Daily Summary
Mirai activity surged to 100 new samples today, marking a 75% increase above the 7-day average of 57. This spike continues a rising trend observed over the past week, with no new C2 infrastructure deployed to support the increase.
New Samples Detected
Of the 100 new samples, ELF binaries for Linux-based architectures dominate at 87, consistent with Mirai’s primary targeting of IoT devices. Supporting architectures include one sample each for PPC, x86_64, x86, SH4, MIPS, MPSL, ARM6, ARM5, and ARM7. No shift in packaging or naming is evident; the samples all follow standard compiled binary formats.
Distribution Methods
Delivery remains primarily via automated scanning and exploitation of unpatched IoT devices, reflecting Mirai’s reliance on brute-force SSH/Telnet attacks and known vulnerability exploits. The diverse architecture support indicates a broad targeting strategy across routers, cameras, and other embedded systems.
Detection Rate
Current detection coverage is moderate. While signature-based engines catch older variants, the influx of 100 new samples suggests newer builds may evade some static detection due to polymorphic obfuscation or altered command sequences. SOC teams should expect a window of reduced detection for freshly compiled binaries.
C2 Infrastructure
No new C2 servers were reported today. This is notable: the surge in samples is not accompanied by additional infrastructure, suggesting either re-use of existing servers or a delayed deployment phase. Activity remains contained to known C2 nodes with no geographic shift.
7-Day Trend
The 75% increase over the 7-day average accelerates what was a steady upward trajectory earlier in the week. The trend indicates active development and deployment cycles, likely in response to recent IoT vulnerability disclosures.
Security Analysis
The absence of new C2 servers alongside a sample surge is an unusual pattern for Mirai. Historically, sample volume spikes correlate with fresh C2 provisioning to avoid takedown. This may indicate operators are stress-testing sample distribution before rotating infrastructure, or that existing servers are under-utilized. Defensive recommendation: immediately block known C2 IPs from prior samples and monitor for outbound connections to ports 23 and 2323; these are common Mirai command channels even without new server registration.
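Added example (not part of this summary): a small Python check that applies the recommendation above to constructed, Zeek-style connection-log lines, flagging outbound connections from internal hosts to ports 23/2323 and to a placeholder list of known C2 addresses. The log layout, the address ranges and the C2 list are assumptions for illustration.

```python
import ipaddress

# Constructed sample lines in a simplified Zeek conn.log column order:
# ts, orig_h, orig_p, resp_h, resp_p, proto. Fabricated for this example.
SAMPLE_CONN_LOG = """\
1700000000.1 192.168.1.20 51234 203.0.113.10 2323 tcp
1700000001.2 192.168.1.21 51235 203.0.113.11 443 tcp
1700000002.3 192.168.1.22 51236 198.51.100.5 23 tcp
1700000003.4 192.168.1.23 51237 192.168.1.1 23 tcp
1700000004.5 192.168.1.24 51238 203.0.113.99 8080 tcp
"""

# Ports the summary names as Mirai command/propagation channels.
MIRAI_PORTS = {23, 2323}

# Assumed internal ranges (RFC 1918); adjust to the monitored environment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Placeholder blocklist; populate from C2 IPs extracted from prior samples.
KNOWN_C2 = {"203.0.113.99"}


def is_internal(ip_str):
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in INTERNAL_NETS)


def flag_connections(log_text, known_c2=KNOWN_C2):
    """Return (src, dst, dport, reason) for outbound flows worth triage."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _sport, dst, dport, _proto = line.split()
        dport = int(dport)
        # Only internal -> external flows; internal-to-internal Telnet
        # (e.g. admin to a router) is skipped here to reduce noise.
        if not is_internal(src) or is_internal(dst):
            continue
        reasons = []
        if dport in MIRAI_PORTS:
            reasons.append(f"outbound tcp/{dport}")
        if dst in known_c2:
            reasons.append("known C2")
        if reasons:
            alerts.append((src, dst, dport, ", ".join(reasons)))
    return alerts
```

Run against real conn logs, a hit on a known C2 address should take priority over a bare port-23 match, since outbound Telnet alone can be legitimate in some networks.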