Mirai malware has spawned 116 variants, fueling a 24% surge in botnet servers—with the US now the top hub. Learn about record 31.4 Tbps attacks and how to stay safe.

Continue reading
Botnet activity surged by 24% in the second half of 2025, driven by an explosion of Mirai malware variants that now number 116 distinct branches derived from over 21,000 samples. The United States has overtaken China as the primary host for botnet command‑and‑control (C2) servers, with more than 21,000 active servers located on US soil by the end of the year, according to fresh data from researchers at Pulsedive and Spamhaus.
The findings paint a picture of a threat that has evolved from a single 2016 IoT worm into a sprawling, commoditization criminal industry—capable of launching the largest distributed denial‑of‑service (DDoS) attacks ever recorded.
> “Botnet activity has surged over the last year, with Spamhaus noting 26% and 24% increases in the two six‑month periods … associated with bots and nodes appearing in the United States.” > — Threat Research
Mirai first emerged in 2016, scanning for IoT devices—routers, cameras, and smart appliances—that relied on ARC processors and were protected only by factory‑default credentials. When its source code was leaked, it became a blueprint for countless adversaries.
Today, that blueprint has yielded:
Each variant introduces new targets, evasion methods, or monetization strategies, turning the original malware into a persistent, adaptable threat.
The botnets built on these variants have achieved staggering scale. A group known as Aisuru‑Kimwolf was tied to what are believed to be the largest DDoS attacks ever seen:
To evade detection, attackers now:
When authorities or tech companies dismantle their C2 servers, the groups quickly adapt. After Google and others disrupted parts of KimWolf’s infrastructure, operators migrated to The Invisible Project (I2P) —a dark‑net layer designed to resist surveillance and takedown attempts.
The ecosystem has professionalized. Operators sell access to their infected device networks—often branded as “stresser” or “booter” services—directly on Discord and Telegram. This commoditization allows anyone to rent DDoS firepower by the hour, lowering the barrier to entry for cyberattacks.
Despite the scale, authorities are mounting counter‑operations. Just last week, the US Department of Justice announced the disruption of several major botnet networks, including:
These takedowns signal increased pressure, but they do not eliminate the root vulnerability that makes Mirai so persistent.
For all the sophistication of modern Mirai variants, the primary entry point remains the same as in 2016: default usernames and passwords on IoT devices. Researchers emphasize that until users change factory credentials and apply firmware updates, the botnet economy will continue to regenerate.
> “Changing factory passwords immediately and keeping all your tech updated is essential to staying safe.” > — Threat Research
Mirai’s evolution from a single 2016 worm to a sprawling family of 116 variants—fueling a 24% surge in botnet servers and record‑breaking attacks—illustrates how leaked code can birth a lasting cybercriminal economy. With the United States now the top host for command‑and‑control infrastructure, the threat is geographically closer than ever. Yet the most effective defense remains the simplest: replace default credentials and update devices promptly.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation