[13] Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them.
During this phase, the attacker tries to establish a telnet connection using predetermined username and password pairs from a list of credentials.
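As an added example (not from the original article), the default-credential login sweep described above can be spotted from the defender's side by counting distinct username/password pairs per source address within a short window. The log format, the thresholds and every sample line are constructed assumptions, modelled on a telnet honeypot that records attempted credentials.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical telnet honeypot); all lines are constructed.
SAMPLE_LOG = """\
2024-01-01T11:10:00 src=203.0.113.7 user=root pass=root result=fail
2024-01-01T11:10:02 src=203.0.113.7 user=admin pass=admin result=fail
2024-01-01T11:10:03 src=198.51.100.20 user=operator pass=Winter2023 result=fail
2024-01-01T11:10:04 src=203.0.113.7 user=admin pass=1234 result=fail
2024-01-01T11:10:06 src=203.0.113.7 user=guest pass=guest result=fail
2024-01-01T11:10:09 src=198.51.100.20 user=operator pass=Winter2023 result=fail
2024-01-01T11:10:11 src=203.0.113.7 user=root pass=12345 result=ok
2024-01-01T11:10:15 src=198.51.100.20 user=operator pass=Winter2023! result=ok
"""
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) "
                     r"pass=(?P<pw>\S*) result=(?P<res>ok|fail)$")
WINDOW = timedelta(seconds=60)   # assumed tuning values, adjust per environment
MIN_DISTINCT_PAIRS = 4

def detect_credential_sweeps(log_text):
    """Return {src: {"pairs": n, "logged_in": bool}} for sources that tried at
    least MIN_DISTINCT_PAIRS different credential pairs inside WINDOW.
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)          # src -> (timestamp, (user, password))
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # ignore malformed lines
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        q = recent[src]
        q.append((ts, (m["user"], m["pw"])))
        while ts - q[0][0] > WINDOW:     # drop attempts older than the window
            q.popleft()
        # Retyping one pair is a typo pattern; many different pairs is a sweep.
        distinct = len({pair for _, pair in q})
        if distinct >= MIN_DISTINCT_PAIRS:
            hit = findings.setdefault(src, {"pairs": 0, "logged_in": False})
            hit["pairs"] = max(hit["pairs"], distinct)
        # A successful login from an already flagged source is the urgent case.
        if src in findings and m["res"] == "ok":
            findings[src]["logged_in"] = True
    return findings

if __name__ == "__main__":
    for src, info in detect_credential_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

A source flagged with `logged_in` set means a device accepted one of the swept pairs and should be treated as compromised until its credentials are changed and it is rebooted or reimaged.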
[21] On 26 January 2018, two similar Mirai variant botnets were reported, the more heavily modified of which weaponizes the EDB 38722 D-Link router exploit to enlist further vulnerable IoT devices.
[22] In March 2018, a new variant of Mirai, dubbed "OMG", emerged with added configurations to target vulnerable IoT devices and turn them into proxy servers.
The configurations added to the Mirai code included new firewall rules that allow traffic to travel through the generated HTTP and SOCKS ports.
[23] Between May and June 2018, another variant of Mirai, dubbed "Wicked", emerged with added configurations targeting at least three additional exploits, including those affecting Netgear routers and CCTV-DVRs.
[24][25] In early July 2018 it was reported that at least thirteen versions of the Mirai malware had been detected actively infecting Linux Internet of things (IoT) devices on the Internet, and that three of them were designed to target specific vulnerabilities using exploit proofs of concept, without launching brute-force attacks against default-credential authentication.
[27] At the end of 2018, a Mirai variant dubbed "Miori" started being spread through a remote code execution vulnerability in the ThinkPHP framework, affecting versions 5.0.23 to 5.1.31.
[31] These attacks resulted in the inaccessibility of several high-profile websites, including GitHub, Twitter, Reddit, Netflix, Airbnb and many others.
[29][33] Mirai was later revealed to have been used during the DDoS attacks against Rutgers University from 2014 to 2016, which left faculty and students on campus unable to access the outside Internet for several days at a time.
Security researcher Brian Krebs later alleged the user was indeed a student at Rutgers University and that the latter interview was given in an attempt to distract investigators.
[39] At the end of November 2016, approximately 900,000 routers from Deutsche Telekom, produced by Arcadyan, crashed due to failed TR-064 exploitation attempts by a variant of Mirai, which resulted in Internet connectivity problems for the users of these devices.
Krebs stated that the likely real-life identity of Anna-senpai (named after Anna Nishikinomiya, a character from Shimoneta), the author of Mirai, was actually Paras Jha, an Indian-American who was the owner of the DDoS mitigation service company ProTraf Solutions and a student at Rutgers University.
[44] On December 13, 2017, Paras Jha, Josiah White, and Dalton Norman entered a guilty plea to crimes related to the Mirai botnet.
[47][48] Researchers later pointed to the handle "Nexus Zeta" as the author of new variants of Mirai (dubbed Okiru, Satori, Masuta and PureMasuta),[49][50][22] and on August 21, 2018, an American grand jury indicted Kenneth Currin Schuchman, 20, aka Nexus Zeta, for knowingly causing the transmission of a program, information, code, and commands, and as a result of such conduct intentionally causing damage without authorization to protected computers, according to the indictment filed in U.S. District Court in Anchorage,[51][52] followed by the arrest and trial of the suspect.