Daily Summary
Mirai activity surged sharply on 2026-05-03 with 100 new samples detected, a 75% increase over the 7-day average of 57. This marks a notable escalation in the family’s output, indicating renewed operational tempo.
New Samples Detected
The sample set is dominated by 45 generic .elf files, with architecture-specific variants distributed evenly across .i686, .arm7, .mips, .x86, .sh4 (4 each), and smaller counts for .mpsl, .spc, .i486, .ppc (3 each). The diversity of CPU architectures suggests targeting of routers, IoT devices, and embedded systems across multiple hardware platforms. No shift in naming patterns was observed, but the balanced spread across the architecture-specific builds hints at a deliberate campaign to cover older or niche device profiles.
Distribution Methods
File types indicate delivery via direct download links or exploit kits that dynamically serve architecture-specific binaries after fingerprinting the victim device. The absence of common script-based delivery (e.g., .sh or .py wrappers) suggests these samples may be delivered through automated scanning and credential brute-forcing attacks against exposed Telnet/SSH services, a hallmark Mirai tactic.
Detection Rate
The 100 new IOCs suggest that many of today’s samples may still be undetected by mainstream AV engines, as signature-based detection often lags behind fresh builds. SOC teams should assume low to moderate detection rates for these variants, especially the .mips and .spc builds, which target less-common architectures that receive less frequent signature updates.
C2 Infrastructure
No new C2 servers were logged today, indicating that operators are reusing existing infrastructure. This may reflect a preference for stable command channels or a consolidation of resources post-campaign. Without new domains or IPs, pivoting on historical C2 connections becomes critical for threat hunting.
7-Day Trend
Activity is clearly ramping up, with today’s 100 samples well above the 7-day average of 57. Consistent growth over the week suggests an ongoing campaign rather than a one-time burst, warranting heightened alerting for ongoing exploitation attempts.
Security Analysis
The even distribution across nine distinct architectures is atypical for Mirai, which usually leans heavily on .mips and .arm. This spread may indicate a retooled scanning engine that probes for vulnerable device models more systematically. Furthermore, the absence of new C2 servers combined with fresh samples suggests operators are testing variants against existing infrastructure before committing to new channels. Actionable recommendation: Enforce geo-blocking for outbound traffic from IoT segments to known Mirai C2 IPs, and monitor for increased Telnet/SSH brute-force attempts on non-standard ports, as today’s spike likely precedes a wave of exploitation.
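As an added hunt example (not part of this summary), the following Python applies both the historical-C2 pivot from the C2 Infrastructure section and the Telnet/SSH brute-force check from the recommendation above to constructed IoT-segment log lines; the segment range, the placeholder C2 address and the key=value log format are assumptions, not data from the report.

```python
import ipaddress
import re
from collections import Counter

# Constructed log lines from an IoT edge device (not from the report).
# Fields: timestamp dir svc src dst dport result.
SAMPLE_LOG = """\
2026-05-03T10:00:01 dir=in svc=telnet src=203.0.113.5 dst=192.0.2.20 dport=2323 result=fail
2026-05-03T10:00:02 dir=in svc=telnet src=203.0.113.5 dst=192.0.2.20 dport=2323 result=fail
2026-05-03T10:00:03 dir=in svc=telnet src=203.0.113.5 dst=192.0.2.20 dport=2323 result=fail
2026-05-03T10:00:04 dir=in svc=telnet src=203.0.113.5 dst=192.0.2.20 dport=2323 result=fail
2026-05-03T10:00:05 dir=in svc=telnet src=203.0.113.5 dst=192.0.2.20 dport=2323 result=fail
2026-05-03T10:00:09 dir=in svc=ssh src=203.0.113.9 dst=192.0.2.21 dport=22 result=fail
2026-05-03T10:00:10 dir=in svc=ssh src=203.0.113.9 dst=192.0.2.21 dport=22 result=fail
2026-05-03T10:01:00 dir=out svc=tcp src=192.0.2.20 dst=198.51.100.77 dport=48101 result=ok
2026-05-03T10:01:05 dir=out svc=dns src=192.0.2.21 dst=192.0.2.1 dport=53 result=ok
"""

IOT_SEGMENT = ipaddress.ip_network("192.0.2.0/24")   # assumed IoT VLAN
HISTORICAL_C2 = {"198.51.100.77"}                   # placeholder: past Mirai C2 IPs from your own intel
STANDARD_PORTS = {"telnet": {23}, "ssh": {22}}       # anything else for these services is non-standard
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Yield one dict per line: the first token is the timestamp, the rest are key=value pairs."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(KV.findall(rest))
        fields["ts"] = ts
        yield fields

def c2_contacts(log, c2_ips=HISTORICAL_C2, segment=IOT_SEGMENT):
    """Outbound flows from the IoT segment to any historical C2 address (the pivot the report calls for)."""
    return sorted({(e["src"], e["dst"], int(e["dport"])) for e in parse(log)
                   if e["dir"] == "in" and False or
                   e["dir"] == "out" and ipaddress.ip_address(e["src"]) in segment and e["dst"] in c2_ips})

def bruteforce_bursts(log, threshold=5):
    """Inbound Telnet/SSH failures grouped by (src, svc, dport); a source at or above the threshold
    is flagged, and the record notes whether the targeted port is non-standard for that service."""
    fails = Counter((e["src"], e["svc"], int(e["dport"])) for e in parse(log)
                    if e["dir"] == "in" and e["svc"] in STANDARD_PORTS and e["result"] == "fail")
    return [{"src": s, "svc": svc, "dport": p, "attempts": n, "nonstandard_port": p not in STANDARD_PORTS[svc]}
            for (s, svc, p), n in sorted(fails.items()) if n >= threshold]

if __name__ == "__main__":
    print(c2_contacts(SAMPLE_LOG))
    print(bruteforce_bursts(SAMPLE_LOG))
```

Feed the same functions your real flow or auth export and a current historical-C2 list; the threshold and window should be tuned to the segment's normal failure rate.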