- Androxgh0st’s integration with Mozi amplifies global risks
- IoT vulnerabilities are the new battlefield for cyberattacks
- Proactive monitoring is critical to combating emerging botnet threats
Researchers recently discovered a significant evolution of the Androxgh0st botnet, which has become more dangerous with the integration of Mozi botnet functionality.
An attack campaign targeting web servers that began in early 2024 has expanded, and Androxgh0st is now exploiting vulnerabilities in IoT devices, CloudSEK’s Threat Research Team has said.
Its latest report states that the botnet is now equipped with Mozi’s advanced technology to infect and spread on a variety of network devices.
The resurgence of Mozi: a unified botnet infrastructure
Mozi, previously known for infecting IoT devices such as Netgear and D-Link routers, was believed to have been shut down when its kill switch was activated in 2023.
However, CloudSEK revealed that Androxgh0st integrates Mozi’s distribution capabilities, significantly enhancing its potential for targeting IoT devices.
By deploying Mozi’s payload, Androxgh0st now operates a unified botnet infrastructure that leverages specialized tactics to penetrate IoT networks. This convergence allows the botnet to spread more efficiently through vulnerable devices, including routers and other connected technologies, making it an even more powerful force.
In addition to its integration with Mozi, Androxgh0st has expanded the scope of its targeted vulnerabilities, exploiting weaknesses in critical systems. CloudSEK’s analysis shows that Androxgh0st is now actively attacking major technologies, including Cisco ASA, Atlassian JIRA, and multiple PHP frameworks.
In Cisco ASA systems, the botnet exploits cross-site scripting (XSS) vulnerabilities to inject malicious scripts through unspecified parameters. It also targets Atlassian JIRA, which has a path traversal vulnerability (CVE-2021-26086), allowing attackers to gain unauthorized access to sensitive files. In PHP frameworks, Androxgh0st exploits older vulnerabilities such as Laravel (CVE-2018-15133) and PHPUnit (CVE-2017-9841) to facilitate backdoor access to infected systems.
Androxgh0st’s threat landscape is not limited to older vulnerabilities. It also exploits newly discovered flaws such as CVE-2023-1389 in TP-Link Archer AX21 firmware (which allows unauthenticated command execution) and CVE-2024-36401 in GeoServer (which can lead to remote code execution).
The botnet now also uses brute-force credential stuffing, command injection, and file inclusion techniques to compromise systems. By leveraging Mozi’s IoT-centric strategy, it has significantly expanded its geographic reach, spreading infections across Asia, Europe, and beyond.
CloudSEK recommends that organizations strengthen their security posture to mitigate potential attacks. Immediate patching is essential, but proactive monitoring of network traffic matters just as much. By tracking suspicious outbound connections and detecting anomalous login attempts, especially from IoT devices, organizations can spot early signs of the Androxgh0st-Mozi collaboration.
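As an added illustration of the monitoring advice above (not code from CloudSEK or the report), the script below scans web server access logs for two of the behaviours the article attributes to Androxgh0st: path traversal probes and repeated failed logins from one source. The log lines, the `/login` endpoint and the failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2024:10:01:02 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:10:01:05 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:10:01:06 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:10:01:07 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:10:01:08 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2024:10:01:09 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2024:10:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2024:10:02:30 +0000] "POST /login HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request method/path and response status from one log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_traversal(path):
    # Decode twice so single- and double-encoded "../" sequences are both caught.
    decoded = unquote(unquote(path))
    return "../" in decoded or "..\\" in decoded

def analyse(log_text, login_path="/login", fail_threshold=5):
    """Return (finding_type, source_ip, detail) tuples for suspicious activity."""
    findings = []
    failed_logins = defaultdict(int)   # source IP -> count of 401/403 on login_path
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if is_traversal(rec["path"]):
            findings.append(("path_traversal", rec["ip"], rec["path"]))
        if rec["method"] == "POST" and rec["path"] == login_path \
                and rec["status"] in ("401", "403"):
            failed_logins[rec["ip"]] += 1
    # Many failures from one source in the log window suggests credential stuffing.
    for ip, count in failed_logins.items():
        if count >= fail_threshold:
            findings.append(("credential_stuffing", ip, f"{count} failed logins"))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

In production the same logic would run over a rolling time window per source address rather than over the whole file, and the threshold tuned to the site's normal failure rate.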