Androxgh0st

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to intrusion sets

· Published 21/12/2025 05:24 · Modified 21/12/2025 08:21 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 21/12/2025 05:24
Modified: 21/12/2025 08:21
Updated at: 21/12/2025 08:21
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 3 reports, 26 attack patterns (mitre), 2 malware, 4 countries, 13 indicators, 13 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (3)

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest …

13 CVEs 20 MITREs 2 Malwares 10 Observables 1 APT

Published 12/11/2024 08:47 · Modified 12/11/2024 09:28
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT …

8 MITREs 2 Malwares 1 Observable 1 APT

Published 08/11/2024 18:33 · Modified 08/11/2024 19:22
Who You Gonna Call? AndroxGh0st Busters!

3 CVEs 9 MITREs 1 Malware 7 Observables 1 APT

Published 17/07/2024 07:34 · Modified 17/07/2024 07:58

Attack patterns (MITRE) (26)

T1110 uses

Brute Force
T1071 uses

Application Layer Protocol
T1587 uses

Develop Capabilities
T1562 uses

Impair Defenses
Search Open Websites/Domains uses

T1593
T1046 uses

Network Service Discovery
T1082 uses

System Information Discovery
T1027 uses

Obfuscated Files or Information
T1016 uses

System Network Configuration Discovery
T1595 uses

Active Scanning
T1583 uses

Acquire Infrastructure
T1537 uses

Transfer Data to Cloud Account

← Previous

Page / 3

1–12 of 26

Androxgh0st uses

Family

Published 19/05/2026 17:52 · Modified 19/05/2026 17:52
Mozi uses

Family

Published 21/05/2026 23:03 · Modified 21/05/2026 23:03

Countries (4)

British Indian Ocean Territory targets
India targets
China targets
Albania targets

Indicators (13)

0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef indicates
b8380e2cd7a2164e8efa0bac32eda97f8b81084e6ba90d44a59d357b9461b6af indicates
api.next.eventsrealm.com indicates
22b1fdcd8a40dacc2fc4907a3cd9e25fcbd8a8466ccfd9de0242a6bde5b8e181 indicates
ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72 indicates
bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7 indicates
58015d2873a59d32f68640675d7f68ac681c904c8ca5b79d0a6a360ad9e83826 indicates
23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066 indicates
f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88 indicates
3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a indicates
6adf22b7deaf177b7ef5bee65e50e2c689afb8bcb97fb5f0d920476ad4d07d9b indicates
0b4536fb2b282d634be632691690bb99eede7cd0306b9409c982d1880d418aee indicates

← Previous

Page / 2

1–12 of 13

Vulnerabilities (CVE) (13)

CVE-2024-4577 KEV

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2022-1040 KEV

An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Published: 31/03/2022
Modified: 21/12/2025

CVE-2023-1389 KEV

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2018-10561 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.

Published: 31/03/2022
Modified: 20/12/2025

CVE-2022-21587 KEV

9.8 Critical

Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications …

Attack vector: Network
Published: 02/02/2023
Modified: 21/12/2025

CVE-2014-2120 KEV

6.1 Medium

Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to …

Attack vector: NETWORK
Complexity: LOW
Published: 19/03/2014
Modified: 22/04/2026

CWE-79

CVE-2021-26086 KEV

Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the …

Published: 12/11/2024
Modified: 21/12/2025

CVE-2018-10562 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.

Published: 31/03/2022
Modified: 20/12/2025

CVE-2021-41773 KEV

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2021-41277 KEV

Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

Published: 12/11/2024
Modified: 21/12/2025

CVE-2018-15133 KEV

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a …

Published: 16/01/2024
Modified: 21/12/2025

CVE-2024-36401 KEV

9.8 Critical

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …

Attack vector: Network
Published: 15/07/2024
Modified: 21/12/2025

← Previous

Page / 2

1–12 of 13

Contact About Legal notice Privacy policy Terms of use

Androxgh0st

Essential information

Description

Marking (TLP)

Related entities

Reports (3)

Attack patterns (MITRE) (26)

Malware (2)

Countries (4)

Indicators (13)

Vulnerabilities (CVE) (13)