Since the discovery, theorists have been scrambling to explain Cosmic Mirai. Here are the leading hypotheses:
In late 2022, a massive Cosmic Mirai campaign dubbed "Andromeda Outbreak" targeted ASUS and Netgear routers through a known command injection vulnerability, CVE-2021-35395. Within two weeks, researchers at Unit 42 observed over 350,000 unique IPs in the botnet.
Key details from the outbreak:
The "Cosmic" lineage is not static. In 2024, researchers detected a new variant called Cosmic Mirai: Redshift, which incorporates a machine learning agent to predict which IP ranges are most likely to contain vulnerable devices based on Shodan snapshots. Instead of random scanning, Redshift uses a logistic regression model trained on six months of IoT telemetry.
We are also seeing code overlaps between Cosmic Mirai and a botnet called Stargazer, which targets satellite IoT (satIoT) devices used in agriculture and shipping container tracking. If Stargazer and Cosmic Mirai merge, we may witness the first botnet capable of hopping between terrestrial and Low Earth Orbit (LEO) satellite networks.
The "Cosmic" moniker, once metaphorical, may become literal. As humanity launches more connected devices into space—Starlink, OneWeb, lunar rovers—the attack surface extends beyond our atmosphere. A future variant of Cosmic Mirai could compromise a satellite’s ground station, then pivot to the satellite itself, reorienting its solar panels or hijacking its transponder for illicit data relay.