Daily Summary
Mirai sample volume rose to 100 on 2026-06-14, a 17% increase over the 7-day average of 86. The uptick is driven entirely by a diverse spread of ELF architecture variants, with no new C2 infrastructure observed. This suggests attackers are expanding targeting coverage rather than deploying novel capabilities.
New Samples Detected
A total of 100 samples were logged, with architecture diversity notably broad. ELF binaries dominate at 37, but the presence of multiple MIPS variants (.mpsl: 6, .mips: 5), PowerPC (4), ARM7 (4), ARM5 (3), ARM (3), and SH variants (sh4: 3, sh: 3) indicates deliberate cross-platform compilation. The inclusion of x86 (4) is worth flagging - x86-based Mirai is less common in IoT targets and may indicate testing against virtualized or containerized environments. No single architecture exceeds previous baselines, but the breadth of the distribution suggests a single automated build pipeline feeding multiple targets.
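The architecture breakdown above can be checked against each file's ELF header instead of relying on filename suffixes. The following triage sketch is an added example, not part of the original report; the sample headers are constructed, and the mapping of little-endian MIPS to the ".mpsl" label is an assumption.

```python
import struct
from collections import Counter

# e_machine constants from the ELF specification (elf.h).
EM_NAMES = {3: "x86", 8: "mips", 20: "ppc", 40: "arm", 42: "sh", 62: "x86_64"}


def elf_arch(header: bytes) -> str:
    """Return a coarse architecture label from the first 20 bytes of a file."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return "not-elf"
    ei_data = header[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        return "malformed"
    fmt = "<H" if ei_data == 1 else ">H"
    (e_machine,) = struct.unpack_from(fmt, header, 18)  # e_machine at offset 18
    name = EM_NAMES.get(e_machine, f"em_{e_machine}")
    # Assumption: ".mpsl" in the report means little-endian MIPS (mipsel).
    if name == "mips" and ei_data == 1:
        name = "mpsl"
    # ARM5 vs ARM7 and sh vs sh4 cannot be told apart from e_machine alone;
    # they need e_flags or the .ARM.attributes section, so they stay coarse.
    return name


def tally(headers):
    """Count architecture labels across an iterable of header byte strings."""
    return Counter(elf_arch(h) for h in headers)


def fake_header(ei_data: int, e_machine: int) -> bytes:
    """Constructed 20-byte ELF header prefix for the demo (not a real sample)."""
    order = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([1, ei_data, 1]) + b"\x00" * 9  # 16-byte e_ident
    return ident + struct.pack(order + "HH", 2, e_machine)      # e_type = ET_EXEC


# Constructed inputs: seven header prefixes plus two non-ELF/truncated files.
SAMPLES = [
    fake_header(2, 8), fake_header(1, 8), fake_header(1, 40), fake_header(1, 40),
    fake_header(2, 20), fake_header(1, 42), fake_header(1, 3),
    b"\x7fELF",                      # truncated download
    b"#!/bin/sh\n" + b"\x00" * 16,   # dropper script, not a binary
]

if __name__ == "__main__":
    for arch, count in tally(SAMPLES).most_common():
        print(f"{arch:8} {count}")
```
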
IOC Highlights
All 100 new IOCs are linked to the sample pool, with no net-new C2 infrastructure identified. This is consistent with reusing existing command nodes or sinkholed IPs. Analysts should focus on blocking the sample hashes - particularly the x86 and MIPS variants - as they may represent early probes into less-monitored segments.
Security Analysis
The lack of new C2 servers against a rising sample count is atypical for active Mirai campaigns. This pattern aligns with a “wide net” strategy: threat actors distribute binaries compiled for many architectures to probe for weak credentials, relying on existing C2 channels to handle callbacks. Defenders should prioritize network-level blocking of known Mirai C2 IPs from the past 30 days, as the surge in samples is likely a precursor to coordinated scanning and credential-stuffing activity.