Mozi
Mozi is an IoT-focused peer-to-peer botnet and malware family, first observed in 2019, that reuses some Gafgyt code but is distinct in using a DHT-based P2P architecture similar in concept to Hajime. It targets routers, DVRs, NVRs, and other embedded Linux devices, spreading via Telnet brute-forcing with weak credentials and by exploiting known vulnerabilities in internet-exposed devices. Reported exploited weaknesses include Eir D1000 Wireless Router RCE, Vacron NVR RCE, CVE-2014-8361 (Realtek SDK), Netgear command injection flaws affecting R7000/R6400 and DGN1000 routers, JAWS Webserver command execution on MVPower DVR, CVE-2017-17215 (Huawei HG532), HNAP/UPnP command execution issues on D-Link devices, CVE-2018-10561 and CVE-2018-10562 (GPON routers), and CCTV/DVR RCE. Mozi uses infected nodes to provide malware download locations over HTTP, and can directly exploit targets or log in over Telnet, drop a downloader, and fetch the bot binary. Its configuration is protected with XOR obfuscation and ECDSA384 signature verification to preserve integrity in the untrusted P2P environment. Documented capabilities include DDoS attacks, bot information collection, downloading and executing payloads from URLs, self-update, and execution of system or custom commands. Analysis cited an ARM ELF v2 sample (MD5 eda730498b3d0a97066807a2d98909f3) and an earlier packed sample (MD5 849b165f28ae8b1cebe0c7430f44aff3). Multiple reports describe Mozi as a prevalent botnet abusing compromised routers and embedded devices, including infrastructure tracking that associated it with 9,427 unique C2 IP addresses in Chinese hosting environments, making it one of the most prevalent observed botnet deployments in those datasets. Additional reporting notes Mozi payloads being deployed by other botnet activity, including claims that Androxgh0st C2 logs showed Mozi IoT-focused payloads being used. 
Mozi is commonly discussed alongside Mirai and Gafgyt in automated campaigns targeting PHP servers, IoT devices, and cloud gateways through known vulnerabilities and misconfigurations.
Vulnerabilities exploited
10 CVEs Mallory has correlated with this family across public research and vendor advisories.
Evidence quoted from the original research that named the family (supporting the CVE-2017-17215, CVE-2018-10561, CVE-2018-10562 and CVE-2014-8361 rows):
"The sample represents a brand new P2P botnet implemented based on the DHT protocol, the last botnet which uses DHT is the Hajime, and we call it Mozi according to the characteristics of its propagation sample file name Mozi.m, Mozi.a."
"The vulnerabilities used by Mozi Botnet are shown in the following table: ... CVE-2017-17215 ... Huawei Router HG532"
"The vulnerabilities used by Mozi Botnet are shown in the following table: ... CVE-2018-10561, CVE-2018-10562 ... GPON Routers"
"The vulnerabilities used by Mozi Botnet are shown in the following table: ... CVE-2014-8361 ... Devices using the Realtek SDK"
Widely known Internet of Things device vulnerabilities including the Spring Cloud Gateway RCE, tracked as CVE-2022-22947, the TBK DVR-4104 and DVR-4216 command injection bug, tracked as CVE-2024-3721, and an MVPower DVR misconfiguration were also abused in botnet attacks.
Botnet attacks aimed at PHP servers involved the exploitation of PHPUnit, Laravel, and ThinkPHP Framework remote code execution flaws, tracked as CVE-2017-9841, CVE-2021-3129, and CVE-2022-47945, respectively.
“...most of the malware samples are from well-known malware families like Mirai, Gafgyt and Mozi.”
Groups observed using it
1 distinct threat actor attributed by public researchers.
"...alongside NETGEAR-MOZI and other router-related flaws. This pattern suggests that the actor was focused on building or expanding botnets..."
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Stealth: 3 techniques
Credential Access: 1 technique
Discovery: 3 techniques
“Aisuru rapidly compromises predictable device models… infecting thousands of devices within hours.” / “Spread: Automated scanning and exploitation of vulnerable IoT devices”
Lateral Movement: 2 techniques
Command and Control: 4 techniques
C2 Tracker is a free-to-use, community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
"Advanced URL Filtering and DNS Security can block the command and control (C2) domain and malware hosting URLs"; "The botnet client can accept the following command and control (C2) channel commands"
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family as well as other indicator types observed in public reporting.
Recent activity
24 sources tracked across advisories, community write-ups, and news.
Botnet malware observed among families associated with the mapped C2 infrastructure.
An IoT botnet associated with abuse of compromised routers and embedded devices.
A competing botnet family referenced in the malware's process-kill list, indicating anti-competition behavior against other resident botnets.
An IoT botnet referenced as 'Mozi remnants' in the context of modern Mirai-era botnet variants contributing to ongoing DDoS activity.