Skip to content
Malware family

Mozi

Mozi is an IoT-focused peer-to-peer botnet and malware family, first observed in 2019, that reuses some Gafgyt code but is distinct in using a DHT-based P2P architecture similar in concept to Hajime.

Profile source: Mallory opens in a new tab

Mozi

Family profile

Mozi is an IoT-focused peer-to-peer botnet and malware family, first observed in 2019, that reuses some Gafgyt code but is distinct in using a DHT-based P2P architecture similar in concept to Hajime. It targets routers, DVRs, NVRs, and other embedded Linux devices, spreading via Telnet brute-forcing with weak credentials and by exploiting known vulnerabilities in internet-exposed devices. Reported exploited weaknesses include Eir D1000 Wireless Router RCE, Vacron NVR RCE, CVE-2014-8361 (Realtek SDK), Netgear command injection flaws affecting R7000/R6400 and DGN1000 routers, JAWS Webserver command execution on MVPower DVR, CVE-2017-17215 (Huawei HG532), HNAP/UPnP command execution issues on D-Link devices, CVE-2018-10561 and CVE-2018-10562 (GPON routers), and CCTV/DVR RCE. Mozi uses infected nodes to provide malware download locations over HTTP, and can directly exploit targets or log in over Telnet, drop a downloader, and fetch the bot binary. Its configuration is protected with XOR obfuscation and ECDSA384 signature verification to preserve integrity in the untrusted P2P environment. Documented capabilities include DDoS attacks, bot information collection, downloading and executing payloads from URLs, self-update, and execution of system or custom commands. Analysis cited an ARM ELF v2 sample (MD5 eda730498b3d0a97066807a2d98909f3) and an earlier packed sample (MD5 849b165f28ae8b1cebe0c7430f44aff3). Multiple reports describe Mozi as a prevalent botnet abusing compromised routers and embedded devices, including infrastructure tracking that associated it with 9,427 unique C2 IP addresses in Chinese hosting environments, making it one of the most prevalent observed botnet deployments in those datasets. Additional reporting notes Mozi payloads being deployed by other botnet activity, including claims that Androxgh0st C2 logs showed Mozi IoT-focused payloads being used. Mozi is commonly discussed alongside Mirai and Gafgyt in automated campaigns targeting PHP servers, IoT devices, and cloud gateways through known vulnerabilities and misconfigurations.

Observed infrastructure

Last seven days

First activity
Jul 13, 2026
Last activity
Jul 18, 2026
Feed role
Distribution
Host form
125 IP / 0 hostnames

Leading locations

  • CN75
  • ZA8
  • RU6
  • ET5
  • PH5
  • AL3
  • AR3
  • ID3
  • PK3
  • SE3
  • BR2
  • CA2

Leading providers

  • CHINA UNICOM China169 Backbone48
  • CHINANET BACKBONE22
  • Telkom SA Ltd.8
  • Ethio Telecom5
  • Globe Telecom Inc.5
  • National WiMAX/IMS environment3

Infrastructure traits

  • Vpn 13
  • Residential Proxy 4
  • Mobile 3
  • Hosting 2

Samples

Recent associated samples

Reported operators

Threat actors

1 named in public reporting
RondoDox

"...alongside NETGEAR-MOZI and other router-related flaws. This pattern suggests that the actor was focused on building or expanding botnets..."

Exploited software

Vulnerabilities linked to Mozi

10 CVEs

MITRE ATT&CK

Mozi in ATT&CK

17 distinct techniques

Reporting

Research mentioning Mozi

May 22
Security Affairs

One Telecom Provider Hosted Most of the Middle East ’s Active C2 Infrastructure

Families observed in the dataset include Cobalt Strike, AsyncRAT, Mirai, Sliver, Mozi, Hajime, Tactical RMM, and Gophish.

Apr 16
Cyber Security News

1,250+ C2 Servers Mapped Across Russian Hosting Across 165 Providers

Hajime, an IoT-focused botnet, follows with 191 C2 servers, while Mozi and Mirai reflect ongoing abuse of compromised routers and embedded devices.

Apr 7
Breakglass Intel

AncientNET / Zyre - Total Botnet Unmasking via an Open WebDAV - Breakglass Intelligence - Breakglass Intelligence

The bot also actively kills competing botnet processes: mirai. sora. bot. dark. hilix. rakitin. neon. owari. aqua. boatnet. mozi.

Jan 29
Barracuda

Malware Brief: New wave of botnets driving DDoS chaos | Barracuda Networks Blog

Mirai and modern variants (e.g., Satori, Mozi remnants, Katana)

Jan 16
Scworld

Massive Chinese malware C2 server network uncovered | SC Media

"Additional findings showed that the Mozi botnet was the most prevalently deployed using the C2 network with 9,427 unique IP addresses..."

Jan 15
Cyber Security News

Chinese Threat Actors Hosted 18,000 Active C2 Servers Across 48 Hosting Providers

Mozi botnet dominates with 9,427 unique C2 IP addresses, representing more than half of all observed command-and-control activity.

Oct 30
Scworld

Automated botnet intrusions surge, report finds

"Automated Mirai, Mozi, and Gafgyt botnet intrusions have significantly increased..."

Oct 30
Scworld

Botnets driving attacks on PHP servers, IoT devices, cloud gateways

"...these attacks are driven by botnets such as Mirai, Gafgyt, and Mozi."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.