Mirai - Daily Threat Report

Wednesday, April 29, 2026

Daily Summary

Today’s Mirai activity shows a significant surge: 100 new samples were detected, a 75% increase over the 7-day average of 57. This is the highest single-day count in the current reporting window and is consistent with an active campaign push. The most common drivers of such a spike are a newly weaponized exploit or a rotation of C2 infrastructure, though the sample counts alone do not identify which.

New Samples Detected

The sample set is dominated by ELF binaries across multiple architectures, with no single file type exceeding 9 samples. The .elf (9), .mpsl (8), .mips (7), .arm7 (7), and .x86_64 (7) variants are evenly distributed and together account for 38 of the 100 samples, with the remainder spread across other architecture labels. This suggests a broad targeting strategy rather than focused exploitation of a specific IoT platform, and is typical of the automated cross-compilation pipelines used in botnet recruitment, where one source tree is built for every architecture the operator's scanner might encounter.
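The architecture labels above (.mpsl, .mips, .arm7, .x86_64) come straight out of the ELF header, so an analyst can bin a fresh batch of samples without running them. The following is an added example, not code from the original report or from the abuse.ch feeds: it reads e_ident and e_machine from a blob and returns a short label. The sample headers are constructed inline for illustration; the labelling scheme is an assumption that mirrors the report's naming. One known limit is noted in the code: arm5/arm6/arm7 builds cannot be told apart from the header alone, so 32-bit ARM is labelled plain "arm".

```python
"""Classify ELF samples by target architecture from the ELF header alone."""
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# e_machine values (from elf.h / the ELF specification).
EM_SPARC, EM_386, EM_68K, EM_MIPS = 2, 3, 4, 8
EM_PPC, EM_ARM, EM_SH, EM_X86_64, EM_AARCH64 = 20, 40, 42, 62, 183

# Label scheme (assumed, modelled on the report's file-type labels).
_LABELS = {
    EM_SPARC: "spc", EM_386: "x86", EM_68K: "m68k", EM_PPC: "ppc",
    EM_ARM: "arm", EM_SH: "sh4", EM_X86_64: "x86_64", EM_AARCH64: "arm64",
}


def classify_elf(data: bytes) -> str:
    """Return an architecture label for an ELF blob, or 'not-elf'/'malformed-elf'.

    MIPS is split by byte order because Mirai builds ship as both big-endian
    ('mips') and little-endian ('mpsl'). The header cannot separate arm5/arm6/arm7
    (that needs the .ARM.attributes section), so all 32-bit ARM is 'arm'.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return "not-elf"
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        return "malformed-elf"
    # e_type (offset 16) and e_machine (offset 18) are 16-bit, in the file's byte order.
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    _e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    if e_machine == EM_MIPS:
        return "mpsl" if ei_data == ELFDATA2LSB else "mips"
    return _LABELS.get(e_machine, f"unknown-em-{e_machine}")


def summarize(samples) -> Counter:
    """Count labels over an iterable of sample blobs (the report's distribution view)."""
    return Counter(classify_elf(s) for s in samples)


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a minimal, constructed ELF header for testing (not a real sample)."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(endian + "HHI", 2, e_machine, 1)  # ET_EXEC, e_machine, EV_CURRENT


# Constructed sample set: five headers standing in for a day's downloads.
SAMPLES = [
    make_header(ELFCLASS32, ELFDATA2LSB, EM_MIPS),    # mpsl
    make_header(ELFCLASS32, ELFDATA2MSB, EM_MIPS),    # mips
    make_header(ELFCLASS32, ELFDATA2LSB, EM_ARM),     # arm
    make_header(ELFCLASS64, ELFDATA2LSB, EM_X86_64),  # x86_64
    b"MZ\x90\x00" + b"\x00" * 60,                      # not an ELF at all
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLES).most_common():
        print(f"{label:>10}: {n}")
```

Run it over the raw bytes of each downloaded sample; anything that comes back "not-elf" or "malformed-elf" deserves a second look, since droppers occasionally ship a shell script or a truncated download under an .elf name.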

Distribution Methods

Given the volume and architectural diversity, distribution most likely relies on automated scanning for devices that accept weak or default telnet/SSH credentials, possibly combined with recent exploits for router or IoT vulnerabilities. The absence of loader scripts or other non-executable file types (e.g., .sh, .txt) in the sample set suggests direct binary delivery, with the victim instructed over the compromised session to fetch the matching architecture build via wget, curl, or tftp.

Detection Rate

Based on the high sample count and consistent architectural coverage, many of these samples are likely repackaged variants of known Mirai strains. However, the surge suggests a subset may be evading signature-based detection through minor code obfuscation or simple rebuilds, which change the file hash without changing behaviour. SOC analysts should expect low initial detection rates for fresh samples until AV vendors update signatures, and should not rely on hash matching alone; behavioural indicators such as outbound telnet scanning from a device are more durable.

C2 Infrastructure

No new C2 servers were identified today, and the C2 count for this reporting window remains at zero. A zero count reflects what the feeds ingested, not the absence of a C2: operators may be reusing existing infrastructure already present in earlier reports, or C2 addresses may be resolved via fast-flux DNS or a DGA (domain generation algorithm), both of which complicate tracking.

7-Day Trend

Activity has ramped up sharply from a relatively steady week, with today’s 100 samples far exceeding the daily average of 57. This spike suggests a coordinated botnet recruitment drive rather than background noise.

Security Analysis

A notable observation is the lack of a dominant architecture, which contrasts with typical Mirai campaigns that heavily favor ARM or MIPS. Today’s balanced distribution suggests the operators may be testing or validating a new cross-compilation toolchain, which could precede a broader weaponization campaign against less common architecture targets. Recommendation: harden perimeter devices by enforcing strict egress filtering from IoT subnets, blocking outbound 23 and 2323 (the ports Mirai’s scanner probes) outright and restricting outbound 80 and 443 to known vendor update endpoints rather than blocking them wholesale, since that would break legitimate device updates. Audit logs for repeated failed login attempts to telnet/SSH services, and alert on any IoT host that opens bursts of outbound connections to port 23.
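The log audit recommended above is easy to automate. The following is an added example, not part of the original report: it parses sshd and telnet login failures out of syslog-style lines, groups them by source IP, and flags any source that crosses a failure threshold within a sliding time window, the signature of a credential-spraying scanner. The log lines are constructed for illustration (documentation IP ranges, invented PIDs); the thresholds are assumptions to tune per environment. The telnet line format assumed here is the one util-linux login writes to syslog; adjust the regex for a honeypot or a different telnet daemon.

```python
"""Flag credential-spraying sources from syslog-style SSH/telnet failure lines."""
import re
from collections import defaultdict
from datetime import datetime

# sshd: "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
# util-linux login (telnet): "FAILED LOGIN (n) on '<tty>' from '<ip>' FOR '<user>', ..."
TELNET_FAIL = re.compile(r"login\[\d+\]: FAILED LOGIN .* from '([\d.]+)' FOR '([^']+)'")
TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")

# Constructed sample log: one spraying source, one slow source, one benign line.
SAMPLE_LOG = """\
Apr 29 08:00:01 gw sshd[2311]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 08:00:03 gw sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 29 08:00:05 gw sshd[2315]: Failed password for invalid user support from 203.0.113.5 port 51244 ssh2
Apr 29 08:00:09 gw login[2319]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'root', Authentication failure
Apr 29 08:00:12 gw login[2319]: FAILED LOGIN (2) on '/dev/pts/0' from '203.0.113.5' FOR 'admin', Authentication failure
Apr 29 08:00:20 gw sshd[2321]: Accepted publickey for ops from 192.0.2.10 port 40000 ssh2
Apr 29 08:00:28 gw sshd[2323]: Failed password for root from 203.0.113.5 port 51260 ssh2
Apr 29 08:05:00 gw sshd[2400]: Failed password for root from 198.51.100.7 port 33333 ssh2
Apr 29 08:30:00 gw sshd[2500]: Failed password for root from 198.51.100.7 port 33340 ssh2
"""


def parse_failures(lines, year=2026):
    """Yield (timestamp, service, src_ip, username) for every failed-login line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    for line in lines:
        m_ts = TS.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(f"{year} {m_ts.group(1)}", "%Y %b %d %H:%M:%S")
        m = SSH_FAIL.search(line)
        if m:
            yield ts, "ssh", m.group(2), m.group(1)
            continue
        m = TELNET_FAIL.search(line)
        if m:
            yield ts, "telnet", m.group(1), m.group(2)


def find_bruteforce(lines, threshold=5, window_seconds=60, year=2026):
    """Return {src_ip: summary} for sources with >= threshold failures inside
    any window_seconds-long span. A sliding window (two indices over the sorted
    events) avoids the fixed-bucket blind spot where a burst straddles a boundary.
    """
    events = defaultdict(list)
    for ts, svc, ip, user in parse_failures(lines, year):
        events[ip].append((ts, svc, user))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "count": len(evs),                          # total failures seen
                    "users": sorted({u for _, _, u in evs}),    # accounts tried
                    "services": sorted({s for _, s, _ in evs}), # protocols abused
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The account list is the useful part of the output: a source cycling through root, admin and support in seconds is running a default-credential list, which is exactly the Mirai recruitment pattern the report describes; a single failure from a source that never returns is ordinary noise.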

Further Reading

Data Sources

MalwareBazaar (abuse.ch) ThreatFox (abuse.ch) URLhaus (abuse.ch)
