Analyzing The Mirai IoT Botnet and Its Recent Variants: Satori, Mukashi, Moobot, and Sonic

📅 2025-08-03
🤖 AI Summary
This study addresses the co-evolution and rapid propagation of Mirai and its major variants (Satori, Mukashi, Moobot, Sonic). We systematically analyze 15 shared vulnerability classes—such as command injection and insufficient input validation—leveraging reverse engineering, network traffic monitoring, and infection-path modeling to construct a multi-stage behavioral infection model. For the first time, we quantitatively demonstrate empirically observed phenomena: Satori infected over 250,000 devices within 12 hours (peaking at 700,000), while Mukashi exposed over 100 million Zyxel NAS devices to compromise. We propose a novel defense framework integrating vulnerability lifecycle analysis with epidemic propagation dynamics, enabling scalable, proactive IoT botnet mitigation. This work provides both theoretical foundations and practical methodologies for countering cross-variant, coordinated attacks.

📝 Abstract
Mirai is undoubtedly one of the most significant Internet of Things (IoT) botnet attacks in history. In terms of its detrimental effects, seamless spread, and low detection rate, it surpassed its predecessors. Its developers released the source code, which triggered the development of several variants that combined the old code with newer vulnerabilities found on popular IoT devices. The prominent variants, Satori, Mukashi, Moobot, and Sonic, together target more than 15 unique known vulnerabilities discovered between 2014 and 2021. The vulnerabilities include but are not limited to improper input validation, command injections, insufficient credential protection, and out-of-bounds writes. With these new attack strategies, Satori compromised more than a quarter million devices within the first twelve hours of its release and peaked at almost 700,000 infected devices. Similarly, Mukashi made more than a hundred million Zyxel NAS devices vulnerable through its new exploits. This article reviews the attack methodologies and impacts of these variants in detail. It summarizes the common vulnerabilities targeted by these variants and analyzes the infection mechanism through vulnerability analysis. This article also provides an overview of possible defense solutions.
Problem

Research questions and friction points this paper is trying to address.

Analyzing Mirai IoT botnet and its variants' attack methods
Identifying vulnerabilities exploited by Satori, Mukashi, Moobot, Sonic
Proposing defense solutions against IoT botnet infections
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzing Mirai botnet and its variants
Targeting 15+ IoT vulnerabilities 2014-2021
Reviewing attack methods and defense solutions
Angela Famera
Department of Computer Science and Software Engineering, Miami University, USA
Ben Hilger
Department of Computer Science and Software Engineering, Miami University, USA
Suman Bhunia
Assistant Professor, Miami University - Ohio
Wireless Communication, Security
Patrick Heil
Department of Computer Science and Software Engineering, Miami University, USA