Mirai IoT Botnet Fueled Record DDoS Attacks and Widespread Internet Outages
The Mirai malware turned insecure internet-connected devices into massive DDoS botnets that powered some of the largest attacks publicly reported, including floods against OVH, KrebsOnSecurity, and DNS provider Dyn. The botnet spread by logging into exposed IoT devices such as cameras, DVRs, routers, and gateways with hardcoded or default credentials, and defenders later warned that products including certain Sierra Wireless AirLink gateways could be conscripted if factory passwords were left unchanged. After the malware’s source code was released publicly under the alias "Anna-senpai", multiple actors were able to build copycat botnets, increasing attack volume and complicating attribution.
The Dyn attack disrupted access to major online services including Twitter, Spotify, Reddit, GitHub, Airbnb, Shopify, SoundCloud, and The New York Times, with Dyn describing a highly distributed, adaptive campaign delivered in several waves from vast numbers of IP addresses. Investigative reporting tied Mirai’s origins to the DDoS-for-hire and Minecraft-hosting ecosystem and presented evidence linking the Anna-senpai persona to Paras Jha and associates, while later reporting showed Mirai variants continued launching attacks long after the original incidents. Researchers identified limited countermeasures, including crashing some bots via a flaw in Mirai’s HTTP flood code and traceback methods for DNS amplification traffic, but the broader risk persisted because vulnerable IoT devices remained widely deployed and malware authors could quickly adapt.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Krebs report links 'Anna-senpai' identity to Paras Jha and Mirai ecosystem
An investigative report published in January 2017 tied the Mirai author alias 'Anna-senpai' to Paras Jha and linked Mirai's development and use to the DDoS-for-hire and Minecraft server protection ecosystem. The report also connected the alias cluster to extortion, anti-competitive attacks, and abuse campaigns against rival botnets, while Jha denied writing Mirai.
Mirai-linked DDoS attacks disrupt Liberia's national internet connectivity
In late October 2016, sustained DDoS attacks reportedly using the Mirai botnet targeted two companies that co-owned Liberia's only fiber connection, severely disrupting the country's internet access. Security researchers said the attacks exceeded 500-600 Gbps, showing that Mirai operators could significantly affect a nation's connectivity infrastructure.
StarHub experiences DNS disruptions traced to infected IoT devices
On October 22 and again on October 24, 2016, Singapore ISP StarHub suffered DNS-service disruptions that it traced to malware-infected IoT devices belonging to home broadband subscribers. The specific malware was not publicly identified.
Dyn and investigators link attack traffic to Mirai botnets
During the Dyn outage response, Dyn and outside investigators said some of the malicious traffic came from Mirai-infected IoT devices. Flashpoint reported the infrastructure involved was Mirai-linked and distinct from the botnets previously used against Brian Krebs and OVH, while U.S. authorities including DHS began investigating.
Dyn suffers multi-wave DDoS attack causing major internet outages
On October 21, 2016, DNS provider Dyn was hit by several waves of DDoS traffic that disrupted access to major sites including Twitter, Spotify, Reddit, GitHub, Airbnb, and the New York Times. Dyn described the attack as highly distributed and adaptive, with U.S. users especially affected.
Sierra Wireless warns Mirai is infecting default-configured gateways
Sierra Wireless alerted customers that Mirai was compromising certain AirLink gateway models that still used factory-default credentials. ICS-CERT said the issue stemmed from weak configuration rather than a product flaw, and advised changing credentials and rebooting infected devices.
Mirai source code released publicly by 'Anna-senpai'
After Mirai had already been used in major attacks, its source code was publicly released on GitHub by the actor using the alias 'Anna-senpai.' Reporting said the botnet had previously controlled hundreds of thousands of IoT devices and that the release likely complicated attribution and enabled copycat botnets.
OVH hit by record DDoS from 152,000 compromised IoT devices
In late September 2016, hosting provider OVH was struck by record-breaking DDoS attacks peaking near 1 Tbps. Reports said the traffic came from a botnet of more than 152,000 hacked IoT devices such as cameras and DVRs.
KrebsOnSecurity knocked offline by 620 Gbps IoT botnet DDoS
In September 2016, KrebsOnSecurity was hit by a record 620 Gbps DDoS attack that forced Akamai to stop providing protection because of the attack's scale and cost. Reporting attributed the assault largely to a botnet of compromised IoT devices such as routers, cameras, and DVRs, and linked it to retaliation after coverage of the vDOS service.
Researchers highlight defensive techniques against Mirai-driven attacks
By May 2026, defenders had publicized two notable countermeasures: a stack buffer overflow in Mirai's HTTP flood code that could crash attacking bots, and a CISPA-developed traceback method for identifying the origins of DNS amplification attacks. Reporting noted these measures could help mitigation but were not complete solutions because Mirai variants could be patched and vulnerable IoT devices remained widespread.


