Daily Summary
Mirai activity surged to 100 new samples on June 7, 2026, a 40% increase above the 7-day average of 71. This marks a notable uptick driven by a shift toward more diverse ELF binary variants, while C2 infrastructure remained static with no new servers observed.
New Samples Detected
The sample set exhibited unusual diversity, with 65 ELF binaries dominating the count but accompanied by less common file types. Notably, .sh scripts (7 samples) and .sakura files (4 samples) appeared alongside niche architecture-targeted binaries like .arm7, .armv7l, .armv6l, .mips, .i686, and .x86 (2 each). The emergence of .sakura is atypical and may indicate a recycled build kit or an attempt to obfuscate payloads within less monitored file extensions. The .xml files (2 samples) could represent configuration or dropper metadata, though their low volume suggests limited deployment.
7-Day Trend
Today’s 100 samples exceed the 7-day average of 71 by 40%, a deviation well above the 25% alerting threshold. This surge is not accompanied by new C2 servers, implying that existing infrastructure is being leveraged more aggressively rather than expanded. The spike may reflect automated re-propagation following a vulnerability scanner run or a resurgent IoT botnet campaign targeting unpatched devices.
IOC Highlights
All 100 samples are flagged as new IOCs, but no C2 domains or IPs were added. This decoupling of sample growth from infrastructure growth suggests the malware is reusing prior command channels or employing peer-to-peer communication. Security teams should prioritize blocking ELF binary downloads via common IoT attack vectors (Telnet, SSH brute force) and monitor for beaconing to known C2 clusters from prior weeks.
Security Analysis
The lack of new C2 servers alongside a 40% sample surge is a signature of automated, scanner-driven propagation rather than manual targeting. This pattern mirrors older Mirai variants like “Hajime” that relied on distributed peer networks. Actionable tip: Immediately review firewall rules for outbound connections on non-standard ports (2323, 7547, 5555) and deploy sinkhole monitoring on known C2 IPs from the last 30 days to detect reinfection waves. Do not assume the absence of new C2 indicates reduced risk; it may indicate a deliberate evasion tactic.
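The monitoring advice in the IOC Highlights and Security Analysis sections above can be turned into a concrete check. The following is an added example, not part of the original report: it parses constructed firewall log lines (key=value format, invented for this illustration), keeps only outbound flows from internal hosts, and flags connections to the non-standard ports named in the report (2323, 7547, 5555) or to a watchlist of previously observed C2 addresses. The C2 addresses and the log lines are placeholders drawn from TEST-NET ranges, not indicators from the report.

```python
"""Flag outbound beaconing to Mirai-associated ports and to a prior-weeks C2 watchlist.

Added example: log format, addresses and watchlist are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Non-standard outbound ports the report recommends reviewing.
WATCH_PORTS = {2323, 7547, 5555}

# Hypothetical watchlist of C2 IPs seen in prior weeks (TEST-NET placeholders, not real IOCs).
KNOWN_C2 = {"203.0.113.10", "198.51.100.7"}

# RFC 1918 ranges treated as "internal" for the outbound-only filter.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed firewall log lines (not from the report). One line per flow.
SAMPLE_LOG = """\
2026-06-07T01:02:03Z action=allow proto=tcp src=192.168.10.21 spt=51234 dst=198.51.100.5 dpt=443
2026-06-07T01:02:09Z action=allow proto=tcp src=192.168.10.44 spt=40111 dst=203.0.113.10 dpt=23
2026-06-07T01:02:15Z action=allow proto=tcp src=192.168.10.44 spt=40112 dst=198.51.100.200 dpt=2323
2026-06-07T01:02:20Z action=allow proto=tcp src=192.168.10.44 spt=40113 dst=198.51.100.201 dpt=7547
2026-06-07T01:02:31Z action=allow proto=tcp src=10.0.5.9 spt=33000 dst=192.168.10.44 dpt=5555
2026-06-07T01:02:40Z action=deny proto=tcp src=192.168.10.50 spt=33001 dst=198.51.100.7 dpt=5555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["spt"] = int(ev["spt"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def is_internal(ip):
    """True if the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Return the list of reasons an outbound flow is suspicious (empty if none).

    Order is fixed: port match first, then watchlist match. Denied attempts are
    still reported, since a blocked beacon is evidence of an infected host.
    """
    reasons = []
    if ev["dpt"] in WATCH_PORTS:
        reasons.append("watch_port")
    if ev["dst"] in KNOWN_C2:
        reasons.append("known_c2")
    return reasons


def analyze(log_text):
    """Scan log text; return (alerts, per-source-host alert counts)."""
    alerts = []
    per_host = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Only outbound flows: internal source talking to an external destination.
        if not (is_internal(ev["src"]) and not is_internal(ev["dst"])):
            continue
        reasons = classify(ev)
        if reasons:
            alerts.append({**ev, "reasons": reasons})
            per_host[ev["src"]] += 1
    return alerts, per_host


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dpt']} ({a['action']}) {','.join(a['reasons'])}")
    print("hosts by alert count:", hosts.most_common())
```

Two design points worth noting. The internal-to-internal flow on port 5555 is deliberately not flagged, because the report's advice concerns outbound connections; lateral traffic on that port would be a separate rule. A denied connection to a watchlisted address is still reported, since the host attempting it has likely already been infected and the firewall verdict only tells you the beacon failed.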