Daily Summary
Mirai activity surged on 2026-04-26 with 100 new samples detected, a 20% increase over the 7-day average of 83. This marks a notable escalation following a relatively stable week, driven by a diversified selection of compiled ELF variants.
New Samples Detected
The 100 new samples are exclusively ELF binaries compiled for 11 distinct architectures, with files carrying the generic .elf extension dominating at 41 samples. The remainder is spread across less common architectures: .mips (5), .mpsl (4), .arm7 (4), .m68k (4), .ppc (3), .arm6 (3), .arm5 (3), .arm (3), and .x86 (2). The broad architecture coverage, including older platforms such as m68k and ppc, suggests the operators are targeting embedded and IoT devices with diverse hardware, most likely running unpatched or legacy firmware.
Distribution Methods
No new distribution campaigns or delivery mechanisms were observed today. The sample file types are consistent with Mirai's standard propagation, in which infected devices scan for exposed Telnet/SSH services and brute-force their credentials to replicate themselves. The absence of non-ELF payloads indicates no shift toward phishing or external dropper vectors.
Detection Rate
Current AV detection of Mirai variants is moderate, though the inclusion of less common architectures (m68k, mpsl) may let some samples evade signature-based engines tuned for x86 or ARM. These variants may expose detection gaps in IoT-focused security products.
C2 Infrastructure
No new C2 servers were identified today. The existing C2 infrastructure remains stable, with no notable geographic shifts or domain churn. This suggests attackers are prioritizing payload distribution over refreshing command-and-control nodes.
7-Day Trend
Activity is ramping up, with today’s count exceeding the 7-day average by 20%. The week showed a gradual increase from below-average volumes mid-week to a sharp spike on the final day, indicating a possible campaign escalation.
Security Analysis
The surge in samples targeting multiple legacy architectures (m68k, ppc) contrasts with typical Mirai campaigns that favor x86 and ARM. This may reflect a pivot toward industrial or embedded systems with older chipsets, such as routers and ICS devices, which are often under-monitored. Defenders should verify that network segmentation isolates IoT and OT devices from general IT environments, and enforce strict credential hygiene on exposed Telnet/SSH ports to counter brute-force attempts.