirus detection naming in the report; no direct behavioral discussion is provided.
Referenced only as an antivirus detection name associated with malware components in the report; no direct behavioral discussion is provided.
IoT botnet that compromised internet-exposed devices such as security cameras and DVRs using unchanged factory credentials, then recruited them to launch large-scale distributed denial-of-service attacks.
Botnet malware whose variants are being deployed through exploitation of CVE-2026-48172 on vulnerable LiteSpeed User-End cPanel Plugin installations.