Daily Summary
Today’s Mirai sample count reached 100, a 75% increase over the 7-day average of 57, indicating sustained offensive activity. This surge is primarily driven by new ELF binary variants, suggesting actors are aggressively refreshing their botnet arsenals.
New Samples Detected
ELF files dominate with 32 samples, representing the core infection vector. Shell scripts (.sh) account for 6 samples, likely used for initial payload delivery and environment setup. Architecture-specific variants target a wide range of IoT hardware: Motorola 68000 (.m68k) at 5, Intel 486 (.i486) and SuperH (.sh4) at 4 each, with MIPS (.mips), Intel 686 (.i686), PowerPC (.ppc), ARM7 (.arm7), and ARM6 (.arm6) at 3 each. This broad architecture support suggests attackers are scanning for any unpatched embedded device, from routers to IP cameras.
Distribution Methods
The presence of shell scripts indicates initial compromise may involve command injection or weak credential exploitation, followed by wget or curl to pull ELF binaries. The absence of archive or document file types points to direct network-based delivery rather than phishing. This aligns with Mirai’s historical reliance on scanning for default credentials and telnet/SSH access.
Detection Rate
Detection rates remain uneven due to the diversity of architecture-specific builds. While generic ELF signatures catch many variants, custom-compiled payloads for niche architectures like m68k or sh4 may evade major AV engines until signature updates propagate. SOCs should deploy behavioral analysis rules for unexpected outbound connections on non-standard ports from IoT devices.
C2 Infrastructure
No new C2 servers were recorded today. The 100 new IOCs likely represent hashes and URLs from a stable C2 infrastructure. This pause may indicate actors are focusing on payload distribution rather than rotating command nodes. Consistent C2 addresses are a defensive advantage for blocking.
7-Day Trend
Today’s 100 samples sharply exceed the week’s daily average of 57, marking a clear escalation. This could reflect a new campaign ramp-up or seasonal targeting of vulnerable IoT devices in certain regions.
Security Analysis
A notable behavioral shift is the even distribution across eight CPU architectures, a departure from past Mirai variants that concentrated on ARM and MIPS. This broad targeting suggests actors are casting a wider net, possibly automating cross-compilation for all available builds. Defenders should inventory all IoT device types on their network and ensure firmware updates are applied, particularly for rare architectures that may lack vendor patches. Actionable recommendation: Restrict outbound traffic from IoT subnets to only necessary DNS and NTP services to contain potential C2 communication.
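The detection rule suggested under Detection Rate and the egress restriction recommended here can be checked with a small flow-log filter. The script below is an added illustration, not part of this summary: it assumes an IoT VLAN of 192.168.50.0/24 and a simple key=value flow-record format, both placeholders, and runs over constructed sample records rather than real telemetry.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed IoT VLAN (the summary names no addresses); egress allowlist per its
# recommendation: DNS and NTP only.
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_EGRESS = {("udp", 53), ("tcp", 53), ("udp", 123)}

# Constructed flow records in a simple key=value format (not real telemetry).
SAMPLE_FLOWS = """\
2024-01-01T00:00:01Z src=192.168.50.12 dst=192.168.50.1 proto=udp dport=53
2024-01-01T00:00:02Z src=192.168.50.12 dst=203.0.113.7 proto=tcp dport=48101
2024-01-01T00:00:03Z src=192.168.50.20 dst=198.51.100.9 proto=udp dport=123
2024-01-01T00:00:04Z src=192.168.50.20 dst=203.0.113.7 proto=tcp dport=80
2024-01-01T00:00:05Z src=192.168.50.31 dst=203.0.113.7 proto=tcp dport=23
2024-01-01T00:00:06Z src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=48101
"""
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def parse_flow(line):
    """Parse one flow line into a dict; None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_egress_violations(lines, iot_subnet=IOT_SUBNET, allowed=ALLOWED_EGRESS):
    """Flows from the IoT subnet whose (proto, dport) is outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in iot_subnet:
            continue  # unparseable, or not subject to the IoT egress policy
        if (rec["proto"].lower(), rec["dport"]) not in allowed:
            hits.append(rec)
    return hits

def sources_per_destination(violations):
    """Group offending flows by destination: one address contacted by many
    IoT hosts is a candidate shared C2 node worth blocking."""
    fan_in = defaultdict(set)
    for rec in violations:
        fan_in[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in fan_in.items()}
```

Fed the sample records, the filter reports the three non-DNS/NTP flows from the IoT subnet and shows that all three IoT hosts reached the same external address, which is the pattern a stable C2 infrastructure leaves behind and a good candidate for an egress block.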