Introduction
Mirai-based botnets have evolved from simple IoT malware into large-scale Distributed Denial of Service (DDoS) and proxy abuse platforms. They now underpin record-breaking attacks and stealthy cybercrime operations.
Growth in C2 Servers
Between July and December 2025, over 21,000 Command-and-Control (C2) servers were observed. There has been a notable shift towards abusing bots as residential proxies alongside traditional DDoS use.
Larger DDoS Campaigns
The growth in botnet activity coincided with larger DDoS campaigns. Cloudflare’s Q4 2025 data highlights several “hyper-volumetric” attacks, including a 31.4 terabits per second (Tbps) incident attributed to the Aisuru-Kimwolf botnet family.
Mirai Framework
Mirai was first seen in 2016 and targets internet-connected devices that run lightweight Linux and use default or weak credentials. Once compromised, these IoT systems are enrolled into a botnet capable of performing high-volume UDP, TCP, and application-layer floods against chosen targets.
Derivatives and Variants
The public release of Mirai’s source code led to an explosion of variants and
