How the Mirai Botnet Took Down the Internet
Read Time 10 mins | 10 Feb 2026 | Written by: Nur Rachmi Latifa
The Mirai Botnet is one of the most infamous pieces of malware in the history of the Internet. More than just a single attack or a single strain of malicious code, Mirai represents a turning point in how cybercriminals weaponize everyday devices such as routers, cameras, and other Internet of Things (IoT) hardware to disrupt global connectivity at an unprecedented scale. From the landmark 2016 attack that shook the foundations of the Internet’s infrastructure to modern variants like Murdoc that continue to exploit vulnerable IoT devices across Asia, Europe, and the Americas, Mirai remains a constant and evolving threat.
Understanding the Mirai Botnet
At its core, the Mirai Botnet is a piece of malware built to quietly take over Internet-connected devices such as home routers, IP cameras, and other IoT equipment. Once infected, these devices stop being “smart” tools for their owners and instead become obedient bots controlled remotely by attackers. Through centralized command-and-control (C2) servers, thousands of compromised devices can be instructed to act together, most commonly to launch massive distributed denial-of-service (DDoS) attacks that overwhelm online services and networks.
What truly set Mirai apart from earlier botnets was not just how it was coded, but where it looked for victims. Instead of targeting laptops or enterprise servers with traditional malware techniques, Mirai aggressively scanned the Internet for IoT devices that were poorly secured. Many of these devices were deployed with default usernames and passwords, outdated firmware, or exposed management interfaces. Mirai took advantage of this widespread neglect, turning basic configuration mistakes into an entry point for large-scale cyber attacks.
Once a device was infected, it typically showed no obvious signs of compromise. The malware ran quietly in the background, often residing only in memory, waiting for instructions. Individually, each device contributed only a small amount of traffic, but together they formed a powerful botnet capable of flooding targets with enormous volumes of data. This silent accumulation of compromised devices is what made Mirai so dangerous—and why it was able to disrupt major parts of the Internet without most device owners ever realizing their role in the attack.
Why IoT Devices Are the Perfect Weapon
IoT devices are everywhere, embedded into homes, offices, factories, and public infrastructure. Home routers, IP cameras, smart TVs, and network appliances are designed to stay permanently connected to the Internet, often operating quietly without direct user interaction. Unfortunately, convenience is frequently prioritized over security. Many of these devices ship with weak default configurations, lack proper security hardening, and receive little to no firmware updates after deployment, leaving them exposed for years.
The Mirai Botnet exploited this widespread weakness by automating the discovery and compromise of vulnerable IoT devices at massive scale. Instead of targeting a few high-value systems, Mirai focused on quantity—searching relentlessly across the Internet for devices that were easy to break into. Once access was gained, the malware installed itself in a lightweight and stealthy manner, allowing the infected device to remain functional while secretly serving the attacker. Mirai typically compromised devices using the following techniques:
- Scanning the Internet for exposed IoT devices with open management ports
- Attempting logins using well-known default or weak credentials
- Exploiting remote code execution (RCE) vulnerabilities in unpatched firmware
- Deploying lightweight, in-memory malware to reduce detection and persistence
Because these IoT devices are always online and geographically distributed across countless networks, they are ideal for launching large-scale DDoS attacks. Individually, each device generates only modest traffic, but when thousands act in unison, they can overwhelm even large organizations and critical Internet infrastructure with sheer volume alone.
The 2016 Attack That Changed the Internet
In October 2016, the Mirai Botnet stepped into the global spotlight after being used to attack Dyn, one of the most important DNS service providers in the United States. At the time, Dyn played a critical role in translating domain names into IP addresses for thousands of major websites and online services. When Mirai-directed traffic began overwhelming Dyn’s systems, it exposed a dangerous truth: disrupting a single piece of Internet infrastructure could have far-reaching, global consequences.
By unleashing enormous volumes of malicious traffic from tens of thousands of compromised IoT devices, the Mirai Botnet effectively clogged Dyn’s DNS infrastructure. As a result, many well-known websites suddenly became unreachable—not because their own servers were attacked, but because users could no longer resolve their domain names. To everyday Internet users, it felt as if large parts of the Internet had simply vanished, highlighting how dependent modern digital life is on a few critical but often invisible services.
For many people, this incident was a wake-up call. It was the first time they experienced a widespread Internet outage caused not by technical failure or human error, but by insecure consumer devices being weaponized at scale. The 2016 Mirai attack fundamentally changed how organizations, governments, and security professionals viewed IoT security, DDoS resilience, and the fragile interconnectedness of the Internet itself.
The Source Code Leak That Fueled an Ecosystem
Earlier in 2016, the creator of Mirai made a decision that would permanently change the threat landscape: the Mirai source code was released publicly. What might have started as a single malware project instantly became accessible to anyone with basic programming skills and malicious intent. This single leak transformed Mirai from a one-time botnet into a reusable blueprint for large-scale Internet disruption.
After the source code became public, cybercriminals and opportunistic actors began modifying it to suit their own goals. New Mirai-based variants quickly appeared, each tweaked to exploit newly discovered vulnerabilities, target different brands of IoT devices, or improve attack efficiency. Some variants focused on routers, others on cameras or network appliances, while many added new DDoS techniques or stealthier execution methods. Although their internal mechanics evolved, many retained the Mirai name, signaling their shared origin.
This open availability ensured that Mirai would never truly fade away. Even as individual botnets were dismantled, new versions continued to emerge, built on the same foundation. The source code leak turned Mirai into an ecosystem rather than a single threat—one that continues to adapt alongside the Internet itself, long after the original malware was first deployed.
Modern Mirai Variants: The Murdoc Botnet
Recent security research shows that Mirai is far from a historical threat—it remains highly active and increasingly sophisticated. One notable example is the Murdoc botnet, uncovered during investigations into large-scale IoT compromise campaigns. Murdoc demonstrates how attackers continue to refine Mirai’s original techniques while expanding its reach to new devices and regions, keeping the botnet ecosystem alive and dangerous.
Murdoc is a Mirai-based variant that specifically targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, both of which are widely deployed in homes and small businesses. Instead of relying on a single infection method, Murdoc uses a flexible, multi-step attack chain designed to maximize its success rate and evade detection. The typical infection process includes:
- Exploiting known vulnerabilities or weak credentials on exposed IoT devices
- Executing shell scripts directly on the compromised device to prepare the environment
- Downloading and executing an ELF-based Mirai variant tailored to the device architecture
- Connecting to one of many distributed command-and-control (C2) servers to receive instructions
In this campaign alone, researchers identified more than 100 distinct sets of C2 servers, highlighting just how decentralized and resilient modern Mirai botnets have become. Most of the infected devices were concentrated in Malaysia, with additional infections observed in Thailand, Indonesia, Mexico, and other regions—showing that Murdoc, like Mirai itself, is a truly global threat that thrives on insecure IoT deployments worldwide.
Fileless Execution: A Stealthy Evolution
One of the most concerning aspects of modern Mirai variants is their increasing use of fileless techniques. Rather than leaving malware binaries on disk, these botnets execute payloads directly in memory. This approach provides several advantages to attackers:
- Reduced forensic evidence on the device
- Lower chance of detection by basic security tools
- Faster reinfection after reboot
In many cases, once the malware is executed, it removes itself from the file system while remaining active in memory, making detection and cleanup significantly harder.
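The self-deletion described above leaves one trace on a Linux device: the kernel marks the `/proc/<pid>/exe` link of a running process as "(deleted)" once its binary is unlinked. The following check is an added example, not code from the original article; it assumes a Linux host or gateway where Python is available and enough privilege to read other processes' `/proc` entries.

```python
import os

DELETED_SUFFIX = " (deleted)"  # appended by the Linux kernel to unlinked exe targets


def find_deleted_exe_processes(proc_root="/proc"):
    """Return sorted (pid, kind, path) tuples for processes whose binary is gone from disk.

    kind is "memfd" when the code was loaded from an anonymous in-memory file,
    otherwise "unlinked" (a normal file that was deleted after it started).
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip non-process entries such as "self"
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # Kernel threads have no exe link; others may have exited or need root.
            continue
        if not target.endswith(DELETED_SUFFIX):
            continue
        path = target[: -len(DELETED_SUFFIX)]
        kind = "memfd" if path.startswith("/memfd:") else "unlinked"
        findings.append((int(entry), kind, path))
    return sorted(findings)


def read_cmdline(pid, proc_root="/proc"):
    """Best-effort command line for triage; empty string if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        return ""


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        for pid, kind, path in find_deleted_exe_processes():
            print(f"pid={pid} kind={kind} exe={path} cmdline={read_cmdline(pid)!r}")
```

A hit is a lead, not a verdict: a legitimate service whose binary was replaced by a package upgrade shows the same marker until it is restarted.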
End-of-Year DDoS Campaigns and Global Impact
Between late December 2024 and early January 2025, security researchers documented a new wave of large-scale IoT-based DDoS attacks involving Mirai and Bashlite (also known as Gafgyt) malware. These campaigns highlighted how attackers often take advantage of holiday periods, when monitoring and response teams may be reduced, to launch high-impact attacks with minimal resistance.
The attacks targeted organizations across Japan, the United States, Russia, and multiple European countries. Most of the compromised devices were wireless routers from manufacturers such as TP-Link and Zyxel, which were abused to generate different types of DDoS traffic. In addition to direct attacks, many infected devices were repurposed as SOCKS proxy servers, supporting underground proxy services that help cybercriminals hide the origin of malicious traffic and enable further criminal activities.
Record-Breaking DDoS Attacks
The scale and intensity of Mirai-based attacks have continued to escalate, reaching levels that were once considered impossible. In one of the most striking examples, Cloudflare disclosed that a Mirai-variant botnet was responsible for a 5.6 terabits-per-second UDP DDoS attack—the largest ever recorded, setting a new benchmark for attack capacity on the Internet.
The attack originated from more than 13,000 compromised IoT devices and targeted an Internet service provider in Eastern Asia. Although the assault lasted only 80 seconds, the sheer volume of traffic demonstrated how devastating IoT botnets can be when coordinated at scale. While Cloudflare’s distributed defense systems were able to mitigate the attack without noticeable downtime, the incident served as a stark reminder that not every organization has the infrastructure needed to withstand attacks of this magnitude.
How Mirai Botnets Bring Down the Internet
Mirai botnets do not damage Internet infrastructure in a physical sense. Instead, they overwhelm it logically by abusing the way online services are designed to handle traffic. By coordinating tens of thousands of compromised IoT devices at the same time, attackers can generate traffic volumes that far exceed what networks, servers, or DNS providers are built to absorb under normal conditions. When a Mirai botnet launches an attack, the sudden surge of malicious requests creates widespread disruption, including:
- Website outages, making popular platforms unreachable
- Disrupted online services, such as email, cloud apps, and APIs
- Network congestion across regions, slowing down unrelated traffic
- Collateral damage to unrelated services that share the same infrastructure
When critical Internet services like DNS providers or Internet service providers (ISPs) are affected, the impact ripples outward, causing failures far beyond the original target and exposing how interconnected and fragile the Internet truly is.
Why Mirai Is Still a Threat Today
Despite years of public awareness and repeated high-profile incidents, Mirai remains effective because the underlying security problem has never been fully addressed. Millions of IoT devices are still deployed with minimal protection, often remaining online for years without meaningful maintenance or security updates. Many of these devices continue to suffer from the same weaknesses Mirai exploited nearly a decade ago:
- Default or weak passwords that are never changed
- Outdated firmware with known vulnerabilities
- Exposed management interfaces accessible from the Internet
- Unpatched security flaws that attackers can easily exploit
As long as insecure IoT devices remain connected to the Internet, botnets like Mirai will continue to find new hosts, ensuring that the threat never truly goes away.
The Human Factor Behind IoT Insecurity
Technical vulnerabilities alone do not explain the persistence of Mirai botnets. Human behavior plays a critical role in keeping these botnets alive and effective. Many IoT devices are installed once and then forgotten, with little consideration given to long-term security. In practice, users often:
- Skip firmware updates due to inconvenience or lack of awareness
- Ignore security advisories from manufacturers or ISPs
- Reuse passwords across multiple devices and services
- Deploy devices without changing default settings
Manufacturers also share responsibility by shipping products with insecure defaults and offering limited long-term support. This combination of human habits and weak design choices creates an environment where Mirai-like botnets can thrive.
Lessons Learned from the Mirai Botnet
The Mirai Botnet forced the Internet community to confront uncomfortable realities about security at scale. Its success was not due to advanced exploits alone, but to systemic weaknesses that had been ignored for years. Some of the most important lessons include:
- The Internet is only as strong as its weakest devices
- IoT security is not optional; it is foundational
- Source code leaks can create long-lasting threat ecosystems
- DDoS attacks can scale faster than traditional defenses
These lessons continue to influence how organizations design networks, assess risk, and prioritize resilience in an increasingly connected world.
Defending Against Mirai-Style Attacks
Eliminating Mirai entirely is unrealistic, but organizations and individuals can significantly reduce their exposure by addressing basic security hygiene. Small improvements at scale can dramatically limit the number of devices available for abuse. Key defensive measures include:
- Changing default credentials on all IoT devices
- Regularly updating firmware to patch known vulnerabilities
- Disabling unnecessary remote access and management services
- Monitoring outbound traffic for anomalies that indicate compromise
- Segmenting IoT devices from critical networks
At the Internet infrastructure level, distributed DDoS mitigation, traffic scrubbing, and resilient network design remain essential. Together, these defenses help ensure that even when Mirai-style attacks occur, their impact can be contained rather than allowed to cascade across the Internet.
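One way to implement the outbound-traffic monitoring listed above is to flag IoT hosts that suddenly contact many distinct outside addresses on Telnet ports, the pattern an infected device produces when it scans for new victims. This is an added example, not code from the original article. The flow-log format, the subnet, the thresholds, and the sample flows are all constructed assumptions, and the port set (23 and 2323) comes from published analyses of Mirai's scanner rather than from this page.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("192.168.50.0/24")  # assumption: subnet holding the IoT devices
TELNET_PORTS = {23, 2323}      # assumption: Telnet ports probed by Mirai's published scanner
WINDOW_SECONDS = 60            # assumption: sliding window length
MAX_DISTINCT_TARGETS = 20      # assumption: tune to the network's normal behaviour

def find_scanning_devices(flow_lines):
    """Flag IoT hosts contacting many distinct outside hosts on Telnet ports.
    Lines use a constructed format: "<epoch> <src_ip> <dst_ip> <dst_port>".
    Returns {src_ip: peak distinct targets seen inside one window}."""
    events = defaultdict(list)
    for line in flow_lines:
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        src, dst = ip_address(src), ip_address(dst)
        if src in IOT_SEGMENT and dst not in IOT_SEGMENT and int(port) in TELNET_PORTS:
            events[src].append((int(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        in_window = defaultdict(int)   # destination -> connections inside the window
        start = peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            while evs[start][0] <= ts - WINDOW_SECONDS:   # expire events older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > MAX_DISTINCT_TARGETS:
            flagged[str(src)] = peak
    return flagged

def constructed_sample():
    """Constructed flows: one camera sweeping 30 hosts, one device behaving normally."""
    sweep = [f"{1000 + i} 192.168.50.23 198.51.100.{i + 1} 23" for i in range(30)]
    normal = ["1005 192.168.50.10 203.0.113.7 443", "1010 192.168.50.10 203.0.113.9 23"]
    return sweep + normal

if __name__ == "__main__":
    print(find_scanning_devices(constructed_sample()))
```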
The Future of Mirai and the Internet
Mirai is no longer just a piece of malware—it has become a blueprint for how large-scale IoT botnets are built and operated. Its techniques for scanning, compromising, and coordinating massive numbers of devices have influenced countless other botnets and attack frameworks, many of which extend beyond DDoS into areas such as proxy abuse, credential harvesting, and traffic anonymization. In this sense, Mirai’s legacy lives on through the methods it popularized, even when the original code is no longer used directly.
As the Internet continues to expand with billions of connected devices, the overall risk landscape grows alongside it. Smart homes, industrial IoT, and connected infrastructure all increase the potential attack surface. Without stronger security standards, better user awareness, and more responsible manufacturing practices, Mirai-like botnets will continue to emerge, evolve, and threaten the stability of the Internet—turning everyday devices into silent participants in the next generation of large-scale cyber attacks.
Conclusion
The story of how the Mirai Botnet took down the Internet is not just about a single attack or a single piece of malware. It is about systemic insecurity, rapid technological adoption, and the unintended consequences of connecting everything to the Internet. From the 2016 Dyn outage to modern Murdoc and Bashlite campaigns, Mirai has proven that small, insecure devices can have massive global impact. Understanding this threat is the first step toward building a more resilient and secure Internet for the future. As long as insecure IoT devices remain online, the Mirai Botnet and its many descendants will remain a constant shadow over the Internet.
