Mirai Malware Evolves into Hundreds of Variants Driving Botnet Growth
Mirai malware evolves into 116+ variants, driving 24% botnet C2 server surge globally.
Summary
Mirai malware has fragmented into over 116 branches across 21,000+ samples, spawning variants like Aisuru, KimWolf, and Satori that target IoT devices and Android systems. Botnet command-and-control server activity increased 24% in the second half of 2025, with the US now hosting more C2 infrastructure than China. Recent attacks attributed to Aisuru-KimWolf reached record scale (31.4 Tbps DDoS), though the US DOJ has disrupted several botnet networks.
Full text
Mirai malware evolves into hundreds of variants, driving botnet growth, including Aisuru and KimWolf, powering large-scale attacks, and increasing risks to vulnerable IoT devices worldwide.

By Deeba Ahmed, March 25, 2026 (2 minute read)

The internet connects our homes and offices, but researchers at Pulsedive and Spamhaus have found that this connectivity is increasingly being turned against us. Recent data reveals a worrying trend: the number of servers used to control botnets (large networks of infected devices) jumped by 24% in the last half of 2025.

For your information, a botnet is a network of malware-infected computers (bots) controlled by hackers and used to carry out DDoS attacks that take websites down or to steal private data.

According to Pulsedive’s research, the United States has recently overtaken China as the primary hub for these control centres, with over 21,000 servers active by the end of 2025.

“Botnet activity has surged over the last year, with Spamhaus noting 26% and 24% increases in the two six-month periods Jan – Jun 2025 and Jul – Dec 2025, respectively. This increase is associated with bots and nodes appearing in the United States,” Pulsedive’s blog post reads.

[Figure: Top locations for botnet C2s. (Source: Spamhaus)]

The Evolution of Mirai

Much of this surge comes from the infamous Mirai malware, which was first identified in 2016 and scans for IoT devices like home routers and cameras running on ARC processors, a common component in these devices that often lacks proper security. Because the code for Mirai was leaked years ago, many different versions have appeared, and there are now “116 different branches from over 21,000 samples” of this software, the report reveals. One notorious version, Satori, infected over 260,000 routers by exploiting a flaw in D-Link DSL-2750B devices.
Another variant, KimWolf, targets Android systems, including mobile phones and Smart TVs. These botnets are now a business; the people running them sell access to infected devices on apps like Discord or Telegram. Other botnets known to be using Mirai malware include Aisuru, Tiny Mantis, Murdoc_Botnet, Lzrd, and Resgod. These “for-hire” services allow almost anyone to launch an attack if they are willing to pay.

[Figure: The many variants of Mirai (Source: Pulsedive)]

Record-Breaking Attacks Reported

The power of these networks is truly mind-blowing. A group known as Aisuru-KimWolf was recently linked to the largest digital attacks ever seen, including a “31.4 Terabit-per-second attack” and a flood of 14.1 billion packets per second. These attacks are particularly difficult to stop because they “randomize packet characteristics” to hide from security tools, the Pulsedive Threat Research report reveals.

Criminals often use residential proxies like IPIDEA to mask their activity behind the internet addresses of regular homeowners. When authorities try to shut them down, the criminals adapt. After Google and others took down some of their infrastructure, KimWolf reportedly moved to The Invisible Project (I2P), a hidden network designed to evade detection.

However, authorities are fighting back. Just last week, the US Department of Justice announced that it had disrupted several botnet networks, including Aisuru, KimWolf, JackSkid, and Mossad. The threat remains for devices using default credentials, so changing factory passwords immediately and keeping all your tech updated is essential to staying safe.

Deeba Ahmed
Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
Indicators of Compromise
- malware — Mirai
- malware — Satori
- malware — KimWolf
- malware — Aisuru
- malware — Tiny Mantis
- malware — Murdoc_Botnet
- malware — Lzrd
- malware — Resgod
- malware — JackSkid
- malware — Mossad