BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details


Global rank
32 infographic chevron month
Month rank
36 infographic chevron week
Week rank

Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining.

1 September, 2016
First seen
22 May, 2024
Last seen

How to analyze Mirai with ANY.RUN

1 September, 2016
First seen
22 May, 2024
Last seen


IP addresses
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 48
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 657
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 564
comments 0

What is Mirai malware?

Mirai is a botnet that has been targeting Internet of Things (IoT) devices since September 2016. It initially gained notoriety with denial-of-service attacks on several high-profile targets, including Krebs on Security, a blog run by the notable cybersecurity expert and journalist Brian Krebs. The botnet exploited the lack of security in IoT devices in the form of weak passwords, using them to generate massive traffic to overwhelm the target services.

The original developers, three college students from the United States, made the Mirai malware source code public in 2017 in an attempt to demonstrate their willingness to abandon criminal activity. However, this led to the creation of numerous variants of the malware, such as Hajime and Sylveon, as well as an influx of new threat actors employing these in their attacks.

Since then, the botnet has been experiencing a continuous evolution, gaining additional capabilities and exploiting new vulnerabilities found in different devices. It has been employed in numerous campaigns, by 2022 becoming one the largest botnets. According to some estimates, the Mirai malware has been used to infect over half a million IoT products.

Mirai's rise and scale can be attributed to a combination of factors. These include efficient spreading based on Internet-wide scanning and the widespread use of insecure default passwords in IoT products.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Mirai malware technical details

On the basic level, Mirai uses brute forcing to infect new devices. Here are the four stages that define its typical operation:

  • It begins by scanning the internet for vulnerable IoT devices by sending TCP probes to IPv4 addresses.
  • Once it identifies a potential victim, it attempts to log in using a list of popular credentials.
  • Upon successful login, the malware uses its loader module to download and execute a malicious program on the device. Once a device is infected, it becomes part of the botnet and begins scanning the internet for other vulnerable devices to infect.
  • Mirai then engages the infected devices to launch DDoS attacks.

The malware usually communicates with the command-and-control (C2) over the TCP protocol. Yet, there are also TLS-capable variants.

After establishing its presence on a device, Mirai kills any processes associated with the activity of other botnets, such as Gafgyt, that might have infected it prior.

Over the past years, Mirai variants have been able to infect thousands of devices by abusing various vulnerabilities. For instance, in 2020, one Mirai variant took advantage of a security flaw (CVE-2020-9054) in Zyxel NAS devices, which allowed the malware to employ special characters to inject malicious commands and take control of devices.

Another vulnerability used by Mirai, which was identified in Comtrend VR-3033 routers in 2020, was CVE-2020-10173. It enabled attackers to compromise the network managed by the router by injecting malicious commands into its authentication process.

In 2022, Mirai was observed to explore the Spring4Shell vulnerability (CVE-2022-22965) by uploading its executable to target devices’ '/tmp' folder and leveraging the 'chmod' command to launch it.

Many variants of Mirai implement modified UPX packing to complicate the analysis process of their executables and make them more lightweight.

One of the latest variants of Mirai, NoaBot, which was first spotted in 2024, leverages SSH login brute forcing capabilities. Instead of launching DDoS attacks, it turns infected devices into crypto-mining machines.

Mirai execution process

Let’s take a look at how a typical Mirai malware attack unfolds by submitting a sample of this malware to the ANY.RUN sandbox.

Mirai infects the Ubuntu system typically through exposed and vulnerable Telnet or SSH ports. Once access is gained, Mirai downloads its binary from a C2server or through a peer-to-peer network onto the infected system.

To ensure persistence, Mirai may attempt to disable security software, delete competing malware, and create copies of itself in various system directories. It may also modify system startup scripts or use cron jobs to ensure it is executed on system reboot.

The infected system starts scanning the internet for other vulnerable devices by randomly generating IP addresses and attempting to log in using the same list of default credentials, infecting more devices.

The infected device establishes a connection with a C2 server to receive instructions from the botnet operator. These instructions can include launching DDoS attacks, downloading additional payloads, or updating.

It's important to note that the exact execution chain can vary depending on the variant of Mirai and the specific configuration of the infected system.

Mirai Suricata rule in ANY.RUN Suricata rule used for detecting Mirai in ANY.RUN

Mirai malware distribution methods

Unlike most malware families, such as Remcos and NjRAT, Mirai is not distributed via phishing emails or other common attack vectors. Instead, since it is a botnet, Mirai relies on self-propagation. This allows the botnet to grow rapidly and become more powerful, enabling it to launch larger and more devastating attacks.


To protect against Mirai and its variants, it is important to ensure that all IoT devices are secured with strong, unique passwords and that any known vulnerabilities are patched as soon as possible. To conduct Mirai malware analysis to see how the latest variants operate, use the ANY.RUN sandbox.

By executing Mirai in a controlled environment, you can observe its behavior and network activity without risking infection of your own infrastructure. This will enable you to identify the vulnerabilities employed by the malware, as well as expose its C2 servers.

Sign up for ANY.RUN now – it’s free!


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy