Threat Intel · HIGH

Mirai Botnets - Evolving DDoS and Proxy Abuse Threats

Source: Cyber Security News
Tags: Mirai, Aisuru, Kimwolf, DDoS, botnet

In short: Mirai botnets use large numbers of compromised devices to launch very large internet attacks.

Quick Summary

The rise of Mirai-based botnets poses a significant threat, with millions of devices compromised. Aisuru and Kimwolf variants are leading the charge, launching massive DDoS attacks. Organizations must act quickly to bolster their defenses against these evolving threats.

What Happened

Over the past year, the internet has witnessed a sharp rise in botnet-driven threats, primarily linked to the notorious Mirai malware family. Originally discovered in 2016, Mirai was designed to scan for vulnerable Internet of Things (IoT) devices, particularly those running on ARC processors. Attackers exploit known security flaws or use default credentials to gain access. What started as a tool for launching Distributed Denial of Service (DDoS) attacks has evolved into a vast ecosystem with numerous active variants targeting millions of devices worldwide.

The public release of Mirai's source code has allowed countless cybercriminals to create their own versions. According to Spamhaus, there was a 26% increase in botnet command and control (C2) servers in the first half of 2025, followed by another 24% rise in the latter half. This surge has pushed the United States to surpass China as the country hosting the most botnet C2 servers, a title China held since late 2023.

Who's Behind It

Researchers from Pulsedive have identified several active Mirai-based botnets, with Aisuru and Kimwolf being the most destructive. Together, they have compromised between one and four million hosts globally. Cloudflare reports that these botnets are responsible for some of the largest DDoS attacks ever recorded, including a staggering 31.4 terabits per second flood. This level of attack capability far exceeds earlier Mirai variants, demonstrating the increasing sophistication and danger of these botnets.

The operators behind Aisuru and Kimwolf have transformed their infrastructure into a criminal enterprise, selling access to compromised devices via platforms like Discord and Telegram. Despite law enforcement efforts, including a recent announcement by the U.S. Department of Justice to disrupt their C2 servers, these botnets continue to adapt and thrive.

Tactics & Techniques

The Kimwolf variant specifically targets Android devices and Smart TVs, infecting approximately two million devices globally. It uses a script to download and execute malicious APK files built for various CPU architectures. Following disruptions to its infrastructure, Kimwolf shifted operations to the Invisible Internet Project (I2P), a decentralized network that offers enhanced anonymity. This move illustrates how quickly these operators respond to law enforcement actions, making them harder to track.

Defensive Measures

Organizations must take proactive steps to protect against these evolving threats. Network providers often offer DDoS protection solutions capable of detecting and blocking bot-driven traffic. Here are some key actions:

  • Utilize protective DNS services to filter suspicious domain queries.
  • Regularly patch publicly accessible network devices, especially routers.
  • Change default credentials on all networking equipment to strong, unique passwords.

By implementing these measures, organizations can better defend against the growing threat posed by Mirai-based botnets and their evolving tactics.
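The article describes two behaviours a compromised device exhibits on the network: scanning for other vulnerable devices, and sending flood traffic once enlisted in a DDoS attack. The following is an added example (not code from the article or from any of the researchers it cites) of how a defender might spot both from ordinary outbound flow records. The flow records, addresses, the scan port and the thresholds are all constructed assumptions chosen for the demonstration; a real deployment would tune them to the network's baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection record from an internal host (NetFlow-style)."""
    ts: float        # seconds since capture start
    src: str         # internal source address
    dst: str         # destination address
    dport: int       # destination port
    bytes_out: int   # bytes sent by src in this flow


def find_scanners(flows, window=60.0, min_distinct_dst=20):
    """Flag hosts that contact many distinct destinations on one port in a window.

    Mirai-style scanning looks like one source fanning out to many targets on
    the same service port. Returns a sorted list of (src, dport, distinct_dsts)
    for each (src, dport) whose busiest window reached min_distinct_dst.
    """
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.src, f.dport, int(f.ts // window))].add(f.dst)
    best = {}
    for (src, dport, _), dsts in buckets.items():
        if len(dsts) >= min_distinct_dst:
            key = (src, dport)
            best[key] = max(best.get(key, 0), len(dsts))
    return sorted((src, dport, n) for (src, dport), n in best.items())


def find_flooders(flows, window=60.0, min_bytes=100_000_000):
    """Flag hosts whose outbound volume in any window reaches min_bytes.

    A device taking part in a volumetric DDoS pushes far more bytes out than a
    TV or router normally would. Returns a sorted list of (src, peak_bytes).
    """
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, int(f.ts // window))] += f.bytes_out
    best = {}
    for (src, _), total in totals.items():
        if total >= min_bytes:
            best[src] = max(best.get(src, 0), total)
    return sorted(best.items())


def _constructed_sample():
    """Constructed flow records for the demo; not captured from any real network."""
    flows = []
    # Benign laptop: a few ordinary HTTPS connections to different sites.
    for i in range(3):
        flows.append(Flow(ts=10.0 + i, src="10.0.0.5",
                          dst=f"203.0.113.{i + 1}", dport=443, bytes_out=1500))
    # Smart TV behaving like a scanner: 30 distinct hosts, same port, 15 seconds.
    # Port 23 (telnet) is used here only as the assumed scan target.
    for i in range(30):
        flows.append(Flow(ts=20.0 + i * 0.5, src="10.0.0.7",
                          dst=f"198.51.100.{i + 1}", dport=23, bytes_out=60))
    # Android box taking part in a flood: 250 MB to one victim in 25 seconds.
    for i in range(50):
        flows.append(Flow(ts=30.0 + i * 0.5, src="10.0.0.12",
                          dst="192.0.2.10", dport=80, bytes_out=5_000_000))
    return flows


SAMPLE_FLOWS = _constructed_sample()


if __name__ == "__main__":
    for src, dport, n in find_scanners(SAMPLE_FLOWS):
        print(f"scan-like fan-out: {src} -> {n} hosts on port {dport}")
    for src, total in find_flooders(SAMPLE_FLOWS):
        print(f"flood-like volume: {src} sent {total / 1e6:.0f} MB in one window")
```

Both detectors work on fixed time buckets, which keeps them cheap enough to run over a whole subnet's flow export; a host that is flagged by either one is a candidate for isolation and for the credential and firmware checks listed above. The thresholds are the main tuning knobs: too low and a busy NAS or a software update will trip them, too high and a slow-scanning bot slips under.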

🔒 Pro insight: The rapid adaptation of Mirai variants indicates a need for continuous monitoring and proactive defense strategies against emerging DDoS threats.

Original article: Cyber Security News · Tushar Subhra Dutta
