Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave
Essential information
- Published
- 12/11/2024 08:47
- Modified
- 12/11/2024 09:28
- Tags
- 2024-11-12 CVE-2014-2120 CVE-2018-10561 CVE-2018-10562 CVE-2021-26086 CVE-2021-41277 CVE-2022-1040 CVE-2022-21587 CVE-2023-1389 CVE-2024-36401 CVE-2024-4577 androxgh0st botnet credential-theft iot mozi persistent access remote code execution routers vulnerability exploitation web servers
- Related entities
- 13 vulnerabilities (cve), 10 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware, 4 others
Description
The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code execution and credential theft techniques. The botnet targets unpatched systems, employing tactics like command injection and brute-force attacks to maintain persistent access. With over 500 infected devices globally, Androxgh0st poses a significant threat to critical infrastructure. The integration of Mozi's capabilities suggests a possible merger of the two botnets, potentially under the same cybercriminal group, enhancing their combined effectiveness and reach.