Mirai is a trojan that targets Linux servers and IoT devices running Linux-based firmware called Busybox, such as DVRs and internet protocol (IP) cameras. Its primary function is to join infected systems together to form a large botnet used to launch DDoS attacks. Security researchers determined that Mirai has evolved from previous DDoS trojans named Gafgyt, Lizkebab, BASHLITE, Bash0day, Bashdoor, and Torlus. Mirai targets a specific set of platforms including: ARM, ARM7, MIPS, PPC, SH4, SPARC, and x86. This trojan is distributed via brute-force attacks on the Telnet port (TCP 23) using a list of default credentials to gain access. Once infected, Mirai contacts its C2 server and awaits the command to either begin a DDoS attack or to launch a brute-force attack in order to propagate itself to other vulnerable devices.


  • September 2016: Mirai DDoS trojan is poised to be the next big threat to Linux servers and IoT devices. (Softpedia)
Trojan VariantsNJCCICMirai