Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Mirai

56
Global rank
28
Month rank
39 infographic chevron week
Week rank
0
IOCs

Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining.

Botnet
Type
USA
Origin
1 September, 2016
First seen
21 September, 2025
Last seen

How to analyze Mirai with ANY.RUN

Type
USA
Origin
1 September, 2016
First seen
21 September, 2025
Last seen

IOCs

IP addresses
181.225.149.247
177.188.94.100
201.238.0.244
119.123.76.233
112.86.153.79
59.94.100.185
88.238.25.110
118.36.113.109
59.178.0.251
123.11.37.128
123.175.54.196
196.185.119.41
182.246.57.58
181.5.249.167
1.70.99.13
111.92.10.204
1.48.38.194
59.178.67.110
181.225.148.219
182.247.149.144
Hashes
ad9c490813f5002cda86d665c6dd31f8df2a42abedc3cb10cefcae13e934930d
2423c19f3fa5ddc98fc8c734aea73fa477f04ed1233a8eddd00156b819e218b8
0ef44ca96baef8389c183c8d8ee77f2b92b4e97f26c7aa957e0488f0a42dc526
9938651cd4c87ed5b7f4c9837a2b46a0c2ebb75b34c325800ff0f9f95d6894ba
63c88d51ae43fe6f7bb8fe59e04c929802d60e635aa434ce3d23b3ba84c3b741
43a4a0183be4f67dc7757fd2068e7c3a604423abe3b5e71ad03b9f382a70899f
8ab38316dd9c8b70c1e4d601770ba222b4c5f342a772681e1763910be14170c4
ea8926384858a5355ea0e7d754ef801c4b03af3839c6473bc5b60fc21fa0430c
08f8e782c0fd940635f303262cc9f5b73cf58c0c95cb2410114c0332753e3461
984e3565cdf897a62523a6776c16835634be7312a415d8c36c56ce14545539d7
6f1da6623189a369e919942eda96a280333476c065f7f52dc104835e7784c7b0
d733c30cdcfa05cb279e4a8c3f7cf092d48c6c4dec7025a90f2a153b05914cee
3a7ec96897b3ebdcbfcfbd512861c1a32d0c50db51c989727141a4f9ad837aa3
67fa1fdd741361dcf8166030b0f8ba08d5783626b670e6634ec2fb12787af32e
ce277882232c954e57d5759a0f9a6a0017d55b4b5e2e5ecc582b5c5c171795dc
ffee0e6b7173221b17db16db6f57a20be846bcc0991f6788ba75dfcd3a308ebf
c721abbdeaf2852ea602291ab947efc11ee71b1563875003c0a84c153aa784d6
b79ea5e0d1a8ebed13a68bc544a60dc82dd08b9f2658b8a04e0d98bce2335d8a
36829995308538e94b3c3846142dad7a686e78b6dd1951b1b72ee889bca45bcf
e5efb3bd5132c70ee1682df8843ae4fc41c351fe1566822e9c022c95f36c3d5b
Domains
u.ilovegaysex.su
bilibili.osfc.org.cn
trannynet.adgods.uk
updatetoto.tw
n11212021020.netvigator.com
coerece.ilovegaysex.su
xsopflgg.bounceme.net
a.6mv1eyr328y6due83u3js6whtzuxfyhw.ru
daimao.dpdns.org
wither-xmr.duckdns.org
ajnetwork.ddns.net
voxelnodes.in
lm.mutao.in
softdetails.ru
xc355.bounceme.net
badworldgama.top
fluu.badworldgama.top
hoaxcalls.pw
vstress.pw
anunna.club
Last Seen at

Recent blog posts

post image
Efficient SOC: How to Detect and Solve Incide...
watchers 549
comments 0
post image
ANY.RUN & Palo Alto Networks Cortex XSOAR...
watchers 645
comments 0
post image
Lazarus Group Attacks in 2025: Here's Everyth...
watchers 4025
comments 0

What is Mirai malware?

Mirai is a botnet that has been targeting Internet of Things (IoT) devices since September 2016. It initially gained notoriety with denial-of-service attacks on several high-profile targets, including Krebs on Security, a blog run by the notable cybersecurity expert and journalist Brian Krebs. The botnet exploited the lack of security in IoT devices in the form of weak passwords, using them to generate massive traffic to overwhelm the target services.

The original developers, three college students from the United States, made the Mirai malware source code public in 2017 in an attempt to demonstrate their willingness to abandon criminal activity. However, this led to the creation of numerous variants of the malware, such as Hajime and Sylveon, as well as an influx of new threat actors employing these in their attacks.

Since then, the botnet has been experiencing a continuous evolution, gaining additional capabilities and exploiting new vulnerabilities found in different devices. It has been employed in numerous campaigns, by 2022 becoming one the largest botnets. According to some estimates, the Mirai malware has been used to infect over half a million IoT products.

Mirai's rise and scale can be attributed to a combination of factors. These include efficient spreading based on Internet-wide scanning and the widespread use of insecure default passwords in IoT products.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Mirai malware technical details

On the basic level, Mirai uses brute forcing to infect new devices. Here are the four stages that define its typical operation:

  • It begins by scanning the internet for vulnerable IoT devices by sending TCP probes to IPv4 addresses.
  • Once it identifies a potential victim, it attempts to log in using a list of popular credentials.
  • Upon successful login, the malware uses its loader module to download and execute a malicious program on the device. Once a device is infected, it becomes part of the botnet and begins scanning the internet for other vulnerable devices to infect.
  • Mirai then engages the infected devices to launch DDoS attacks.

The malware usually communicates with the command-and-control (C2) over the TCP protocol. Yet, there are also TLS-capable variants.

After establishing its presence on a device, Mirai kills any processes associated with the activity of other botnets, such as Gafgyt, that might have infected it prior.

Over the past years, Mirai variants have been able to infect thousands of devices by abusing various vulnerabilities. For instance, in 2020, one Mirai variant took advantage of a security flaw (CVE-2020-9054) in Zyxel NAS devices, which allowed the malware to employ special characters to inject malicious commands and take control of devices.

Another vulnerability used by Mirai, which was identified in Comtrend VR-3033 routers in 2020, was CVE-2020-10173. It enabled attackers to compromise the network managed by the router by injecting malicious commands into its authentication process.

In 2022, Mirai was observed to explore the Spring4Shell vulnerability (CVE-2022-22965) by uploading its executable to target devices’ '/tmp' folder and leveraging the 'chmod' command to launch it.

Many variants of Mirai implement modified UPX packing to complicate the analysis process of their executables and make them more lightweight.

One of the latest variants of Mirai, NoaBot, which was first spotted in 2024, leverages SSH login brute forcing capabilities. Instead of launching DDoS attacks, it turns infected devices into crypto-mining machines.

Mirai execution process

Let’s take a look at how a typical Mirai malware attack unfolds by submitting a sample of this malware to the ANY.RUN sandbox.

Mirai infects the Ubuntu system typically through exposed and vulnerable Telnet or SSH ports. Once access is gained, Mirai downloads its binary from a C2server or through a peer-to-peer network onto the infected system.

To ensure persistence, Mirai may attempt to disable security software, delete competing malware, and create copies of itself in various system directories. It may also modify system startup scripts or use cron jobs to ensure it is executed on system reboot.

The infected system starts scanning the internet for other vulnerable devices by randomly generating IP addresses and attempting to log in using the same list of default credentials, infecting more devices.

The infected device establishes a connection with a C2 server to receive instructions from the botnet operator. These instructions can include launching DDoS attacks, downloading additional payloads, or updating.

It's important to note that the exact execution chain can vary depending on the variant of Mirai and the specific configuration of the infected system.

Mirai Suricata rule in ANY.RUN Suricata rule used for detecting Mirai in ANY.RUN

Mirai malware distribution methods

Unlike most malware families, such as Remcos and NjRAT, Mirai is not distributed via phishing emails or other common attack vectors. Instead, since it is a botnet, Mirai relies on self-propagation. This allows the botnet to grow rapidly and become more powerful, enabling it to launch larger and more devastating attacks.

Conclusion

To protect against Mirai and its variants, it is important to ensure that all IoT devices are secured with strong, unique passwords and that any known vulnerabilities are patched as soon as possible. To conduct Mirai malware analysis to see how the latest variants operate, use the ANY.RUN sandbox.

By executing Mirai in a controlled environment, you can observe its behavior and network activity without risking infection of your own infrastructure. This will enable you to identify the vulnerabilities employed by the malware, as well as expose its C2 servers.

Sign up for ANY.RUN now – it’s free!

HAVE A LOOK AT

DarkVision screenshot
DarkVision
darkvision
DarkVision RAT is a low-cost, modular Remote Access Trojan that gives attackers remote control of infected Windows hosts. Initially observed around 2020 and sold in underground marketplaces, DarkVision has become notable for its full feature set (keylogging, screen capture, file theft, remote command execution and plugin support) and for being distributed via multi-stage loaders in recent campaigns.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
NetSupport RAT screenshot
NetSupport RAT
netsupport
NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.
Read More
VanHelsing Ransomware screenshot
VanHelsing is a sophisticated ransomware strain that appeared in early 2025, operating via the Ransomware-as-a-Service (RaaS) model and targeting primarily USA and France. It threatens mostly Windows systems but has variants for Linux, BSD, ARM, and ESXi, making it a multi-platform malware. It is also notable for its advanced evasion techniques, double extortion tactics, and rapid evolution.
Read More
ACR Stealer screenshot
ACR Stealer is a modern information-stealing malware designed to harvest sensitive data from infected devices. Like other infostealers, it targets credentials, financial details, browser data, and files, enabling cybercriminals to monetize stolen information through direct fraud or underground market sales.
Read More