Daily Summary
Today’s detection of 100 new Mirai samples represents a 75% increase over the 7-day average of 57, continuing a clearly rising trend. This spike is driven almost entirely by ELF variants, with minor contributions from shell scripts and legacy MIPS builds.
New Samples Detected
The sample distribution shows a heavy concentration on standard ELF binaries (45 files), accounting for nearly half of all detections. The remaining samples span a wide range of architectures, including 5 shell scripts, 4 MIPS, 3 each for ARMv7l, SH4, PowerPC, ARC, i486, and m68k, and 2 ARMv4l files. This architectural diversity suggests the threat actor is scanning broadly for vulnerable IoT devices across different platforms rather than focusing on a specific hardware niche. The inclusion of 5 shell scripts is notable, as these are less frequently used for initial payload delivery and may indicate a shift toward multi-stage infection chains.
7-Day Trend
The sharp uptick from a stable average of 57 samples to 100 today (a 75% rise) warrants attention. This type of volumetric increase typically correlates with either a newly exploited vulnerability gaining traction or a repackaging of existing malware families with updated evasion techniques. The absence of new C2 servers (0 today) suggests the added volume is being funneled through existing infrastructure rather than a coordinated new campaign launch by a different group.
IOC Highlights
All 100 samples are new IOCs today, but with zero new C2 servers detected, the focus shifts to the samples themselves. Analysts should prioritize triaging the ELF binaries for known Mirai variants like Satori, Reaper, or Qbot, as these often share codebases that can be identified through static analysis of function hashes or string patterns.
Security Analysis
The combination of rising sample volume with zero new C2 infrastructure suggests this actor is refreshing payloads while maintaining existing command channels, a tactic often seen during preparation for a larger-scale DDoS campaign. Defenders should monitor outbound connections from IoT devices to previously observed C2 IP blocks on ports 23, 2323, and 5555, and implement network segmentation to contain any potential infection spread before command activation. This pattern mirrors pre-attack build phases observed in 2020-era Mirai variants before major volumetric attacks.
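One way to operationalize the outbound-monitoring recommendation above, as an added Python example that is not part of this summary: it parses constructed flow records from an assumed IoT segment and flags connections to an assumed watchlist of previously observed C2 blocks, with extra weight on the three ports named here. The flow-record format, the 10.42.0.0/16 IoT segment, and the RFC 5737 placeholder C2 ranges are all assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Ports the summary singles out for outbound IoT monitoring.
MIRAI_PORTS = {23, 2323, 5555}

# Assumed watchlist of "previously observed C2 blocks": RFC 5737 placeholder
# ranges, not real indicators from any feed.
C2_BLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.0/25")]

# Assumed IoT segment (sources elsewhere are ignored) and internal space
# (destinations inside it are never treated as external).
IOT_SEGMENT = ipaddress.ip_network("10.42.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

Alert = namedtuple("Alert", "ts src dst dport reason")

def parse_flow(line):
    """Parse an assumed 'ts src:sport dst:dport proto' flow record."""
    ts, src, dst, _proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport)

def classify(src, dst, dport):
    """Return an alert reason for an IoT-sourced flow, or None if benign."""
    if src not in IOT_SEGMENT:
        return None
    in_c2 = any(dst in block for block in C2_BLOCKS)
    if in_c2 and dport in MIRAI_PORTS:
        return "known C2 block on Mirai port"
    if in_c2:
        return "known C2 block"
    if dport in MIRAI_PORTS and dst not in INTERNAL:
        return "Mirai port to untracked external host"
    return None

def scan_flows(lines):
    """Run the classifier over flow records and collect alerts in order."""
    alerts = []
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        reason = classify(src, dst, dport)
        if reason:
            alerts.append(Alert(ts, str(src), str(dst), dport, reason))
    return alerts

# Constructed sample records: two C2 contacts, one Telnet-alt probe to an
# untracked host, one internal Telnet session, one non-IoT source.
SAMPLE_FLOWS = [
    "2024-01-01T00:00:01 10.42.7.15:51234 203.0.113.45:23 tcp",
    "2024-01-01T00:00:02 10.42.7.15:51235 203.0.113.45:443 tcp",
    "2024-01-01T00:00:03 10.42.9.2:40000 192.0.2.77:2323 tcp",
    "2024-01-01T00:00:04 10.42.9.2:40001 10.42.1.1:23 tcp",
    "2024-01-01T00:00:05 10.7.0.5:3000 203.0.113.9:5555 tcp",
]
```

Feed `scan_flows` a real export (NetFlow, Zeek conn.log, or firewall logs reshaped to the assumed format) and replace the placeholder blocks with the organisation's own C2 watchlist.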