Daily Summary
Mirai sample collection surged to 100 new samples on 2026-05-31, a 75% increase over the 7-day average of 57. This marks a notable escalation in activity, driven primarily by a sharp rise in ELF binaries and scattered architecture-specific variants.
New Samples Detected
The sample pool today is dominated by .elf files (45), accounting for 45% of all detections, a significant jump from the recent average. This suggests a single or coordinated build campaign targeting broad Linux-based IoT platforms. Supporting architecture-specific variants include .tok (8), .mips (7), and .x86 (6), with smaller counts for .arm7 (5), .mpsl (4), .sh (4), .arm5 (3), .m68k (2), and .x64 (2). The presence of .tok (likely Tokay) and .sh shell scripts indicates the campaign may be testing under-represented architectures or preparing for wider distribution. Notably, no ARM64 samples were observed today, a departure from recent patterns.
7-Day Trend
With 100 samples versus the rolling average of 57, today’s activity exceeds the 25% deviation threshold. The 75% increase signals either an active botnet recruitment drive or automated packer rotation cycles. Context from prior surges (e.g., 2026-05-24’s 72-sample day) suggests this may be part of a recurring 7-9 day escalation window, possibly tied to new exploit attempts or updated variant builds.
C2 Infrastructure
No new C2 servers were detected today, which is unusual given the large sample volume. This may indicate that new samples are configured to use previously tracked infrastructure or rely on DGA-based domains. Analysts should verify whether today's samples resolve to known C2 IPs or exhibit alternate beaconing methods.
IOC Highlights
100 new file hashes were added to the IOC database, all tied to today’s sample surge. No domains or IPs are flagged, meaning the focus remains on payload acquisition. Security teams should prioritize blocking outbound connections from IoT devices to known Mirai sinkholes and scan for any of the new ELF hashes in internal asset inventories.
Security Analysis
The lack of new C2 servers alongside a 75% sample surge suggests this campaign is either reusing existing infrastructure or using ephemeral, domainless C2 techniques (e.g., P2P mesh or UPnP-based tunneling). This diverges from typical Mirai operations, which commonly rotate C2 on volume spikes. Defenders should monitor for unusual outbound traffic to ports 23, 2323, and 37215, and deploy network signatures for ELF downloads from known IoT exploit vectors, even if C2 domains appear static.
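As an added illustration of the monitoring advice above (example code written for this summary, not part of the original report), the script below flags outbound TCP flows from an IoT segment to ports 23, 2323 and 37215 and then surfaces sources fanning out across many destinations on those ports, the pattern of a scanner rather than a single legitimate session. The flow records and the 10.40.0.0/16 IoT segment are constructed assumptions.

```python
import ipaddress

# Ports the summary calls out for Mirai-style telnet and exploit traffic
MIRAI_PORTS = {23, 2323, 37215}
# Assumption: the IoT VLAN lives in this (constructed) RFC 1918 range
IOT_SEGMENT = ipaddress.ip_network("10.40.0.0/16")

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2026-05-31T02:14:07Z 10.40.3.21 203.0.113.10 23 tcp
2026-05-31T02:14:08Z 10.40.3.21 203.0.113.11 23 tcp
2026-05-31T02:14:09Z 10.40.3.21 203.0.113.12 2323 tcp
2026-05-31T02:15:01Z 10.40.7.9 198.51.100.5 37215 tcp
2026-05-31T02:15:30Z 10.40.3.21 198.51.100.44 443 tcp
2026-05-31T02:16:00Z 10.10.1.5 203.0.113.10 23 tcp
2026-05-31T02:16:12Z 10.40.3.21 203.0.113.13 23 tcp
"""

def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}

def suspicious_flows(text):
    """Return flows from IoT-segment hosts to Mirai-associated TCP ports."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] in IOT_SEGMENT and f["proto"] == "tcp" and f["dport"] in MIRAI_PORTS:
            hits.append(f)
    return hits

def scanners(hits, min_unique_dsts=3):
    """Sources that reached at least min_unique_dsts distinct destinations on
    watched ports; fan-out on telnet ports is the scanner signature."""
    fanout = {}
    for f in hits:
        fanout.setdefault(str(f["src"]), set()).add(str(f["dst"]))
    return {src: len(d) for src, d in fanout.items() if len(d) >= min_unique_dsts}

if __name__ == "__main__":
    hits = suspicious_flows(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}")
    print("likely scanners:", scanners(hits))  # {'10.40.3.21': 4}
```

The 443 flow and the non-IoT 10.10.1.5 source are ignored, while 10.40.7.9's single hit on 37215 is reported as a flow but does not meet the fan-out threshold.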