Mirai
Mirai is an IoT botnet malware family best known for compromising internet-exposed devices such as IP cameras, DVRs, routers, and other embedded Linux systems, primarily by scanning for devices with default or weak credentials and enrolling them into a botnet used for distributed denial-of-service (DDoS) operations. The aggregated reporting repeatedly associates Mirai with large-scale exploitation of insecure IoT deployments: its operators scanned the internet for exposed devices, including security cameras and DVRs, and logged in with factory credentials that had never been changed. The malware is directly linked to the October 2016 attack on DNS provider Dyn, in which compromised IoT devices generated multi-vector DDoS traffic, including floods of pseudo-random subdomain queries (described as DNS water torture), causing major outages for services such as Twitter, Reddit, GitHub, and other internet infrastructure.
The reporting indicates that Mirai remains highly relevant nearly a decade later because Mirai variants and derivative botnets continue to circulate. Multiple campaigns and malware families are described as derived from, incorporating code from, or built on the Mirai framework, including TerraBot, Aquabot, code overlap with Chalubo, and other Mirai/Gafgyt-style botnet activity. The material also references active exploitation chains in 2026 in which Mirai or Mirai variants were deployed after initial compromise of exposed infrastructure, including Ubiquiti UniFi OS exploitation, cPanel/WHM compromise via CVE-2026-41940, and LiteSpeed User-End cPanel Plugin exploitation via CVE-2026-48172. One cited campaign deployed a Mirai variant named nuclear.x86 after initial compromise. The content also notes Fortinet detections, including ELF/Mirai.EGX!tr.
Mirai is associated in the reporting with exploitation of exposed routers and IoT devices, especially where default credentials, weak hardening, or known router vulnerabilities are present. The reporting highlights longstanding Mirai-style targeting of D-Link routers and DD-WRT devices, and repeatedly emphasizes that descendants of Mirai still scan the internet automatically for devices with default passwords. The family is also referenced in relation to the broader IoT botnet ecosystem used by pro-Russian actors and hacktivist-adjacent infrastructure, though the content specifically states that Killnet sub-groups leverage IoT botnet infrastructures such as Mirai rather than attributing Mirai itself to a single state actor.
High-confidence indicators and artifacts are limited because most references are contextual rather than sample-specific, but the material does include the variant name nuclear.x86 and the Fortinet detection name ELF/Mirai.EGX!tr. Overall, the content characterizes Mirai as a foundational and still-active IoT botnet family whose core tradecraft is mass scanning, default-credential compromise, bot enrollment, and DDoS, with enduring influence on later botnet variants and exploitation campaigns.
Vulnerabilities exploited
33 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
On May 21, 2026, Ubiquiti published Security Advisory Bulletin 064 (SAB-064) for Ubiquiti UniFi OS servers, which identified three vulnerabilities, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, each rated with a CVSS base score of 10.0. These vulnerabilities can be chained together to allow an attacker unauthenticated remote code execution with full root privileges. | Reported activity includes a Mirai/Gafgyt botnet campaign, making immediate patching and post-compromise investigation and remediation critical for all affected organizations.
3.2.1 IMPROPER ACCESS CONTROL CWE-284 Visiting through the browser or doing curl on the vulnerable host at Port 9000 responds with a JSON body, revealing information about deployed GPS devices. CVE-2020-17483 has been assigned to this vulnerability.
There is also a separate campaign that deployed a Mirai botnet variant called nuclear.x86 after initial compromise.
https://www.akamai.com/blog/security-research/cve-2023-26801-exploited-spreading-mirai-botnet | LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.
CISA has added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The flaw is a maximum-severity privilege escalation vulnerability (CVSS v4.0: 10.0) residing in the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4... Active exploitation has been observed deploying Mirai botnet variants and a ransomware strain called “Sorry.” | Active exploitation has been observed deploying Mirai botnet variants and a ransomware strain called “Sorry.”
The primary vulnerability at the center of the event and this review (CVE-2021-44228) will be known as the Log4j vulnerability... Analysts at the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) assessed CVE-2021-44228 as a critical vulnerability with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0. | Cisco Talos observed the Internet-of-Things botnet known as Mirai exploiting Log4j;
We observed several instances of CVE-2022-22954 being exploited to drop variants of the Mirai malware. | CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
Instead, they were either non-specific Mirai variants or contained previously known exploits such as CVE-2017-17215. | We observed several instances of CVE-2022-22954 being exploited to drop variants of the Mirai malware.
Researchers warn the observed payloads share similarities to those found in malware used in Mirai-like botnets. | The Cybersecurity and Infrastructure Security Agency previously added the command injection vulnerability, tracked as CVE-2023-33538, to its Known Exploited Vulnerabilities catalog in July 2025. Palo Alto Networks telemetry detected large-scale exploitation attempts at the time.
Following that, cybersecurity teams warned about multiple botnets, including three Mirai variants ... that targeted unpatched devices. | Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface.
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These variants are notable for two reasons: The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017. | CVE-2017-6884 Zyxel routers GET /cgi-bin/luci/... nslookup ? ...
This led to their participation in a Thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016. | The Janit0r took it upon himself to destroy IoT devices so they couldn’t become infected by Mirai, starting with the “colossally dangerous CVE-2016-10372 situation.” The situation referenced was considered dangerous because it allowed attackers to send remote commands to affected devices from anywhere on the Internet (WAN port) and then reconfigure the devices to allow further remote access.
The exploit targeting Apache Struts in the new variant we found targets CVE-2017-5638, an arbitrary command execution vulnerability via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers. | Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These variants are notable for two reasons: The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These variants are notable for two reasons: The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017. | CVE-2018-10561, CVE-2018-10562 Dasan GPON routers Similar to previous campaigns.
Gigabit-capable Passive Optical Network (GPON) routers manufactured by DASAN Zhone Solutions have been found vulnerable to authentication bypass (CVE-2018-10561) and root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device. | Mirai Botnet (new variants) — GPON exploit has also been integrated into a few new variants (operated by different hacking groups) of the infamous Mirai IoT botnet, which first emerged and was open-sourced in 2016 after it was used to launch record-breaking DDoS attacks.
Researchers have uncovered an active Mirai botnet campaign exploiting CVE-2025-29635, a command-injection vulnerability in legacy D-Link DIR-823X routers, to recruit internet-exposed devices into a distributed denial-of-service (DDoS) botnet. | Researchers have uncovered an active Mirai botnet campaign exploiting CVE-2025-29635... Attackers deploy a Mirai malware variant known as “tuxnokill,” which establishes command-and-control (C2) communication, spreads to additional vulnerable IoT devices, and prepares infected systems for large-scale DDoS operations.
The first major wave of such activity was exemplified by the Mirai botnet, which demonstrated how trivial authentication weaknesses could generate terabit-scale attacks targeting global infrastructure.
CVE-2022-36553: A command injection vulnerability in the popen.cgi component of Hytec Inter HWL-2511-SS devices allows an authenticated attacker to execute arbitrary commands.
CVE-2025-9528: A vulnerability in the Linksys E1700 router's systemCommand function allows an authenticated remote attacker to perform OS command injection.
CVE-2024-3721: A critical command injection vulnerability in certain TBK DVR models allows an unauthenticated remote attacker to execute arbitrary commands via crafted HTTP requests.
CVE-2025-4008: A command injection vulnerability in the web interface of Meteobridge allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.
CVE-2025-34043: A remote command injection vulnerability in Vacron Network Video Recorder (NVR) devices allows unauthenticated attackers to execute arbitrary commands on the operating system.
CVE-2014-3206: Seagate BlackArmor NAS products are vulnerable to remote command execution via the session and auth_name parameters in certain web endpoints.
CVE-2020-10987: The setUsbUnload endpoint in Tenda AC15 and AC1900 routers contains a command injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary system commands.
CVE-2020-9054: A command injection vulnerability in the weblogin.cgi component of multiple Zyxel NAS products allows an unauthenticated remote attacker to execute arbitrary OS commands.
CVE-2024-10914: An unauthenticated remote command injection vulnerability in legacy D-Link NAS devices, particularly in the account_mgr.cgi script, allows an attacker to execute arbitrary shell commands.
CVE-2023-41011: A command execution vulnerability in the shortcut_telnet.cg component of the China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code.
CVE-2013-1599: A command injection vulnerability in the rtpd.cgi component of D-Link IP Cameras allows an unauthenticated remote attacker to execute arbitrary commands via a crafted query string.
CVE-2023-23333: A command injection vulnerability in downloader.php within SolarView Compact devices allows an unauthenticated remote attacker to execute arbitrary commands.
CVE-2022-40619: A firewall authentication bypass vulnerability affects FortiGate, FortiProxy, and FortiSwitchManager, allowing an attacker to perform operations on the administrative interface.
Groups observed using it
7 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Even Killnet relies on volunteer cyber partisans, but its structure also includes dedicated sub-groups leveraging IoT botnet infrastructures such as Mirai.
FBI Director Chris Wray last Wednesday disclosed an operation to disrupt a Mirai-variant botnet that has exploited more than 260,000 IoT devices globally.
The operator -- a Chinese-speaking actor using the handle angelalk21 (QQ: 597118859, Telegram: @Kuru_x86) -- runs a Mirai-fork botnet with a novel DNS byte-swap anti-analysis technique that causes passive DNS researchers to track decoy IPs in Japan and the US while the real C2 sits in Germany.
...ultimately deploying the Mirai botnet malware and other DDoS-related programs on compromised devices and servers.
Hackers are exploiting vulnerabilities in end-of-life GeoVision IoT devices and Samsung’s MagicINFO server to expand the Mirai botnet... Akamai observed attacks in April targeting GeoVision devices... to download and run an ARM variant of Mirai dubbed LZRD.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (2 techniques)
Resource Development (2 techniques)
Initial Access (2 techniques)
Execution (3 techniques)
There is no race condition to win, nor an authentication gap to bridge — a single malformed API call with the right parameter values is sufficient to escalate to root.
The attack begins with a compact shell script called Universal Bot Downloader that automatically identifies the victim system’s CPU architecture using the uname -m command.
Analysts at the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) assessed CVE-2021-44228 as a critical vulnerability with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0... This reflected the fact that exploitation of the flaw required low attack complexity, no privilege requirements, and no user interaction.
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (2 techniques)
Credential Access (1 technique)
our research’s contribution lies in confirmatory validation: combining theoretical insights from prior literature with direct observation of real-world attack patterns to confirm the persistence of known behaviors, including credential brute-forcing, Mirai-style commands, and Telnet dominance
Discovery (2 techniques)
Command and Control (3 techniques)
This isn’t hypothetical — it’s the entire history of IoT botnets, from Mirai in 2016 through the Aisuru and RondoDox campaigns still running in 2025–2026, which scan the internet for devices with default passwords and enroll them automatically.
Impact (4 techniques)
A variant of Mirai called LiquorBot was used for cryptocurrency mining.
NoName057(16) has been one of the most active collectives targeting western companies and institutions with DDoS attacks... abusing computational resources to direct bot-based denial of service attacks against western representative organizations.
IOCs tracked for this family
474 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A foundational IoT botnet family referenced as the code lineage for newer botnet variants in the article; associated with router-to-router replication and mass scanning of vulnerable devices.
Botnet malware observed exploiting the cited UniFi OS vulnerabilities in active campaigns.
IoT botnet malware known for scanning the internet for devices with default passwords and automatically enrolling them into a botnet.
IoT botnet used to launch a multivector DDoS attack against Dyn, including DNS water torture behavior via compromised IoT devices generating pseudo-random subdomain queries.