While analyzing the notorious Mirai malware, researchers discovered what they claim to be a new and sophisticated worm designed to target Internet of Things (IoT) devices.
The security research group at Boulder, CO-based Internet services company Rapidity Networks set up some honeypots in hopes of capturing a Mirai sample. However, their traps have caught what they believe to be a new IoT worm that behaves similarly to Mirai.
Since “Mirai” is the Japanese word for “future,” the company has decided to name the new piece of malware “Hajime,” which in Japanese can mean “beginning.”
The first sample was discovered by Rapidity Networks in the wild on October 5, but the timestamp of a configuration file suggests that the threat has been around since at least September 26. In addition, one of the libraries used by the malware is dated before 2013, which experts believe could indicate that Hajime has been in development for several years.
Similar to Mirai, Hajime scans the Internet in search of devices running the Telnet service and attempts to access them using a predefined list of common username and password combinations.
Unlike Mirai, which relies on command and control (C&C) servers, Hajime uses a decentralized, peer-to-peer (P2P) network to receive updates and configuration files. According to Rapidity, the worm uses BitTorrent’s DHT (Distributed Hash Tables) protocol for peer discovery and the uTorrent Transport Protocol (uTP) for data exchanges.
“For information exchange, Hajime piggybacks on BitTorrent’s DHT overlay network,” researchers explained. “To transfer files with its peers, Hajime uses the uTP implementation found in libutp. Hajime downloads files in a custom format which often contain payloads compressed with the LZ4 algorithm, and thus includes the decompression function from the LZ4 project.”
Rapidity Networks has only spotted one Hajime module in the wild, which the worm uses to spread from one device to another. The purpose of the botnet remains unclear, but experts believe it can be used for DDoS attacks, as a distribution platform for other payloads, or to steal sensitive data from other machines housed by the same network as the Hajime-infected device.
There is also the possibility that Hajime is part of a research project, similar to the “vigilante malware” named Wifatch.
Based on the number of Hajime attack attempts recorded by its honeypots, Rapidity believes the malware may have infected somewhere between 130,000 and 185,000 IoT devices.
While there are some similarities between Hajime and Mirai, there is no evidence that the two are connected. Researchers speculated that the new worm might be trying to pass off as Mirai in hopes of not drawing too much attention to itself.
It’s unclear who developed Hajime, but based on its analysis, Rapidity has concluded that the author is an individual or group familiar with the C programming language, ARM/MIPS assembly language, cryptography, network protocols and the limitations of low-memory systems.
Internal naming conventions suggest an English speaker, while timestamps show that the developers were most active in timeframes that would point to someone located in Europe.
Related: Mirai Increasingly Used for DDoS Attacks After Source Code Leak
Related: MITRE Offers $50,000 for Rogue IoT Device Detection

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
