A Peer-to-Peer (P2P) botnet named Mozi has been causing a considerable increase in overall IoT botnet activities since late 2019. Lately, IBM X-Force has released a report claiming the botnet has accounted for nearly 90% of the observed IoT network traffic from October 2019 through June 2020.

The startling takeover

Instead of removing its competitors from the compromised devices, the Mozi botnet has been successfully flooding the cyberspace.
  • Its success is due to the use of command injection attacks to gain initial access to the device, leveraging the misconfiguration of IoT devices.
  • After gaining full access to the device through the botnet, the attackers then change the firmware level so as to plant additional malware on the device.
  • Surprisingly, during the attacks, the botnet did not seek to outdo competitors from compromised systems.

Ever-expanding IoT landscape

While command injection is the primary infection vector of choice for threat actors, recent attacks have seen the exploitation of IoT devices using several other threat vectors.
  • In July, the Mirai botnet was found exploiting F5 BIG-IP bugs (CVE-2020-5902, CVE-2020-1956, CVE-2020-7115, etc.) for intrusion and delivering malicious payloads.
  • In June, XORDDoS and Kaiji botnets had targeted Docker servers to perform brute-force attacks after scanning for open Secure Shell (SSH) and Telnet ports.
  • In the same month, Mozi had targeted IoT devices, predominantly routers, and DVRs by utilizing a distributed hash table (DHT) for communication.


Mozi botnet has ramped up operations through constant exploitation attempts via command injection to take adavantage of slow patch implementation. Experts advise organizations to change default device settings and use effective penetration testing to find and fix gaps in the defenses.
Cyware Publisher