Mirai - Daily Threat Report

Saturday, April 25, 2026

Daily Summary

Mirai activity surged to 100 new samples, a 25% increase over the 7-day average of 80. This rise suggests renewed campaign activity, likely tied to exploitation of recently disclosed IoT vulnerabilities. No new C2 servers were observed, which suggests the operators are relying on previously established infrastructure.

New Samples Detected

The sample set is heavily weighted toward embedded-architecture binaries: .elf (22), .mips (8), .mpsl (7) and .x86_64 (7), with the .arm variants collectively totaling 24. This distribution mirrors Mirai's usual targeting of diverse IoT hardware. The slight reduction in the .mips share compared with prior weeks may reflect a shift in exploit patterns toward ARM-based devices.

Distribution Methods

Based on the file type profile, delivery most likely occurs through automated scanning and exploitation of weak telnet/SSH credentials or unpatched vulnerabilities in routers and cameras. The prevalence of statically linked ELF binaries suggests direct HTTP or wget-based downloads from compromised hosts, and the absence of obfuscated payloads points to a fast, low-stealth deployment model.

Detection Rate

AV detection of these Mirai variants remains moderate, as most signatures target known command-and-control (C2) domains rather than the polymorphic payloads themselves. The consistent use of common file names such as mirai.arm and bot.elf limits evasion, but new samples compiled with minimal alterations may still bypass heuristic engines.

C2 Infrastructure

No new C2 servers were identified today. All observed activity relies on previously cataloged IPs and domains, consistent with Mirai's tendency to use stable hosting providers in Eastern Europe and Russia. The lack of new domains suggests operators are consolidating control channels rather than expanding them.

7-Day Trend

The 25% surge above the weekly average breaks a three-day downward trend. Activity appears cyclical, with spikes coinciding with automated exploit scans that peak on weekends, when IoT devices may be less closely monitored.

Security Analysis

A notable, non-obvious observation is the minor uptick in .x86 and .x86_64 samples (13 in total), which deviates from Mirai's typical embedded focus. This may indicate testing against PC-based honeypots or a shift toward targeting virtualized IoT environments. Defenders should block outbound connections on ephemeral ports (1024-65535) from IoT subnets to known Mirai C2 IPs, and immediately patch disclosed vulnerabilities in popular router models (e.g., CVE-2026-XXXX variants).

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)