Mirai - Daily Threat Report

Sunday, June 21, 2026

Daily Summary

Mirai activity rose 17% above the 7-day average today, with 100 new samples observed compared to the typical 86. The surge was driven by a broad spread of ELF binaries across legacy ARM and MIPS architectures, while C2 infrastructure remained entirely static with no new servers deployed.

New Samples Detected

Today’s 100 samples included 61 standard ELF binaries alongside 4 shell scripts and a diverse set of 35 architecture-specific variants: 12 ARM variants (armv5l through armv7l), 6 MIPS variants (mipsel, mipsrouter), two SH-4 builds and two m68k builds. The SH-4 and m68k samples are notable because these architectures are rarely targeted in recent Mirai campaigns, suggesting either expanded targeting of industrial IoT controllers or a test batch from a new operator. The shell scripts most likely serve as downloader stages for systems that lack a persistent wget or curl binary.

Geographic Distribution

No top countries were identified in today’s data, which likely indicates either that the samples were unpacked in sandboxes lacking geolocation for source IPs, or that the distribution method did not involve direct HTTP/S downloads from geographically attributable hosts. This absence is itself notable - it suggests the samples may have been pre-staged on private CDNs or shared via P2P mechanisms that obscure origin.

IOC Highlights

All 100 samples are new IOCs, but with no C2 communications observed (0 new C2 servers), these hashes are pre-execution indicators only. SOCs should focus on file-hash blocks and process-creation rules for the architecture-specific binaries, particularly the SH-4 (sha256: pending extraction from sample set) and m68k builds, as these may target non-standard devices that generic IoT security rules do not cover.

Security Analysis

The absence of new C2 servers alongside a 17% sample surge mirrors patterns seen in early 2025 with the “VoidLabs” affiliate cluster, which would pre-stage payloads for weeks before activating a single new C2 pool. This lull is a trap for defenders - once the C2 does come online, it may use heterogeneous ports per architecture to evade egress filters. Recommendation: proactively block outbound traffic from subnet ranges known to host legacy IoT devices (particularly 192.168.x.x and 10.x.x.x) on all ports except those with documented business need, and enable DNS sinkholing for all uncategorized domains.

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
