Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Mirai

42
Global rank
25 infographic chevron month
Month rank
23 infographic chevron week
Week rank
0
IOCs

Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining.

Botnet
Type
USA
Origin
1 September, 2016
First seen
3 July, 2026
Last seen

How to analyze Mirai with ANY.RUN

Type
USA
Origin
1 September, 2016
First seen
3 July, 2026
Last seen

IOCs

IP addresses
182.247.149.144
119.123.76.233
181.5.249.167
177.188.94.100
59.178.0.251
59.94.100.185
201.238.0.244
118.36.113.109
123.11.37.128
59.178.67.110
123.175.54.196
196.185.119.41
182.246.57.58
181.225.149.247
1.70.99.13
111.92.10.204
1.48.38.194
88.238.25.110
181.225.148.219
112.86.153.79
Domains
higher.makeup
menherabotnet.p-e.kr
femboyservicesapi.xyz
nzr.narxzz.biz.id
botnet.botnet.xd.67.flightleaks.xyz
9932.duckdns.org
jaffacakes118-is-a-stupid-nigger.online
anunna.club
a.deadnig.ga
scan.rapeme.fun
dotheneedfull.xyz
ardp.hldns.ru
hoaxcalls.pw
fksdjfaksj321bots.mybiadboats.xyz
vstress.pw
thiccnigga.me
panel.devilsden.net
xabolfpzbz.ukrainianhorseriding.com
switchnets.net
scan.casualaffinity.net
Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4719
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 9467
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7456
comments 0

What is Mirai malware?

Mirai is a botnet that has been targeting Internet of Things (IoT) devices since September 2016. It initially gained notoriety with denial-of-service attacks on several high-profile targets, including Krebs on Security, a blog run by the notable cybersecurity expert and journalist Brian Krebs. The botnet exploited the lack of security in IoT devices in the form of weak passwords, using them to generate massive traffic to overwhelm the target services.

The original developers, three college students from the United States, made the Mirai malware source code public in 2017 in an attempt to demonstrate their willingness to abandon criminal activity. However, this led to the creation of numerous variants of the malware, such as Hajime and Sylveon, as well as an influx of new threat actors employing these in their attacks.

Since then, the botnet has been experiencing a continuous evolution, gaining additional capabilities and exploiting new vulnerabilities found in different devices. It has been employed in numerous campaigns, by 2022 becoming one the largest botnets. According to some estimates, the Mirai malware has been used to infect over half a million IoT products.

Mirai's rise and scale can be attributed to a combination of factors. These include efficient spreading based on Internet-wide scanning and the widespread use of insecure default passwords in IoT products.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Mirai malware technical details

On the basic level, Mirai uses brute forcing to infect new devices. Here are the four stages that define its typical operation:

  • It begins by scanning the internet for vulnerable IoT devices by sending TCP probes to IPv4 addresses.
  • Once it identifies a potential victim, it attempts to log in using a list of popular credentials.
  • Upon successful login, the malware uses its loader module to download and execute a malicious program on the device. Once a device is infected, it becomes part of the botnet and begins scanning the internet for other vulnerable devices to infect.
  • Mirai then engages the infected devices to launch DDoS attacks.

The malware usually communicates with the command-and-control (C2) over the TCP protocol. Yet, there are also TLS-capable variants.

After establishing its presence on a device, Mirai kills any processes associated with the activity of other botnets, such as Gafgyt, that might have infected it prior.

Over the past years, Mirai variants have been able to infect thousands of devices by abusing various vulnerabilities. For instance, in 2020, one Mirai variant took advantage of a security flaw (CVE-2020-9054) in Zyxel NAS devices, which allowed the malware to employ special characters to inject malicious commands and take control of devices.

Another vulnerability used by Mirai, which was identified in Comtrend VR-3033 routers in 2020, was CVE-2020-10173. It enabled attackers to compromise the network managed by the router by injecting malicious commands into its authentication process.

In 2022, Mirai was observed to explore the Spring4Shell vulnerability (CVE-2022-22965) by uploading its executable to target devices’ '/tmp' folder and leveraging the 'chmod' command to launch it.

Many variants of Mirai implement modified UPX packing to complicate the analysis process of their executables and make them more lightweight.

One of the latest variants of Mirai, NoaBot, which was first spotted in 2024, leverages SSH login brute forcing capabilities. Instead of launching DDoS attacks, it turns infected devices into crypto-mining machines.

Mirai execution process

Let’s take a look at how a typical Mirai malware attack unfolds by submitting a sample of this malware to the ANY.RUN sandbox.

Mirai infects the Ubuntu system typically through exposed and vulnerable Telnet or SSH ports. Once access is gained, Mirai downloads its binary from a C2server or through a peer-to-peer network onto the infected system.

To ensure persistence, Mirai may attempt to disable security software, delete competing malware, and create copies of itself in various system directories. It may also modify system startup scripts or use cron jobs to ensure it is executed on system reboot.

The infected system starts scanning the internet for other vulnerable devices by randomly generating IP addresses and attempting to log in using the same list of default credentials, infecting more devices.

The infected device establishes a connection with a C2 server to receive instructions from the botnet operator. These instructions can include launching DDoS attacks, downloading additional payloads, or updating.

It's important to note that the exact execution chain can vary depending on the variant of Mirai and the specific configuration of the infected system.

Mirai Suricata rule in ANY.RUN Suricata rule used for detecting Mirai in ANY.RUN

Mirai malware distribution methods

Unlike most malware families, such as Remcos and NjRAT, Mirai is not distributed via phishing emails or other common attack vectors. Instead, since it is a botnet, Mirai relies on self-propagation. This allows the botnet to grow rapidly and become more powerful, enabling it to launch larger and more devastating attacks.

Conclusion

To protect against Mirai and its variants, it is important to ensure that all IoT devices are secured with strong, unique passwords and that any known vulnerabilities are patched as soon as possible. To conduct Mirai malware analysis to see how the latest variants operate, use the ANY.RUN sandbox.

By executing Mirai in a controlled environment, you can observe its behavior and network activity without risking infection of your own infrastructure. This will enable you to identify the vulnerabilities employed by the malware, as well as expose its C2 servers.

Sign up for ANY.RUN now – it’s free!

HAVE A LOOK AT

Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
Phobos screenshot
Phobos
phobos ransomware
Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.
Read More
FatalRAT screenshot
FatalRAT
fatalrat
FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More
Miolab Stealer screenshot
Miolab Stealer is a macOS malware threat designed to steal user credentials and sensitive files without raising immediate suspicion. It relies on fake system prompts and legitimate built-in tools to make malicious actions look routine. Instead of causing obvious disruption, it quietly collects valuable data and prepares it for exfiltration from the device. By blending deception with trusted macOS behavior, it increases the chance that the attack will go unnoticed in its early stages. This makes early behavioral detection critical before the theft of credentials and files is complete.
Read More
Neptune RAT screenshot
Neptune RAT is a Visual Basic .NET remote access trojan that gives attackers full control over infected Windows machines while stealing credentials from 270+ applications, hijacking cryptocurrency transactions, spying on victims in real time, and, in its most destructive mode, wiping the operating system entirely. Marketed openly on GitHub, Telegram, and YouTube as the "Most Advanced RAT," it is distributed under a malware-as-a-service model.
Read More