Skip to content
Threat Feed
high advisory

Katana Mirai Variant Targeting Android TV Devices

Katana is a Mirai botnet variant that infects Android TV set-top boxes and compiles its own rootkit for persistence and control.

The Katana botnet is a variant of the notorious Mirai malware specifically designed to target Android TV set-top boxes. First identified in late 2025, Katana distinguishes itself from other Mirai variants by its ability to compile its own rootkit directly on infected devices. This allows the malware to achieve persistent access and evade detection more effectively. The delivery mechanism for Katana is still under investigation, but it is suspected to leverage vulnerabilities in older Android TV firmware versions or exploit weak default credentials. The primary purpose of Katana is to recruit devices into a botnet for distributed denial-of-service (DDoS) attacks and potentially other malicious activities.

Attack Chain

  1. Initial Access: The attacker exploits a vulnerability in the Android TV device's firmware or uses default credentials to gain initial access.
  2. Payload Delivery: The attacker uploads the Katana Mirai variant binary to the compromised device using wget or curl.
  3. Compilation Tools: The malware leverages pre-existing tools or downloads necessary compilation tools (e.g., gcc) to the device.
  4. Rootkit Compilation: Katana compiles its own rootkit from source code on the device. This rootkit is designed for the specific Android TV device's architecture.
  5. Persistence: The compiled rootkit is installed to ensure the malware persists across reboots and system updates. The rootkit modifies system files to auto-start the Mirai binary.
  6. Command and Control: The infected device connects to a command-and-control (C2) server to receive instructions and participate in DDoS attacks.
  7. Lateral Movement: The bot attempts to spread to other devices on the same network using known exploits or default credentials.

Impact

A successful Katana infection results in the compromised Android TV device being added to a botnet, capable of participating in DDoS attacks and other malicious activities. Infected devices may experience performance degradation, increased network traffic, and potential exposure of sensitive user data. While the exact number of victims is currently unknown, the botnet has the potential to affect a large number of users given the widespread use of Android TV devices.

Recommendation

  • Monitor network traffic for connections to known Mirai C2 servers (reference open-source threat intelligence feeds).
  • Deploy the Sigma rules provided in this brief to your SIEM to detect potential Katana infections.
  • Implement network segmentation to limit the lateral movement of compromised devices.
  • Encourage users to change default credentials on their Android TV devices and keep their firmware updated to the latest version.

Detection coverage 2

Detect Android Device Downloading Executables via Wget/Curl

high

Detects Android devices downloading executable files using wget or curl, which may indicate malware installation.

sigma tactics: initial_access techniques: T1105 sources: network_connection, linux

Detect Compilation Activity on Android

medium

Detects execution of compiler tools like gcc on Android devices, which could indicate rootkit compilation.

sigma tactics: defense_evasion techniques: T1027 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →