Mozi is a peer-to-peer (P2P) botnet, first seen in late 2019, that targets IoT devices such as routers and DVRs. It spreads by exploiting weak Telnet passwords and unpatched vulnerabilities, and it lets attackers launch DDoS attacks, exfiltrate data and execute commands on compromised devices.
Mozi evolved by combining code from known malware families such as Gafgyt, Mirai and IoT Reaper. Unlike traditional botnets that rely on centralized command-and-control (C2) servers, Mozi uses a decentralized P2P network built on the DHT protocol, which makes it harder to take down because there is no single point of failure.
IoT Traffic Impact
Between October 2019 and June 2020, Mozi accounted for 90% of IoT traffic. Its spread was helped by the rapidly growing number of IoT devices and their often poor security, such as default credentials and outdated firmware.
Recent News
In 2024, Mozi was found to have resurfaced as part of the Androxgh0st botnet, with IoT-focused payloads and exploitation of multiple vulnerabilities in Cisco ASA and Atlassian JIRA. This is a new stage in Mozi's development, and it remains a threat to IoT devices worldwide.
Disable default credentials and use strong, unique passwords on all IoT devices.
Update device firmware regularly.
Segment your network to isolate IoT devices from critical systems.
Monitor your network for unusual traffic.
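The two behaviours described above, Telnet-based spreading and DHT-style P2P command and control, both show up in network flow data as unusual fan-out from a single IoT device. The following script is an added illustration of the "watch for unusual traffic" advice; it is not code from the page's author. It runs two simple heuristics over constructed sample flow records: an IoT host opening outbound TCP/23 connections to many distinct destinations (credential spraying), and an IoT host exchanging small UDP datagrams with many distinct external peers on high ports (DHT-like peer fan-out). The IoT subnet, the internal address ranges, the thresholds and all sample addresses are assumptions for the example.

```python
"""Flag Mozi-like fan-out behaviour in IoT network flow records.

Added example, not code from the original page. Flow records are tuples of
(src, dst, proto, dport, bytes); the sample data below is constructed and
uses documentation address ranges, not real captures.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical segmented IoT VLAN and the ranges considered "internal".
IOT_SUBNET = ip_network("192.168.50.0/24")
INTERNAL_NETWORKS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Illustrative thresholds; tune to the environment before relying on them.
TELNET_FANOUT_THRESHOLD = 20   # distinct TCP/23 targets from one IoT host
DHT_PEER_THRESHOLD = 30        # distinct external UDP peers from one IoT host
DHT_MAX_BYTES = 512            # DHT messages are small; ignore bulk transfers

# Constructed sample flows: (src, dst, proto, dport, bytes).
SAMPLE_FLOWS = (
    # Host .10 sprays Telnet at 25 distinct external addresses.
    [(f"192.168.50.10", f"203.0.113.{i}", "tcp", 23, 60) for i in range(1, 26)]
    # Host .11 talks small UDP to 40 distinct external peers on high ports.
    + [(f"192.168.50.11", f"198.51.100.{i}", "udp", 6881 + i, 120) for i in range(1, 41)]
    # Host .12 behaves normally: HTTPS to one internal service.
    + [("192.168.50.12", "192.168.10.5", "tcp", 443, 4096),
       ("192.168.50.12", "192.168.10.5", "tcp", 443, 2048)]
    # A non-IoT host; outside the monitored subnet, so ignored.
    + [("192.168.10.20", "203.0.113.7", "tcp", 23, 60)]
)


def is_external(addr):
    """True when the address is outside every configured internal range."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def find_suspicious(flows, telnet_threshold=TELNET_FANOUT_THRESHOLD,
                    dht_threshold=DHT_PEER_THRESHOLD):
    """Return {iot_host: [(reason, count), ...]} for hosts exceeding a threshold."""
    telnet_targets = defaultdict(set)
    dht_peers = defaultdict(set)

    for src, dst, proto, dport, nbytes in flows:
        if ip_address(src) not in IOT_SUBNET:
            continue  # only IoT devices are in scope for these heuristics
        if proto == "tcp" and dport == 23:
            telnet_targets[src].add(dst)
        elif (proto == "udp" and dport >= 1024 and nbytes <= DHT_MAX_BYTES
              and is_external(dst)):
            dht_peers[src].add(dst)

    alerts = {}
    for host, targets in telnet_targets.items():
        if len(targets) >= telnet_threshold:
            alerts.setdefault(host, []).append(("telnet_fanout", len(targets)))
    for host, peers in dht_peers.items():
        if len(peers) >= dht_threshold:
            alerts.setdefault(host, []).append(("dht_fanout", len(peers)))
    return alerts


if __name__ == "__main__":
    for host, reasons in sorted(find_suspicious(SAMPLE_FLOWS).items()):
        for reason, count in reasons:
            print(f"{host}: {reason} ({count} distinct destinations)")
```

Fan-out by distinct destination, rather than raw packet count, is what separates this from ordinary chatter: a healthy camera or router talks to a handful of endpoints, while a device that is spraying Telnet logins or participating in a DHT contacts dozens of unrelated addresses. Feeding real NetFlow or firewall logs into the same function only requires mapping them onto the five-field tuple.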