{
	"id": "2dd4115a-3e65-473b-839b-04646890a3fc",
	"created_at": "2026-04-06T00:12:48.94446Z",
	"updated_at": "2026-04-10T03:20:49.311638Z",
	"deleted_at": null,
	"sha1_hash": "64a0c3e739fdffbb3546567bfb82448d84d6a969",
	"title": "Mirai Malware for Linux Double Down on Stronger Chips | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1974074,
	"plain_text": "Mirai Malware for Linux Double Down on Stronger Chips | CrowdStrike\r\nBy Vlad Ciuleanu\r\nArchived: 2026-04-05 19:52:47 UTC\r\nAccording to CrowdStrike research, Mirai malware variants compiled for Intel-powered Linux systems double (101%) in Q1 2022 compared to Q1 2021\r\nMirai malware variants that targeted 32-bit x86 processors increased the most (120% in Q1 2022 vs. Q1 2021)\r\nMirai malware is used to compromise internet-connected devices, amass them into botnets and use their collective power to conduct denial of service attacks\r\nMirai variants continuously evolve to exploit unpatched vulnerabilities to expand their attack surface\r\nPopular for compromising internet-connected devices and conducting distributed denial of service (DDoS) attacks, Mirai malware variants have been known to compromise devices that run on Linux builds ranging from mobile and Internet of Things (IoT) devices to cloud infrastructures.\r\nAccording to internal and open-source data analyzed by the CrowdStrike malware research team, while the ARM CPU architecture (used in most mobile and IoT devices) remains the most prevalent among Mirai variants, the number of 32-bit x86 Mirai variants (used on Linux servers and networking equipment) increased by 120% in Q1 2022 compared to Q1 2021. ARM-compiled variants increased by only 10% during the same timespan. On average, the number of Mirai variants compiled for both 32- and 64-bit x86 CPU architectures has increased by 101% during the same timespan.\r\nFrom a malware developer perspective, focusing on compiling variants for the x86 monoculture rather than all of the CPU architectures used by Linux-running IoT devices likely involves less effort from a code maintenance standpoint, while expanding the attack surface to include Linux-running devices with more computing power.\r\nhttps://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/\r\nPage 1 of 7\r\nFigure 1. Mirai variants distribution based on builds compiled for specific CPU architectures (Q1 2021 vs Q1 2022)\r\nWhy Linux Botnets?\r\nThe Linux operating system powers most of the world’s data centers, web servers and cloud services, and also a wide range of network, mobile and IoT devices. Regardless of the CPU architecture powering these devices, their sheer volume creates a very large attack surface for threats and cybercriminals to amass these devices into massive botnets and use them for launching denial of service attacks. Botnets are the result of malware that automatically replicates and spreads to vulnerable devices, enabling botmasters to seize remote control over all compromised devices. The most common use for botnets, apart from performing DDoS, involves using them as proxy servers or for cryptocurrency mining; each activity is bad in its own way. For more information on how botnets work and how to protect against them, see this CrowdStrike Cybersecurity 101 page.\r\nFigure 2. Example of Centralized Client-Server botnet infrastructure\r\nMirai Is Constantly Evolving\r\nWhat's special about Mirai is that its source code and instructions on how to set up the botnet were made public in late 2016 by its developer, and traces of that original code can now be found in multiple recent Mirai variants.\r\nWhile brute-force attacks to log in to internet-connected devices remain a preferred method for spreading various Mirai variants, going for devices with high-bandwidth, low-latency internet connections and higher computing power requires new methods for compromise, moving away from smart devices to more powerful Linux-running devices. Many of the original Mirai features have made their way to existing variants, such as setting up signal-based control flow to make dynamic analysis harder; self-deleting the executable; changing the process name and the command line to avoid detection; preventing system reboot; stopping processes associated with remote administration tools like SSH and Telnet; stopping “competing” malware processes; and searching for new targets to infect. But newer variants have slightly different implementations or add new exploit capabilities to increase the attack surface. For example, whenever a new exploit becomes public, such as the recent Log4j vulnerability, it’s quickly integrated by malware developers into various Mirai variants. The Log4j logging library is used by countless applications and is not limited to applications running on a specific operating system or CPU architecture.\r\nFigure 3. Mirai variant exploiting the Log4Shell vulnerability (8d80490b35ebb3f75f568ed4a9e8a7de28254c2f7a6458b4c61888572a64197e)\r\nAs seen in Figure 3, the vulnerable application (in this case, a networking device) will load and instantiate a Java class found at the attacker's IP address and execute whatever code the attacker put in it.\r\nCrowdStrike Falcon® Protection for Linux\r\nMinimum recommendations for preventing Mirai infection on IoT devices involve using custom passwords, updated software and recent hardware, if possible.\r\nSince Linux is one of the primary operating systems for business-critical applications and infrastructures, whether on premises or in private and public clouds, it’s critical to protect these systems with a solution that provides protection and visibility across all Linux workloads, regardless of location.\r\nThe CrowdStrike Falcon® platform protects Linux workloads, including containers, whether they run in public and private clouds, on premises or in hybrid data centers. To effectively detect and protect against Mirai variants, CrowdStrike researchers continuously analyze and understand how they operate and how they continue to evolve, in order to build better automated detection capabilities.\r\nFigure 4. CrowdStrike Falcon® detects Mirai x86 upx-packed Linux sample using on-sensor machine learning (3d9487191dd4e712cbfb8f4dcf916a707f60c3fb23807d4c02fb941e216f951d)\r\nMachine learning (on sensor and in the cloud), behavior-based indicators of attack (IOAs) and custom hash blocking, all built into the Falcon platform, can help defend Linux workloads against malware and sophisticated threats, offering complete visibility and context into any attack on Linux workloads.\r\nIndicators of Compromise (IOCs)\r\nVariant | Platform | Hash | Notable features\r\nOriginal | x86 | 0a38acadeb41536f65ed89f84cc1620fb79c9b916e0d83f2db543e12fbfd0d8c | Debug symbols\r\nGreek Helios | x86 | bc5f1b69b6edfd58a56b104568cb73fe74ccefea6651b1a1bcf7613331b56597 | Modified proc killer, ends “competing” Mirai variants\r\nOriginal | x86 upx | 3d9487191dd4e712cbfb8f4dcf916a707f60c3fb23807d4c02fb941e216f951d | Upx\r\nMiori | x86-64 | 58d2db0bc8d93a30101eb87ef28c7dbf1af61ae2ebc355f6a236ab594a236f4b | Larger encrypted string table\r\nModified Satori | arm | e666e0c720387db27e23c65d6a252f79587ca1b9d1c38e96d6db13b05d5b73fa | Debug symbols, exploit for Huawei, GPON routers + jaws web server\r\n2022 log4j | arm | 3d604ebe8e0f3e65734cd41bb1469cea3727062cffc8705c634558afa1997a7a | Multiple router exploits + thinkPHP, jaws, log4j exploit\r\nCross breed | arm upx | ac13002f74249e0eab2dacb596a60323130664b8c19d938af726508fdc7500a2 | Mirai's encrypted string table, debug symbols\r\nMirai + Mozi | MIPS | 2067f740253b010d7a7b01dedee9ee897fb4255b9fc10f76f5ea9f6fd165bde6 | Upx with broken magic, p_info and padding at the end to prevent unpacking. Contains exploits for a variety of routers and web servers.\r\nCross-breed | x86-64 upx | d1a71eed917cc23729f04fb6fb630209878419aef404ebe940dea8eccaac68de | Minimalist main, uses Mirai's killer, gafgyt's tables, functions broken into pieces, heavily modified control flow\r\nAdditional Resources\r\nRead more about the increase in malware targeting Linux-based operating systems in this blog: Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent.\r\nRead this press release about CrowdStrike Falcon®’s enhanced Linux protection.\r\nFind out how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers, data and identities.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/"
	],
	"report_names": [
		"linux-mirai-malware-double-on-stronger-chips"
	],
	"threat_actors": [],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64a0c3e739fdffbb3546567bfb82448d84d6a969.pdf",
		"text": "https://archive.orkl.eu/64a0c3e739fdffbb3546567bfb82448d84d6a969.txt",
		"img": "https://archive.orkl.eu/64a0c3e739fdffbb3546567bfb82448d84d6a969.jpg"
	}
}