
Security news site DarkReading said that the hackers behind Mayday use peer-to-peer connections to deliver instructions to infected machines.
Mayday spreads itself through PDF attachments in emails, and has the ability to evade many antivirus products. The worm has reportedly amassed thousands of infections, almost entirely in the US and Canada.
DarkReading cited security firm Damballa, which suggests that Mayday could amass a larger and more powerful botnet than Storm.
Some security vendors, however, are taking a wait-and-see approach before handing Storm's botnet crown to Mayday.
Symantec researcher Brian Ewell wrote in a company blog that he has only seen limited incidences of Mayday, or Daymay as Symantec refers to it.
"It is yet to be seen how successful the Trojan will be in terms of expanding its presence," wrote Ewell.
"Of course, it is always best to practise safe computing and that includes being wary of unsolicited email attachments."