Mozi IoT Botnet Now Also Targets Netgear, Huawei, and ZTE Network Gateways


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Mozi, a peer-to-peer (P2P) botnet known to target IoT devices, has gained new capabilities that allow it to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE, according to new findings.

"Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks," researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT said in a technical write-up. "By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities."

First documented by Netlab 360 in December 2019, Mozi has a history of infecting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. The botnet is evolved from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper.

Mozi spreads via the use of weak and default remote access passwords as well as through unpatched vulnerabilities,, with the IoT malware communicating using a BitTorrent-like Distributed Hash Table (DHT) to record the contact information for other nodes in the botnet, the same mechanism used by file-sharing P2P clients. The compromised devices listen for commands from controller nodes and also attempt to infect other vulnerable targets.