Mirai
Mirai is an IoT botnet first seen in August 2016, built by three American college-age developers to power a Minecraft DDoS-for-hire business. It spread by scanning for devices with open telnet ports and brute-forcing logins using a table of 62 default credentials common to IP cameras, routers, and DVRs. At its peak it controlled roughly 380,000 devices. In September 2016 it hit security journalist Brian Krebs with a 620 Gbps attack, then followed with a 1+ Tbps attack on hosting provider OVH. On October 21, 2016, an attack on DNS provider Dyn knocked Twitter, Reddit, Netflix, Amazon, and dozens of other major platforms offline for most of a day.
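The scanning behaviour described above is the easiest part of an infection to spot from the network side: a compromised device starts sending bare SYNs to many unrelated addresses on TCP/23 (and, for a fraction of probes, TCP/2323). The following detector is an added example written for this page, not code from Mirai or from any report cited here. It assumes a constructed flow-log line format (`<ISO8601 ts> <src> -> <dst>:<dport> <tcp flags>`) and uses TEST-NET addresses as sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Ports the original Mirai scanner probes: TCP/23 on every probe, TCP/2323 on a fraction.
TELNET_PORTS = {23, 2323}

# Constructed flow-log format for this example: "<ISO8601 ts> <src> -> <dst>:<dport> <tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def find_telnet_scanners(lines, window_s=60, min_targets=20):
    """Return {src: peak distinct telnet targets in one window} for sources over the threshold.

    The signal is fan-out, not volume: a Mirai-style scanner sends bare SYNs to many
    unrelated addresses on 23/2323 in a short burst, while an administrator opens a
    handful of sessions to known devices.
    """
    targets = defaultdict(set)  # (src, window bucket) -> distinct dst addresses
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dport"] not in TELNET_PORTS or rec["flags"] != "S":
            continue
        bucket = int(rec["ts"].timestamp()) // window_s
        targets[(rec["src"], bucket)].add(rec["dst"])
    peak = defaultdict(int)
    for (src, _bucket), dsts in targets.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= min_targets}


def build_flow_sample():
    """Constructed flow lines (TEST-NET addresses), not captured traffic."""
    stamp = "2026-04-14T10:00:%02dZ"
    lines = []
    # One host sweeps 25 different addresses within ten seconds, one probe in ten on 2323.
    for i in range(25):
        port = 2323 if i % 10 == 0 else 23
        lines.append(f"{stamp % (i % 10)} 192.0.2.10 -> 203.0.113.{i + 1}:{port} S")
    # An admin host opens two telnet sessions to known devices.
    lines.append(f"{stamp % 5} 192.0.2.20 -> 198.51.100.7:23 S")
    lines.append(f"{stamp % 30} 192.0.2.20 -> 198.51.100.8:23 S")
    # A busy web client produces many SYNs, but to 443, so it is never counted.
    for i in range(30):
        lines.append(f"{stamp % (i % 10)} 192.0.2.30 -> 198.51.100.{i + 10}:443 S")
    return lines


if __name__ == "__main__":
    for src, n in find_telnet_scanners(build_flow_sample()).items():
        print(f"{src}: {n} distinct telnet targets in one 60s window")
```

The threshold and window are the tuning knobs: on a segment where nothing should ever initiate telnet, `min_targets` can be set very low, while a management VLAN needs a higher value so routine device administration does not alert.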
The source code went up on HackForums on September 30, 2016. That single release turned one botnet into an open-source framework anyone could fork, and the variant count took off. Cloudflare identified 33 independent C2 clusters running their own Mirai forks within weeks. Variants like Satori, Moobot, MANGA, and dozens more each bolted on new device exploits while keeping the core scanning and attack architecture intact. The original authors pleaded guilty in December 2017 and received probation after cooperating extensively with the FBI.
The bot is written in C and compiled for seven architectures including ARM, MIPS, x86, SPARC, and PowerPC, covering the range of processors found in embedded devices. On infection it deletes its binary, randomizes its process name, and runs entirely from memory. A killer module terminates competing malware and locks down SSH and telnet to block reinfection. The C2 server, written in Go, accepts bot connections over a binary TCP protocol. Attack commands cover TCP SYN and ACK floods, UDP floods with DNS amplification, GRE floods, and HTTP layer-7 attacks. Modern variants have added RC4 string encryption, anti-VM checks, and cryptomining payloads on top of the DDoS core.
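The string obfuscation mentioned above is worth seeing concretely, because it is what an analyst undoes first when triaging a sample to pull out the C2 hostname and the process names the killer hunts. The block below is an added example written for this page; it reimplements the scheme from the leaked bot's table.c in Python and is not code from the leak or from any cited report. It assumes the original key value 0xDEADBEEF, which forks often change, and the sample blob is constructed, not taken from a real sample.

```python
# Reimplementation of the string-table obfuscation in the leaked Mirai bot (table.c).
# The bot stores its strings (C2 name, process names for the killer, HTTP headers) XORed
# and decodes an entry only while it is in use. The routine XORs each byte with the four
# bytes of a 32-bit key in turn, which is the same as XORing with one byte: for the
# original key 0xDEADBEEF that byte is 0x22, the value most write-ups quote.

TABLE_KEY = 0xDEADBEEF  # key in the leaked source; forks often swap in another value


def key_bytes(key32):
    """Split a 32-bit key into its four bytes, least significant first."""
    return [(key32 >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def effective_key(key32=TABLE_KEY):
    """The single byte that four successive XORs with k1..k4 collapse to."""
    k1, k2, k3, k4 = key_bytes(key32)
    return k1 ^ k2 ^ k3 ^ k4


def toggle(data, key32=TABLE_KEY):
    """Obfuscate or deobfuscate `data` as the bot's toggle routine does (it is self-inverse)."""
    k = effective_key(key32)
    return bytes(b ^ k for b in data)


def brute_force_effective_key(blob, marker=b"/proc/"):
    """For a fork with an unknown key, try all 256 single-byte keys and return those under
    which `marker` appears in the decoded output. `/proc/` is a reasonable anchor because
    the killer module walks the proc filesystem; any string you expect in the table will do."""
    return [k for k in range(256) if marker in bytes(b ^ k for b in blob)]


# Constructed sample: two entries as a hypothetical fork using key byte 0x5A would store them.
SAMPLE_FORK_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ SAMPLE_FORK_KEY for b in b"/proc/\x00/proc/self/exe\x00")


if __name__ == "__main__":
    print(f"effective key for 0x{TABLE_KEY:08X}: 0x{effective_key():02X}")
    for k in brute_force_effective_key(SAMPLE_BLOB):
        print(f"candidate key 0x{k:02X}: {toggle(SAMPLE_BLOB, k)!r}")
```

Because the four XORs collapse to one byte, a single known plaintext fragment is enough to recover the key of a fork that changed `TABLE_KEY`; the variants that moved to RC4 need a proper key extraction from the binary instead.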
C2 infrastructure across the modern Mirai ecosystem leans on free dynamic DNS services. DuckDNS is the most common. Operators skew young and technically unsophisticated, running forks of the leaked source with minimal changes. C2 domains are short-lived and scattered across budget VPS providers worldwide. The high sample-to-host ratio in the wild reflects how trivially the source recompiles for different architectures with minor config tweaks.
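Given that the ecosystem leans on free dynamic DNS and that C2 names are short-lived, resolver logs are a cheap place to look: a bot re-resolves its C2 name on every reconnect, so an IoT device that repeatedly looks up one dynamic-DNS hostname, especially as the answer moves between budget VPS addresses and eventually turns into NXDOMAIN, stands out. The triage script below is an added example for this page, not code from any cited report. It assumes a constructed resolver-log line format (`<ts> <client> <qname> A <answer IP | NXDOMAIN>`); duckdns.org is the provider named above, and the other suffixes in the watch list are common free providers added as an assumption of the example. Hostnames and addresses in the sample are placeholders, not indicators.

```python
import re
from collections import defaultdict

# Free dynamic-DNS zones to watch. duckdns.org is the provider named above; the others are
# common free providers added here as an assumption of this example, not a list from the page.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org", "dynu.com")

# Constructed resolver-log format: "<ts> <client> <qname> A <answer IP | NXDOMAIN>"
DNS_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>[\d.]+)\s+(?P<qname>\S+)\s+A\s+(?P<answer>[\d.]+|NXDOMAIN)$"
)


def ddns_zone(qname):
    """Return the matching dynamic-DNS suffix for a query name, or None."""
    name = qname.rstrip(".").lower()
    for suffix in DDNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def triage_ddns(lines, min_queries=3):
    """Summarise dynamic-DNS lookups per client.

    Returns {client: {qname: {"queries": n, "answers": [distinct IPs in first-seen order],
    "nxdomain": m}}} for (client, qname) pairs queried at least `min_queries` times.
    Repeated lookups of one dynamic-DNS name from a device that should never need one,
    with the answer changing or dying into NXDOMAIN as the operator moves hosts, is the
    pattern to surface; a single lookup from a workstation usually is not.
    """
    stats = defaultdict(
        lambda: defaultdict(lambda: {"queries": 0, "answers": [], "nxdomain": 0})
    )
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m or ddns_zone(m["qname"]) is None:
            continue
        entry = stats[m["client"]][m["qname"].rstrip(".").lower()]
        entry["queries"] += 1
        if m["answer"] == "NXDOMAIN":
            entry["nxdomain"] += 1
        elif m["answer"] not in entry["answers"]:
            entry["answers"].append(m["answer"])
    return {
        client: {q: e for q, e in names.items() if e["queries"] >= min_queries}
        for client, names in stats.items()
        if any(e["queries"] >= min_queries for e in names.values())
    }


def build_dns_sample():
    """Constructed resolver log lines; hostnames and addresses are placeholders, not IoCs."""
    return [
        # A camera on the IoT segment keeps resolving one name; the answer moves, then the name dies.
        "2026-04-14T01:00:00Z 10.0.50.12 placeholder-c2.duckdns.org A 203.0.113.9",
        "2026-04-14T01:05:00Z 10.0.50.12 placeholder-c2.duckdns.org A 203.0.113.9",
        "2026-04-14T01:10:00Z 10.0.50.12 placeholder-c2.duckdns.org A 203.0.113.9",
        "2026-04-14T02:00:00Z 10.0.50.12 placeholder-c2.duckdns.org A 198.51.100.44",
        "2026-04-14T02:05:00Z 10.0.50.12 placeholder-c2.duckdns.org A 198.51.100.44",
        "2026-04-14T03:00:00Z 10.0.50.12 placeholder-c2.duckdns.org A NXDOMAIN",
        # A workstation resolves a home NAS once; below the threshold.
        "2026-04-14T01:30:00Z 10.0.10.5 home-nas.duckdns.org A 192.0.2.77",
        # Another camera polls a vendor site repeatedly; not a dynamic-DNS zone, so ignored.
        "2026-04-14T01:00:00Z 10.0.50.13 update.example.com A 192.0.2.10",
        "2026-04-14T01:10:00Z 10.0.50.13 update.example.com A 192.0.2.10",
        "2026-04-14T01:20:00Z 10.0.50.13 update.example.com A 192.0.2.10",
    ]


if __name__ == "__main__":
    for client, names in triage_ddns(build_dns_sample()).items():
        for qname, e in names.items():
            print(f"{client} -> {qname}: {e['queries']} lookups, answers {e['answers']}, "
                  f"{e['nxdomain']} NXDOMAIN")
```

The output is a triage list, not a verdict: the follow-up is to check whether the client has any business resolving a dynamic-DNS name at all and whether it also opened outbound connections to the answered addresses.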
Close to a decade after the source leak, Mirai derivatives are still one of the most active botnet families in the wild. The target surface has grown well past the original IP cameras and home routers to include Android TVs, NAS appliances, enterprise network gear, and industrial monitoring systems. New variants regularly fold in fresh CVEs within days of disclosure. The Aisuru variant, spreading mainly through compromised Android TVs, launched a 31.4 Tbps DDoS attack in December 2025, the largest ever publicly recorded.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 3 |
| Apr 13, 2026 | 3 |
| Apr 12, 2026 | 5 |
| Apr 11, 2026 | 4 |
| Apr 10, 2026 | 6 |
| Apr 9, 2026 | 5 |
| Apr 8, 2026 | 2 |
Further Reading
Krebs' investigation identifying Paras Jha as the Mirai author. Traces the Minecraft DDoS-for-hire ecosystem, the competitive dynamics between ProTraf and ProxyPipe, and the path from Qbot to Mirai.
Cloudflare's source code walkthrough covering the scanner, killer module, C2 protocol, string obfuscation, and cross-architecture compilation. Identifies 33 independent C2 clusters post-leak.
Coverage of the sentencing: five years' probation, 2,500 hours of community service, and $127K in restitution. The authors avoided prison after 1,000+ hours of FBI cooperation, including the Kelihos takedown.
Documents the ongoing scale of Mirai-derived DDoS activity. 21.3 million attacks blocked in 2024. Attacks exceeding 1 Tbps grew 1,885% quarter-over-quarter in Q4 2024.
Akamai's April 2025 discovery of Mirai variants targeting discontinued GeoVision devices via CVE-2024-6047 and CVE-2024-11120. Shows how quickly new CVEs get folded into the ecosystem.
NSFOCUS analysis of the 2023 wave of Mirai derivatives. Covers HailBot's China-linked activity, kiraiBot's propagation methods, and catDDoS infrastructure.
Qualys documents the Murdoc botnet exploiting AVTECH cameras and Huawei HG532 routers. A Corona Mirai variant active from July 2024.
Fortinet's survey of the variant ecosystem including Moobot, MANGA, Satori, and others. Tracks how each variant adds exploit modules while preserving the core framework.
Kaspersky's analysis of a variant exploiting TBK DVR systems via CVE-2024-3721. Covers the infection chain and C2 communication patterns.