Mirai Variant Exploits Multiple IoT Flaws to Expand Botnet Infections
Palo Alto Networks Unit 42 reported that a new Mirai campaign is targeting internet-exposed IoT devices by chaining multiple known exploits to compromise systems and pull them into a botnet. The activity focuses on broad opportunistic scanning and exploitation, continuing Mirai’s long-running pattern of abusing weakly secured embedded devices such as routers, cameras, and other Linux-based appliances.
The campaign’s significance lies in its use of several IoT vulnerabilities rather than a single flaw, increasing the number of devices that can be infected and used for follow-on malicious activity such as distributed denial-of-service (DDoS) attacks. The report highlights the ongoing risk from unpatched and publicly reachable IoT infrastructure, underscoring the need for rapid patching, exposure reduction, and stronger hardening of embedded systems connected to the internet.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Akamai reports Mirai campaign targeting D-Link devices
Akamai published research describing a Mirai campaign exploiting CVE-2025-29635 to target D-Link 823X series routers. The report highlighted continued abuse of older, unpatched or retired IoT devices as part of ongoing botnet activity.
Unit 42 reports exploitation attempts against TP-Link routers
Palo Alto Networks Unit 42 reported active attempts to exploit CVE-2023-33538, a command injection flaw affecting several end-of-life TP-Link routers. The payloads resembled Mirai-like botnet malware, though Unit 42 said the observed attempts were unsuccessful.
The Register reports new Mirai botnet spreading via end-of-life IP cameras
The Register reported that end-of-life IP cameras were being used to propagate a new Mirai botnet. This represents a distinct later-stage Mirai IoT campaign development focused on unsupported camera devices.
Ars reports DDoS botnets exploiting Zyxel devices via critical flaw
Ars Technica reported that DDoS botnets were continuing to compromise Zyxel devices affected by a critical vulnerability. This adds Zyxel as a distinct targeted vendor in the Mirai-style IoT botnet exploitation timeline.
Unit 42 publishes analysis of Mirai IoT exploit campaign
Palo Alto Networks Unit 42 published a report describing a Mirai variant campaign leveraging multiple IoT exploits to target internet-connected devices. The reference indicates public disclosure of the campaign analysis but provides no additional dated milestones in the supplied content.
Fortinet reports Beastmode Mirai exploiting TOTOLINK vulnerabilities
Fortinet threat research disclosed that the Beastmode Mirai campaign was leveraging vulnerabilities in TOTOLINK devices. This added a distinct vendor and exploit set to the documented Mirai-family targeting activity.
Unit 42 reports Mirai and Gafgyt targeting Apache Struts and SonicWall
Unit 42 reported new Mirai and Gafgyt variants exploiting enterprise-facing targets in addition to typical IoT devices, including Apache Struts CVE-2017-5638 and SonicWall GMS CVE-2018-9866. The report linked the botnets through overlapping infrastructure and highlighted a shift toward abusing outdated enterprise systems alongside routers, DVRs, and NVRs.
Fortinet reports Satori exploiting wireless IP cameras
Fortinet published threat research describing the Satori botnet adding a known exploit chain to enslave wireless IP cameras. This represents a distinct Mirai-family campaign development predating the later Unit 42 analysis.
Sources
9 references tracked. Mallory keeps watching after this page renders.
CVE-2025-29635: Mirai Campaign Targets D-Link Devices | Akamai
akamai.com
Open sourceTP-Link routers face exploitation attempt linked to high-severity flaw | Cybersecurity Dive
cybersecuritydive.com
Open sourceEnd-of-life IP cams being used to spread new Mirai botnet
theregister.com
Open sourceZyxel users still getting hacked by DDoS botnet emerge as public nuisance No. 1 - Ars Technica
arstechnica.com
Open sourceIoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
unit42.paloaltonetworks.com
Open sourceMirai Variant V3G4 Targets IoT Devices
unit42.paloaltonetworks.com
Open sourceFresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
fortinet.com
Open sourceMulti-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
researchcenter.paloaltonetworks.com
Open sourceSatori Adds Known Exploit Chain to Enslave Wireless IP Cameras
fortinet.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of **TP-Link Archer AX21** flaw `CVE-2023-1389` and later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Mar 22, 2026
Mirai IoT Botnet Fueled Record DDoS Attacks and Widespread Internet Outages
The **Mirai** malware turned insecure internet-connected devices into massive DDoS botnets that powered some of the largest attacks publicly reported, including floods against **OVH**, **KrebsOnSecurity**, and DNS provider **Dyn**. The botnet spread by logging into exposed IoT devices such as cameras, DVRs, routers, and gateways with hardcoded or default credentials, and defenders later warned that products including certain **Sierra Wireless AirLink** gateways could be conscripted if factory passwords were left unchanged. After the malware’s source code was released publicly under the alias **"Anna-senpai"**, multiple actors were able to build copycat botnets, increasing attack volume and complicating attribution. The Dyn attack disrupted access to major online services including **Twitter, Spotify, Reddit, GitHub, Airbnb, Shopify, SoundCloud, and The New York Times**, with Dyn describing a highly distributed, adaptive campaign delivered in several waves from vast numbers of IP addresses. Investigative reporting tied Mirai’s origins to the DDoS-for-hire and Minecraft-hosting ecosystem and presented evidence linking the **Anna-senpai** persona to **Paras Jha** and associates, while later reporting showed Mirai variants continued launching attacks long after the original incidents. Researchers identified limited countermeasures, including crashing some bots via a flaw in Mirai’s HTTP flood code and traceback methods for DNS amplification traffic, but the broader risk persisted because vulnerable IoT devices remained widely deployed and malware authors could quickly adapt.
May 25, 2026
ShadowV2 Mirai-Based Botnet Exploits IoT Vulnerabilities During AWS Outage
A new Mirai-based botnet variant named **ShadowV2** was observed exploiting a major AWS outage in October to infect IoT devices across 28 countries. Security researchers at Fortinet’s FortiGuard Labs reported that ShadowV2 leveraged at least eight known vulnerabilities in devices from vendors such as D-Link, TP-Link, DD-WRT, DigiEver, and TBK. The botnet propagated rapidly during the day-long AWS disruption, targeting routers, NAS devices, and DVRs in sectors including government, technology, manufacturing, telecommunications, education, and managed security service providers. The attackers used a downloader script (`binary.sh`) to deliver the malware, which then connected to command-and-control infrastructure to receive further instructions. The campaign appeared to be a test run, as the botnet was only active during the AWS outage and did not persist beyond that period. Notably, some of the exploited vulnerabilities, such as `CVE-2024-10914` and `CVE-2024-10915`, affect end-of-life D-Link devices for which no patches are available, leaving many systems permanently exposed. D-Link updated its advisories to warn users about the risks to unsupported devices, while TP-Link addressed one of the flaws with a beta firmware update. The ShadowV2 botnet’s global reach and ability to exploit multiple unpatched IoT vulnerabilities highlight the ongoing risks posed by insecure and unsupported connected devices, especially during periods of widespread internet infrastructure disruption.
Mar 21, 2026