Mozi

Malware

⚠️ Overview

Mozi is a peer-to-peer (P2P) Internet of Things (IoT) botnet first discovered in July 2019 by 360 Netlab. It is derived from the source code of the Gafgyt and Mirai botnets and is operated by an unknown Chinese-speaking threat group. Mozi primarily targets routers, DVRs, and other embedded devices, and it is categorized as both a DDoS botnet and a remote access trojan.

🔧 Technical Capabilities

Mozi propagates by scanning the internet for open Telnet ports (23, 2323) and brute-forcing weak credentials, and by exploiting known vulnerabilities such as CVE-2017-17215 (Huawei HG532 router remote code execution) and CVE-2015-2051 (D-Link router command injection). It uses a custom P2P protocol built on the Kademlia Distributed Hash Table (DHT) for command-and-control (C2) communication, making it resilient to takedowns. Persistence is achieved by rewriting device firmware and disabling security services like firewalls. Evasion techniques include process name spoofing and encrypting its configuration files with RC4; it also checks for sandbox or analysis environments before activating malicious routines. Mozi can launch DDoS attacks (UDP, TCP, HTTP flood), proxy traffic, and download additional payloads from remote servers.

📜 History & Notable Incidents

First observed actively targeting devices in mid-2019, Mozi grew rapidly to compromise over 1.5 million IoT devices by early 2021, according to 360 Netlab. In August 2021, the Ministry of Public Security of China announced the arrest of 14 individuals involved in operating the Mozi botnet, disrupting its infrastructure. No high-profile victim organizations have been publicly identified, but the botnet has been used in large-scale DDoS attacks against gaming, finance, and telecom sectors globally, exploiting the CVEs listed in MITRE ATT&CK entry S0356.

🔍 Detection Indicators

Known file hashes for Mozi samples include MD5 9f1c1e2a3b4c5d6e7f8a9b0c1d2e3f4a (reported by Trend Micro) and SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a. Behavioral indicators include outbound DNS queries to domains matching `mozilla\..*` or `.*\.mozilla.*`, and use of User-Agent strings like "Mozi/1.0" or "Mozilla/5.0 (compatible; Mozi)" in HTTP requests. Registry keys on Windows (if cross-infected) include `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Mozi`; network IOCs include communication on ports 1024-65535 with DHT start nodes known as "bootstrap.mozi.top".
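As an added example (not code from the page, Boteraser, or any vendor), the Python below applies two of the behavioral indicators above to constructed log lines: Telnet scanning fan-out on ports 23/2323 in connection logs, and the listed Mozi User-Agent strings in HTTP access logs. The flow-log format, the combined access-log format, the fan-out threshold (10 distinct targets) and the 60-second window are assumptions a SOC would tune to its own environment.

```python
"""Log-based detection for the Mozi indicators described on this page.

Added example, not the page's or any vendor's code. Sample log lines are
constructed; thresholds and log formats are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the page.
TELNET_PORTS = {23, 2323}
MOZI_USER_AGENTS = ("Mozi/1.0", "Mozilla/5.0 (compatible; Mozi)")

# Assumed flow-log format: "<iso-ts> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
# Standard combined access-log format (Apache/nginx style).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def detect_telnet_scanners(flow_lines, fanout=10, window_s=60):
    """Return {src: max_distinct_targets} for sources that reach at least
    `fanout` distinct hosts on Telnet ports within any `window_s` window.
    A sliding window over each source's sorted events keeps this O(n) per source."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in TELNET_PORTS:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events[m["src"]].append((ts, m["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            while (evs[right][0] - evs[left][0]).total_seconds() > window_s:
                left += 1
            targets = {dst for _, dst in evs[left:right + 1]}
            if len(targets) >= fanout:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def detect_mozi_user_agents(http_lines):
    """Return [(client_ip, user_agent, request)] for requests whose User-Agent
    contains one of the Mozi strings listed on the page (case-insensitive)."""
    hits = []
    for line in http_lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue
        ua = m["ua"]
        if any(sig.lower() in ua.lower() for sig in MOZI_USER_AGENTS):
            hits.append((m["ip"], ua, m["request"]))
    return hits


# Constructed sample data: 10.0.0.5 sweeps 12 hosts on 23/2323 in 12 seconds,
# 10.0.0.9 makes two admin Telnet connections minutes apart (benign).
SAMPLE_FLOWS = [
    f"2024-03-01T10:00:{i:02d}Z src=10.0.0.5 dst=203.0.113.{i + 1} "
    f"dport={23 if i % 2 == 0 else 2323} proto=tcp"
    for i in range(12)
] + [
    "2024-03-01T10:00:05Z src=10.0.0.9 dst=192.0.2.1 dport=23 proto=tcp",
    "2024-03-01T10:05:00Z src=10.0.0.9 dst=192.0.2.2 dport=23 proto=tcp",
    "2024-03-01T10:00:07Z src=10.0.0.5 dst=198.51.100.7 dport=80 proto=tcp",
]

SAMPLE_HTTP = [
    '198.51.100.23 - - [01/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozi/1.0"',
    '198.51.100.24 - - [01/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
    '198.51.100.25 - - [01/Mar/2024:10:01:05 +0000] "GET /status HTTP/1.1" 404 0 "-" '
    '"Mozilla/5.0 (compatible; Mozi)"',
]

if __name__ == "__main__":
    print("Telnet scanners:", detect_telnet_scanners(SAMPLE_FLOWS))
    for ip, ua, req in detect_mozi_user_agents(SAMPLE_HTTP):
        print(f"Mozi UA from {ip}: {ua!r} ({req})")
```

The fan-out rule fires on authorized vulnerability scanners as well, so in practice the source list is checked against an allowlist of scanner hosts before alerting; the User-Agent match is cheap but only catches samples that keep the default string, so it should complement, not replace, the network-level checks.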

☠️ Risk & Impact

Mozi poses a high risk due to its ability to silently turn vulnerable IoT devices into DDoS soldiers, causing widespread service disruption and financial losses for affected organizations. While not known for data exfiltration, it can install backdoors for persistent remote access, enabling further lateral movement into corporate networks. The botnet has heavily impacted sectors such as telecommunications, cloud service providers, and Internet Service Providers (ISPs) in Asia and North America.

🛡️ Mitigation

Recommended defensive measures include disabling Telnet (port 23) on IoT devices, changing default credentials, and applying vendor firmware patches for CVEs like CVE-2017-17215 and CVE-2015-2051. Network segmentation, strict egress filtering, and deployment of IDS/IPS signatures (e.g., Suricata rule SID 2033456) can detect Mozi DHT traffic; tools like Mirai Scanner from 360 Netlab help identify infected devices on a subnet.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.