Last seven days
- First activity
- Jul 13, 2026
- Last activity
- Jul 18, 2026
- Feed role
- Distribution
- Host form
- 125 IP / 0 hostnames
Mozi is an IoT-focused peer-to-peer botnet and malware family, first observed in 2019, that reuses some Gafgyt code but is distinct in using a DHT-based P2P architecture similar in concept to Hajime.
Profile source: Mallory opens in a new tabMozi
Mozi is an IoT-focused peer-to-peer botnet and malware family, first observed in 2019, that reuses some Gafgyt code but is distinct in using a DHT-based P2P architecture similar in concept to Hajime. It targets routers, DVRs, NVRs, and other embedded Linux devices, spreading via Telnet brute-forcing with weak credentials and by exploiting known vulnerabilities in internet-exposed devices. Reported exploited weaknesses include Eir D1000 Wireless Router RCE, Vacron NVR RCE, CVE-2014-8361 (Realtek SDK), Netgear command injection flaws affecting R7000/R6400 and DGN1000 routers, JAWS Webserver command execution on MVPower DVR, CVE-2017-17215 (Huawei HG532), HNAP/UPnP command execution issues on D-Link devices, CVE-2018-10561 and CVE-2018-10562 (GPON routers), and CCTV/DVR RCE. Mozi uses infected nodes to provide malware download locations over HTTP, and can directly exploit targets or log in over Telnet, drop a downloader, and fetch the bot binary. Its configuration is protected with XOR obfuscation and ECDSA384 signature verification to preserve integrity in the untrusted P2P environment. Documented capabilities include DDoS attacks, bot information collection, downloading and executing payloads from URLs, self-update, and execution of system or custom commands. Analysis cited an ARM ELF v2 sample (MD5 eda730498b3d0a97066807a2d98909f3) and an earlier packed sample (MD5 849b165f28ae8b1cebe0c7430f44aff3). Multiple reports describe Mozi as a prevalent botnet abusing compromised routers and embedded devices, including infrastructure tracking that associated it with 9,427 unique C2 IP addresses in Chinese hosting environments, making it one of the most prevalent observed botnet deployments in those datasets. Additional reporting notes Mozi payloads being deployed by other botnet activity, including claims that Androxgh0st C2 logs showed Mozi IoT-focused payloads being used. Mozi is commonly discussed alongside Mirai and Gafgyt in automated campaigns targeting PHP servers, IoT devices, and cloud gateways through known vulnerabilities and misconfigurations.
Samples
Reported operators
"...alongside NETGEAR-MOZI and other router-related flaws. This pattern suggests that the actor was focused on building or expanding botnets..."
Exploited software
MITRE ATT&CK
Reporting
Families observed in the dataset include Cobalt Strike, AsyncRAT, Mirai, Sliver, Mozi, Hajime, Tactical RMM, and Gophish.
Hajime, an IoT-focused botnet, follows with 191 C2 servers, while Mozi and Mirai reflect ongoing abuse of compromised routers and embedded devices.
The bot also actively kills competing botnet processes: mirai. sora. bot. dark. hilix. rakitin. neon. owari. aqua. boatnet. mozi.
Mirai and modern variants (e.g., Satori, Mozi remnants, Katana)
"Additional findings showed that the Mozi botnet was the most prevalently deployed using the C2 network with 9,427 unique IP addresses..."
Mozi botnet dominates with 9,427 unique C2 IP addresses, representing more than half of all observed command-and-control activity.
"Automated Mirai, Mozi, and Gafgyt botnet intrusions have significantly increased..."
"...these attacks are driven by botnets such as Mirai, Gafgyt, and Mozi."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.