Internet of Things security has been a persistent concern for over a decade, but 2026 has brought a sharp escalation. Threat intelligence firms are reporting a dramatic surge in IoT botnet activity, driven by the convergence of several factors: an expanding attack surface of internet-connected devices, continued neglect of firmware updates by both manufacturers and users, and increasingly sophisticated malware designed specifically for embedded systems.
The numbers are stark. An estimated 17 billion IoT devices are now connected worldwide, and security researchers estimate that a significant percentage of these run outdated firmware with known vulnerabilities. For botnet operators, this represents an enormous pool of recruitable nodes requiring minimal effort to compromise.
The Return of Mirai and Its Descendants
The Mirai botnet, which first gained notoriety in 2016 when it knocked major websites offline through a massive DDoS attack, never truly went away. Its source code was publicly released by its creators, spawning an ongoing lineage of variants that continue to evolve.
In early 2026, researchers identified at least four distinct new Mirai variants actively spreading across vulnerable devices. These variants share Mirai's core architecture of scanning for devices with default or weak credentials and exploiting known vulnerabilities in device firmware, but they incorporate significant enhancements.
Modern variants frequently include features absent from the original Mirai: encrypted command-and-control communications, modular exploit frameworks that can be updated remotely, persistence mechanisms that survive device reboots, and the ability to detect and remove competing malware to monopolize the compromised device.
One particularly concerning trend is the integration of zero-day exploits into IoT botnet malware. While Mirai traditionally relied on default credentials and well-known vulnerabilities, some 2026 variants have been observed using previously undisclosed flaws, suggesting that botnet operators are either discovering these vulnerabilities themselves or purchasing them from exploit brokers.
Smart Home Devices Under Siege
The proliferation of smart home devices has created a particularly attractive target class for botnet operators. IP cameras, smart doorbells, connected thermostats, voice assistants, and smart plugs are now commonplace in millions of homes. Many of these devices share common characteristics that make them vulnerable: minimal onboard security, infrequent or nonexistent firmware updates, and always-on internet connectivity.
IP cameras remain the most heavily targeted device category. Many models from budget manufacturers ship with hardcoded credentials, exposed management interfaces, and unencrypted video streams. Once compromised, these devices serve dual purposes for attackers: they provide DDoS firepower and, in some cases, direct access to video feeds that can be monetized on underground markets.
Smart home hubs present an additional risk. A compromised hub can serve as a pivot point into the home network, potentially exposing other devices, including computers and phones, to further attack. Researchers have documented cases where botnet malware on a smart home hub was used to intercept network traffic and harvest credentials for online accounts.
Vulnerable Device Categories
- IP cameras and video doorbells: Widely targeted due to weak default security and high availability. Many models run stripped-down Linux with known vulnerabilities.
- Consumer routers: Often running years-old firmware with unpatched vulnerabilities. Compromised routers give attackers a strategic position for traffic interception and network-wide attacks.
- Network-attached storage (NAS): Devices with significant processing power and storage, making them valuable botnet nodes and targets for ransomware.
- Smart TVs and media players: Increasingly connected devices with large attack surfaces and poor update practices.
- Industrial sensors and controllers: IoT devices in operational technology environments, where compromise can have physical consequences beyond data loss.
IoT-Powered DDoS Reaches Record Levels
The primary use of IoT botnets remains distributed denial-of-service attacks, and the scale continues to grow. DDoS mitigation providers have reported multiple attacks exceeding 3 Tbps in the first months of 2026, with IoT botnets responsible for the majority of this traffic.
Attack techniques have also evolved. While volumetric floods remain common, IoT botnets are increasingly used for application-layer attacks that are harder to mitigate. By distributing low-volume, seemingly legitimate requests across hundreds of thousands of devices, attackers can overwhelm web applications without triggering volumetric detection thresholds.
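The evasion described above works against per-source rate limiting: each bot stays under the threshold, so no single IP looks abusive. A defender can instead aggregate by request signature (method, path, user agent) per time bucket and alert when one signature draws a large volume from an unusually large number of sources while every source stays under the per-IP limit. The following is an added example, not code from the article or from any mitigation vendor; the access-log format, thresholds, and all IP addresses and log lines are constructed for illustration (the IPs come from the RFC 5737 documentation ranges).

```python
"""Spot a distributed, low-volume application-layer flood in web access logs.

Added example: per-source rate limiting misses a flood spread across many
bots, because each one sends only a couple of requests. Grouping by request
signature exposes the coordinated pattern instead.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, roughly as nginx/Apache emit it (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def clf(ip, ts, method, path, status, ua):
    """Format one constructed log line in the shape LOG_RE expects."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def make_constructed_logs():
    """Constructed traffic for one minute: 40 bots x 2 requests, a few real users,
    and one chatty but legitimate health-check client."""
    base = datetime(2026, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    bot_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
    lines = []
    for i in range(40):  # each bot sends only two requests in the minute
        ip = f"203.0.113.{i + 1}"
        for k in range(2):
            t = base + timedelta(seconds=(i * 3 + k * 20) % 60)
            lines.append(clf(ip, t, "GET", "/api/search?q=x", 200, bot_ua))
    for j in range(5):  # ordinary users browsing a few pages each
        ip = f"198.51.100.{j + 1}"
        for k, path in enumerate(["/", "/login", "/cart"]):
            t = base + timedelta(seconds=j * 7 + k * 11)
            lines.append(clf(ip, t, "GET", path, 200, f"Mozilla/5.0 user-{j}"))
    for k in range(12):  # one client polling /health every few seconds
        t = base + timedelta(seconds=k * 4)
        lines.append(clf("198.51.100.9", t, "GET", "/health", 200, "curl/8.0"))
    return lines


def per_source_offenders(records, window_s=60, limit=10):
    """Classic per-IP limiter: IPs that exceed `limit` requests in a fixed window."""
    counts = Counter((r["ip"], int(r["ts"].timestamp()) // window_s) for r in records)
    return sorted({ip for (ip, _), n in counts.items() if n > limit})


def find_distributed_floods(records, window_s=60, min_sources=20,
                            min_requests=50, per_source_limit=10):
    """Signatures that draw many requests from many sources in one window
    while no single source trips the per-IP limit (i.e. the limiter is blind)."""
    buckets = defaultdict(list)
    for r in records:
        sig = (r["method"], r["path"], r["ua"])
        buckets[(sig, int(r["ts"].timestamp()) // window_s)].append(r)
    findings = []
    for (sig, bucket), reqs in buckets.items():
        if len(reqs) < min_requests:
            continue
        per_ip = Counter(r["ip"] for r in reqs)
        if len(per_ip) >= min_sources and max(per_ip.values()) <= per_source_limit:
            findings.append({"signature": sig, "requests": len(reqs),
                             "sources": len(per_ip),
                             "max_per_source": max(per_ip.values()),
                             "window_start": datetime.fromtimestamp(
                                 bucket * window_s, tz=timezone.utc)})
    return findings


if __name__ == "__main__":
    recs = [parse_line(l) for l in make_constructed_logs()]
    print("per-IP limiter flags:", per_source_offenders(recs))
    for f in find_distributed_floods(recs):
        print("distributed flood:", f)
```

On the constructed minute the per-IP limiter flags only the health-check client, which is the one source that is not part of the flood, while the signature aggregation reports 80 requests to the same endpoint from 40 distinct sources with at most 2 requests each. In production the thresholds would be derived from the endpoint's normal source count and request rate rather than fixed constants.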
Beyond DDoS, IoT botnets are being repurposed for other activities including cryptocurrency mining, proxy services for anonymizing malicious traffic, credential stuffing campaigns, and spam distribution. The versatility of a large botnet makes it a valuable commodity in the underground economy.
The Manufacturer Accountability Gap
A fundamental challenge in IoT security is the misalignment of incentives. Device manufacturers compete primarily on features and price, with security often treated as an afterthought. Many budget IoT devices are produced by manufacturers who provide no mechanism for firmware updates, offer no security advisories, and may not even maintain a web presence where vulnerabilities could be reported.
Regulatory efforts are beginning to address this gap. The EU Cyber Resilience Act, which entered its enforcement phase in 2026, imposes security requirements on manufacturers of connected devices sold in the European market. These include mandatory vulnerability disclosure processes, security update obligations, and minimum security standards for default configurations.
In the United States, the voluntary IoT cybersecurity labeling program has gained some traction, with major retailers beginning to highlight labeled products. However, the voluntary nature of the program limits its effectiveness. Legislative proposals for mandatory IoT security standards remain under discussion but have not yet been enacted.
Even when manufacturers do release patches, the update pipeline for IoT devices remains unreliable. Many devices lack automatic update capabilities, requiring users to manually download and install firmware, a process most consumers never undertake. Devices that do support automatic updates sometimes fail to apply them due to connectivity issues, storage limitations, or compatibility problems.
Protecting Yourself and Your Network
While the systemic issues in IoT security require industry-wide solutions, individual users and organizations can take meaningful steps to reduce their exposure:
- Change default credentials immediately: Every IoT device should have its default username and password changed upon installation. Use unique, strong passwords for each device.
- Segment your network: Place IoT devices on a separate network segment, such as a guest VLAN, isolated from computers and phones that handle sensitive data. Many consumer routers support guest network features that can serve this purpose.
- Keep firmware updated: Check for firmware updates regularly and apply them promptly. Enable automatic updates where available.
- Disable unnecessary features: Turn off UPnP, remote management, and other features that are not actively needed. Each enabled feature is a potential attack surface.
- Research before purchasing: Prefer devices from manufacturers with a track record of providing security updates. Check whether the manufacturer has a vulnerability disclosure program and how long they commit to supporting the device.
- Monitor network traffic: Use network monitoring tools to identify unusual traffic patterns from IoT devices. A smart lightbulb generating significant outbound traffic is a red flag.
- Replace end-of-life devices: Devices that no longer receive security updates should be replaced or disconnected from the network entirely.
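The segmentation and monitoring steps above pay off together: once IoT devices sit on their own VLAN, their outbound flows can be baselined per device and checked for the two behaviours the article associates with botnet infection, scan-like fan-out to many hosts on one port (the credential-scanning stage of Mirai-style malware) and an egress volume far above the device's norm (the "smart lightbulb generating significant outbound traffic" case). The following is an added example, not code from the article or from any monitoring product; the flow-record shape, the 192.168.50.0/24 IoT VLAN, the thresholds, and all addresses and byte counts are constructed assumptions, with external addresses taken from the RFC 5737 documentation ranges.

```python
"""Baseline and anomaly checks over NetFlow-style records from an IoT VLAN.

Added example. A flow here is one outbound connection summary; real exports
(NetFlow/IPFIX, router syslog, Zeek conn.log) carry the same fields.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since an arbitrary epoch (constructed)
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    out_bytes: int  # bytes sent by src


IOT_PREFIX = "192.168.50."  # hypothetical IoT VLAN; adjust to your segment


def is_iot(ip):
    return ip.startswith(IOT_PREFIX)


def baseline_outbound(history, window_s=3600):
    """Median outbound bytes per window for each IoT device seen in `history`."""
    per_bucket = defaultdict(int)
    for f in history:
        if is_iot(f.src):
            per_bucket[(f.src, f.ts // window_s)] += f.out_bytes
    by_dev = defaultdict(list)
    for (src, _), total in per_bucket.items():
        by_dev[src].append(total)
    return {src: median(vals) for src, vals in by_dev.items()}


def detect(flows, baseline, fanout_threshold=50, volume_factor=10):
    """Return (device, finding, detail) triples for one observation window.

    scan_like_fanout: one device talked to >= fanout_threshold distinct hosts on
                      a single destination port (propagation-scanner behaviour).
    egress_volume_spike: outbound bytes exceed volume_factor x the device's median.
    unknown_device: no baseline exists, so the device is new or was never inventoried.
    """
    per_dev = defaultdict(list)
    for f in flows:
        if is_iot(f.src):
            per_dev[f.src].append(f)
    findings = []
    for src, fl in per_dev.items():
        by_port = defaultdict(set)
        for f in fl:
            by_port[f.dport].add(f.dst)
        for port, dsts in by_port.items():
            if len(dsts) >= fanout_threshold:
                findings.append((src, "scan_like_fanout", f"{len(dsts)} hosts on port {port}"))
        total = sum(f.out_bytes for f in fl)
        base = baseline.get(src)
        if base is None:
            findings.append((src, "unknown_device", "no baseline for this device"))
        elif total > volume_factor * base:
            findings.append((src, "egress_volume_spike", f"{total} bytes vs median {base}"))
    return findings


def make_constructed_flows():
    """24 hours of normal history plus one anomalous hour, all constructed."""
    bulb, cam, newdev, laptop = "192.168.50.10", "192.168.50.20", "192.168.50.30", "192.168.1.5"
    history = []
    for h in range(24):
        history.append(Flow(h * 3600, bulb, "203.0.113.5", 443, 2000))            # bulb: ~2 KB/hour
        history.append(Flow(h * 3600, cam, "203.0.113.6", 443, 50_000_000 + h * 1000))  # camera upload
    now = 24 * 3600
    today = [
        Flow(now + 10, bulb, "198.51.100.77", 443, 80_000_000),  # bulb suddenly uploads 80 MB
        Flow(now + 20, cam, "203.0.113.6", 443, 50_000_000),     # camera's usual upload
        Flow(now + 30, newdev, "198.51.100.1", 443, 1500),       # never-seen device
        Flow(now + 40, laptop, "198.51.100.2", 443, 5_000_000),  # not on the IoT VLAN: ignored
    ]
    for n in range(1, 61):  # camera probes 60 hosts on port 23 (telnet)
        today.append(Flow(now + 60 + n, cam, f"203.0.113.{n}", 23, 80))
    return history, today


if __name__ == "__main__":
    history, today = make_constructed_flows()
    for finding in detect(today, baseline_outbound(history)):
        print(finding)
```

The fan-out check is deliberately port-scoped: a device streaming to one cloud endpoint produces a single destination, while a propagation scanner produces dozens on the same port regardless of how little data each probe carries. The volume check compares against a per-device median rather than a global threshold, because a camera's normal upload would dwarf a lightbulb's spike under any one-size-fits-all limit.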
The IoT botnet problem is not going away. The number of connected devices continues to grow far faster than security practices improve. Until manufacturers are held to meaningful security standards and users adopt basic security hygiene for their connected devices, IoT botnets will remain a potent weapon in the attacker's arsenal. The question for defenders is not whether their network contains vulnerable IoT devices, but how many, and what they are doing about it.