Mirai Malware in 2025: Variant Behavior, Exploit Chains, and Mitigation Insights

This post explores the latest Mirai botnet variants actively exploiting critical vulnerabilities in Samsung MagicINFO, DVR devices, and Wazuh servers. It highlights key behaviors observed through sandbox analysis, exploitation techniques, and provides actionable recommendations to defend against these evolving threats.

Jul 21, 2025 - 14:40
Jul 21, 2025 - 14:43

Introduction

Mirai is a prominent malware family that was first released nearly a decade ago. Mirai primarily targets Internet of Things (IoT) devices, turning them into a botnet capable of launching Distributed Denial of Service (DDoS) attacks. Mirai is infamous for orchestrating some of the largest and most disruptive DDoS attacks in history, such as the attack on Dyn in 2016.


Originally, Mirai used brute-force attacks against default passwords on IoT devices for initial access. The malware's general behavior includes downloading additional payloads from remote servers and executing them, while employing anti-emulation techniques to evade detection.
The source code for Mirai was publicly leaked in 2016, leading to numerous variants and a proliferation of Mirai-based botnets. This has allowed other threat actors to easily adapt and deploy their own versions.


Mirai continues to evolve and exploit a range of vulnerabilities for propagation, particularly in IoT devices and servers such as Wazuh. Recent events highlight the exploitation of critical vulnerabilities such as CVE-2025-24016 and CVE-2024-3721, which enable remote code execution via malicious API requests and crafted POST requests that execute shell scripts on vulnerable devices. Notably, since late March 2025, two distinct botnets have been observed leveraging these vulnerabilities to deliver new Mirai variants, including LZRD Mirai, as initially reported by Akamai in June 2025. The ongoing exploitation of these flaws has resulted in significant campaigns targeting thousands of unpatched devices globally, underlining the persistent threat posed by Mirai variants in the cyber landscape.


This post highlights several developments in the behavior and techniques of three recent Mirai variants.

1. Active Exploitation of Samsung MagicINFO (CVE-2024-7399) Enables Mirai Botnet Deployment via Unauthenticated File Upload.

On May 5, 2025, cybersecurity firm Arctic Wolf (@AWNetworks on X, formerly known as Twitter) published a write-up confirming active in-the-wild exploitation of CVE-2024-7399, a critical unauthenticated arbitrary file upload vulnerability in Samsung’s MagicINFO 9 Server, affecting versions prior to 21.1050. MagicINFO 9 is Samsung’s proprietary content management system (CMS) used to remotely manage, schedule, and display digital signage content across commercial environments. CVE-2024-7399 allows unauthenticated threat actors to upload arbitrary files and achieve remote code execution (RCE). In August 2024, Samsung released the MagicINFO 9 Server version 21.1050 to fix CVE-2024-7399.

On May 6, 2025, the SANS Internet Storm Center reported that threat actors had begun exploiting CVE-2024-7399 to deploy Mirai botnet malware. Mirai infects networked devices, primarily Internet of Things (IoT) systems, by exploiting weak credentials and vulnerabilities to launch large-scale distributed denial-of-service (DDoS) attacks. According to SANS Internet Storm Center’s analysis, threat actors send a POST request to a vulnerable SWUpdateFileUploader endpoint, uploading a malicious JSP web shell named “1746466018shell.jsp”. Once executed, 1746466018shell.jsp runs a payload that downloads and executes a bash script file named “ohshit.sh” from a remote IP address. ohshit.sh acts as a multi-architecture downloader, retrieving Mirai bot binaries for various CPU types (for example, x86, MIPS, ARC) and launching them with execution permissions. ohshit.sh also cleans up traces by deleting itself and related files.

Sandbox Analysis
Sandbox analysis of the Mirai botnet sample (SHA256: 3f26e58cd09804d9c38c6613fb976d8a680555f3eac38a46ef7f3927beaadd26) shared by SANS Internet Storm Center revealed that the malware exhibits discovery, defense evasion, rootkit, and botnet capabilities. The sample was packed using the open-source packer UPX. It also matched the sandbox YARA rule for detecting the Mirai botnet family. The malware configuration extracted from the sample identifies its botnet family as “LZRD”.

Once executed, the sample performs the following actions on a victim’s machine:

  • Modifies Watchdog to prevent system restart
  • Enumerates running processes
  • Retrieves runtime system information from the “/proc” virtual file system
  • Attempts to connect to the IP address 176.65.142[.]122 over port 3778
  • Detects debuggers
  • Executes commands to trigger log rotation for specific system log files such as “/var/log/syslog”, “/var/log/mail.log”, and “/var/log/auth.log” to cover tracks of infection
  • Executes “systemctl” to send a hang-up (HUP) signal to the “rsyslog” service, reloading or disrupting system logging for evasion
  • Retrieves the system's kernel version using the “uname” command
  • Terminates running processes

2. Threat Actors Exploit CVE-2024-3721 to Deliver a New Mirai Variant to DVR Devices


On June 6, 2025, Kaspersky Securelist (@Securelist on X, formerly known as Twitter) published an analysis detailing a new Mirai variant delivered through the exploitation of CVE-2024-3721. CVE-2024-3721 is an unauthenticated remote code execution (RCE) vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recorder (DVR) devices running firmware versions up to 20240412.

Kaspersky observed the activity through its Linux honeypots following the April 2024 publication of a proof-of-concept (PoC) exploit by a researcher known as “netsecfish”. The campaign targets internet-exposed DVRs across China, India, Egypt, Ukraine, Russia, Türkiye, and Brazil, with an estimated 50,000 devices still vulnerable.

Based on Kaspersky Securelist’s technical blog, the “/device.rsp” endpoint of their honeypot service received a malicious HTTP POST request exploiting CVE-2024-3721. The POST request includes a single-line shell script that performs the following actions on a Linux machine:

  • Accesses the /tmp directory
  • Removes any existing binary named “arm7”
  • Downloads a binary named “arm7” from the URL hxxp://42.112.26[.]36/arm7
  • Grants arm7 full permissions
  • Executes arm7

Kaspersky Securelist identified arm7 as a new Mirai variant designed for ARM32 DVR architecture. According to Kaspersky Securelist, the new Mirai variant employs string encryption using the RC4 algorithm for obfuscation. Once executed, it performs anti-virtualization and anti-emulation checks by scanning the /proc directory and identifying processes related to VMware or QEMU-arm. It also verifies whether the binary runs from a hard-coded directory list. Once the system passes all these checks, the new Mirai variant launches its full functionality and connects to its command-and-control (C2) server to receive further instructions.

Sandbox Analysis
Sandbox analysis of the two Mirai variants

1. 7461c0f8feac69a39586c4c1ecfeb32627c5a83043721ba0144479efc0f036a1
2. 438dc2a85e37356eefd2d40ac7bafa8c3ad273dd36991d4b155208c3a3d460b5

revealed that the samples perform the following actions on a victim’s machine:

  • Read runtime information and process memory from the /proc virtual filesystem
  • Enumerate running processes
  • Detect debuggers
  • Rename themselves using a legitimate application’s process name for evasion
  • Send DNS requests to mineplex[.]libre and lib[.]libre
  • Detect VM environments and emulators by checking for related strings in memory
  • Retrieve the system's kernel version using the “uname” command
  • Scan the network for running services
  • Modify Watchdog to prevent system restart

3. Two Campaigns Exploit CVE-2025-24016 to Distribute Mirai Variants on Wazuh Servers


On June 9, 2025, the Akamai Security Intelligence Group (@akamai_research on X, formerly known as Twitter) published an analysis detailing two campaigns that exploit CVE-2025-24016 to deliver Mirai variants. CVE-2025-24016 is a critical remote code execution (RCE) vulnerability affecting Wazuh server versions 4.4.0 to 4.9.0. Wazuh is an open-source security information and event management (SIEM) platform. On June 11, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24016 to the Known Exploited Vulnerabilities (KEV) catalog.

Sandbox Analysis
Samples analyzed:

1. From the first campaign: 811cd6ebeb9e2b7438ad9d7c382db13c1c04b7d520495261093af51797f5d4cc
2. From the second campaign: 9d5c10c7d0d5e2ce8bb7f1d4526439ce59108b2c631dd9e78df4e096e612837b

Sandbox analysis detected both samples as malicious. Sample 1 exhibits discovery and defense evasion capabilities, and also matched the sandbox detection rule for the Mirai family. Once executed, both samples perform the following actions on a victim’s machine:

  • Change their process names for evasion
  • Execute the “systemctl” command to manage systemd services
  • Rotate log files for the “Syslog” and Common Unix Printing System (CUPS) services, restart the CUPS service, and reload rsyslog's configuration after log rotation; this manipulation of logs and use of the CUPS service is likely intended for defense evasion, to hide evidence of malicious activity, or may be related to persistence or privilege escalation attempts
  • Enumerate running processes
  • Scan the network for remotely running services

Sample 1 performs the following actions on a victim’s machine:

  • Modifies Watchdog to prevent system restart
  • Accesses the /proc virtual filesystem to enumerate active TCP sockets, retrieve network settings, collect runtime system information, and read process memory
  • Sends a DNS request to jimmyudp-raw[.]xyz over port 60195; jimmyudp-raw[.]xyz resolves to the IP address 209.141.34[.]10 

Sample 2 performs the following actions on a victim’s machine:

  • Detects debuggers
  • Detects virtual machine (VM) environments and emulators by checking for related strings in memory
  • Retrieves the system's kernel version using the “uname” command
  • Sends a malicious UPnP SOAP request to a Huawei router's “DeviceUpgrade_1” endpoint using default credentials to exploit command injection via “NewStatusURL”, downloading a file named “resgod.mips” from hxxp://104.168.101[.]27, saving it inside /tmp/.kx, and executing it
  • Sends a malicious UPnP SOAP request to a vulnerable device to open TCP port 47450 and execute a shell command that downloads resgod.mips from the same URL and runs it
  • Sends a crafted HTTP POST request exploiting command injection via the “remote_host” parameter to execute shell commands that download the “resgod.arm7” binary from the same URL, save it inside /tmp, execute it, and delete it to evade detection

Additionally, sample 1 contains the strings “We got this shit already” and “xXxSlicexXxxVEGA”, and sample 2 contains the string “Resentual Got You!”.
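As an added example (not code from the original post or from any of the vendors cited), the following Python sketch turns the host-side behaviors reported in the sandbox analyses of sections 1 and 3 (watchdog tampering, forced log rotation, rsyslog/CUPS service manipulation, contact with the observed C2 addresses and domains) into a simple per-process correlation check over process telemetry. The event schema, the parent-process names and the exact command lines in the sample events are assumptions; only the indicators are taken from the post.

```python
import re
from collections import defaultdict

# Indicators quoted (undefanged) from the sandbox observations in sections 1 and 3 of this post.
C2_ENDPOINTS = {("176.65.142.122", 3778), ("209.141.34.10", 60195)}
SUSPICIOUS_DOMAINS = {"jimmyudp-raw.xyz", "mineplex.libre", "lib.libre"}
ROTATED_LOGS = ("/var/log/syslog", "/var/log/mail.log", "/var/log/auth.log")
WATCHDOG_DEVICES = ("/dev/watchdog", "/dev/misc/watchdog")
SCHEDULERS = {"cron", "systemd"}  # parents from which log rotation is expected (assumption)

def classify(ev: dict) -> set[str]:
    """Map one event (assumed EDR-style dict) to the behaviour tags it matches."""
    tags, kind = set(), ev.get("type")
    if kind == "exec":
        cmd = ev.get("cmdline", "")
        # Log rotation is routine from cron/systemd; forced rotation of system logs
        # by anything else matches the evasion behaviour described above.
        if "logrotate" in cmd and ev.get("parent") not in SCHEDULERS and (
                re.search(r"(^|\s)(-f|--force)(\s|$)", cmd) or any(p in cmd for p in ROTATED_LOGS)):
            tags.add("forced_log_rotation")
        if re.search(r"\bsystemctl\b.*\b(kill|reload|restart)\b.*\b(rsyslog|cups)\b", cmd):
            tags.add("logging_or_cups_service_manipulation")
    elif kind == "file" and ev.get("path") in WATCHDOG_DEVICES and ev.get("op") in ("write", "ioctl"):
        tags.add("watchdog_tamper")
    elif kind == "connect" and (ev.get("dst"), ev.get("port")) in C2_ENDPOINTS:
        tags.add("known_c2_contact")
    elif kind == "dns" and ev.get("query", "").lower() in SUSPICIOUS_DOMAINS:
        tags.add("known_c2_domain")
    return tags

def detect(events, min_tags: int = 2) -> dict[str, set[str]]:
    """Group tags by process name; report processes showing at least min_tags distinct behaviours."""
    per_proc = defaultdict(set)
    for ev in events:
        per_proc[ev.get("proc", "?")] |= classify(ev)
    return {proc: tags for proc, tags in per_proc.items() if len(tags) >= min_tags}

# Constructed sample telemetry (not taken from the sandbox reports): one routine
# rotation run by cron and one process reproducing the behaviours listed above.
SAMPLE_EVENTS = [
    {"type": "exec", "proc": "logrotate", "parent": "cron", "cmdline": "/usr/sbin/logrotate /etc/logrotate.conf"},
    {"type": "file", "proc": "arm7", "path": "/dev/watchdog", "op": "ioctl"},
    {"type": "exec", "proc": "arm7", "parent": "arm7", "cmdline": "logrotate -f /etc/logrotate.d/rsyslog"},
    {"type": "exec", "proc": "arm7", "parent": "arm7", "cmdline": "systemctl kill -s HUP rsyslog"},
    {"type": "connect", "proc": "arm7", "dst": "176.65.142.122", "port": 3778},
    {"type": "dns", "proc": "arm7", "query": "jimmyudp-raw.xyz"},
]

if __name__ == "__main__":
    for proc, tags in detect(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(sorted(tags))}")
```

The point of requiring several distinct behaviours per process is that any single signal (a log rotation, a systemctl call) is common on a healthy host, whereas the combination is what the sandbox reports describe.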

Recommendations

  • Defending against Mirai primarily involves securing your Internet of Things (IoT) devices and network infrastructure.
  • Keep the operating system and installed software on all systems and servers updated.
  • Change the default credentials of all internet-connected devices.
  • Isolate IoT devices from critical networks and implement strict firewall rules.
  • Disable unnecessary services such as Telnet or remote administration services.
  • Monitor for unusual network activity, especially from IoT devices.
