Since then, many variants of Mirai have been observed, as attackers take the original codebase and add new exploits and functionality to it.
The first variant that exploits the Wazuh vulnerability downloads a malicious shell script that can download the Mirai payload for various CPU architectures. The Mirai variant contains the name “morte” and used command-and-control (C2) domains previously associated with a Windows-based RAT and several other Mirai variants.
The morte botnet also contains exploits for known vulnerabilities in Hadoop YARN, TP-Link Archer AX21, and ZTE ZXV10 H108L routers. Incorporating multiple exploits for IoT devices is common for Mirai but attackers can customize them.
