Mirai 'Okiru' botnet targets billions of ARC-based IoT devices
Researchers suggest the variant could 'change the landscape of Linux IoT infection'

A new variant of the Mirai malware attacking IoT devices using ARC-based processors has been discovered, considered to be the first of its kind with billions of potential targets.
The malware, known as 'Mirai Okiru', is thought to be a variant of the infamous Mirai botnet that hijacked hundreds of thousands of internet-enabled devices in 2016. Github, Twitter, Reddit, Netflix, Airbnb and others were taken down during the campaign, as well as DNS provider Dyn and services used by institutions such as Rutgers University.
Researchers at white hat security group MalwareMustDie, the same collective that first identified the Mirai malware, believe the variant has been specifically designed to attack devices using Argonaut RISC Core (ARC) embedded processors, shipped in more than 1.5 billion IoT devices each year.
An independent security researcher known as Odisseus on Twitter, who first raised the alarm to the new variant, said that the discovery would "change the landscape of Linux IoT infection".
What's particularly concerning is that it's thought to be the first of its kind to target ARC-embedded products, such as smart devices for use in the car or the home, infecting a range of devices previously considered immune.
It's the latest attempt to create an altered version of the highly disruptive Mirai malware, the source code for which was released publicly online in 2016.
Last month hackers released the code for a separate Mirai variant known as Satori, which was used to exploit a zero-day vulnerability in a Huawei router model, infecting more than 280,000 devices in 12 hours.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
It's not entirely clear how many devices are currently affected by the Okiru strain. Currently, only 20 of 58 leading antivirus suites are able to block the Okiru variant, according to VirusTotal, with tools such as Malwarebytes, Bitdefender, Webroot, and Microsoft's own scanners unable to detect the malware.
Barry Shteiman, director of threat research at Exabeam, said that the discovery should help analysts understand just how quickly IoT devices can be infected.
"There are likely more than 1.5 billion devices out there with ARC processors, enough to overwhelm the largest of networks," said Shteiman. "The best way to illuminate this attack risk is to monitor the behaviour of IoT devices in much the same way as actual human users. If you can't directly protect and manage the devices on your network, you must understand what normal behaviour for the devices looks like; then it's possible to get an early indication of when a device has been highjacked by hackers and is likely being used for malicious means."
Last month, three hackers in their early 20s admitted to being behind the original Mirai malware following an FBI investigation.
Picture: Shutterstock
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.
-
Why are many men in tech blind to the gender divide?
In-depth From bias to better recognition, male allies in tech must challenge the status quo to advance gender equality
By Keri Allan
-
BenQ PD3226G monitor review
Reviews This 32-inch monitor aims to provide the best of all possible worlds – 4K resolution, 144Hz refresh rate and pro-class color accuracy – and it mostly succeeds
By Sasha Muller
-
UK crime fighters wrangle “several thousand” potential cyber criminals in DDoS-for-hire honeypot
News The sting follows a recent crackdown on DDoS-for-hire services globally
By Ross Kelly
-
US begins seizure of 48 DDoS-for-hire services following global investigation
News Six people have been arrested who allegedly oversaw computer attacks launched using booters
By Zach Marzouk
-
Will triple extortion ransomware truly take off?
In-depth Operators are now launching attacks with three extortion layers, but there are limitations to this model
By Connor Jones
-
GoDaddy web hosting review
Reviews GoDaddy web hosting is backed by competitive prices and a beginner-friendly dashboard, and while popular, beware of hidden prices
By Daniel Blechynden
-
Japan investigates potential Russian Killnet cyber attacks
News The hacker group has said it’s revolting against the country’s militarism and that it’s “kicking the samurai”
By Zach Marzouk
-
LockBit hacking group to be 'more aggressive' after falling victim to large-scale DDoS attack
News The ransomware group is currently embroiled in a battle after it leaked data belonging to cyber security company Entrust
By Connor Jones
-
Record for the largest ever HTTPS DDoS attack smashed once again
News The DDoS attack lasted 69 minutes and surpassed the previous record of 26 million RPS
By Praharsha Anand
-
Cloudflare unveils new One Partner Program with zero trust at its core
News Cloudflare CEO Matthew Prince says the initiative aims to take the complexity out of zero trust architecture
By Daniel Todd