Androxgh0st Botnet Replaces Mozi as the Dominant Malware and Integrates Its Functionality

• Mozi’s abrupt disappearance left room for a new botnet to emerge, and Androxgh0st took the lead.
• Security researchers believe Androxgh0st uses its predecessor’s functionality and may be operated by Chinese hackers.
• It can now target IoT devices and web servers for DDoS attacks, data breaches, and mass surveillance operations.

A dangerous new botnet, dubbed Androxgh0st, has emerged as a major cyber threat following the sudden disappearance of the infamous Mozi botnet last year. Previously targeting web servers to steal sensitive data, Androxgh0st has expanded its capabilities by integrating Mozi's functionality. 

According to security researchers, the Androxgh0st botnet has rapidly evolved since its initial appearance in 2023. Experts suspect Chinese threat actors may operate the botnet to align with the country's broader state-driven objectives. 

“Based on the available information, we can ascertain with low confidence that the Androxgh0st botnet is being operated by Chinese threat actors that are driven by similar interests as that of the Chinese state,” said Koushik Pal, a researcher at CloudSEK.

Check Point Software recently named Androxgh0st the most prevalent malware globally, reporting that it affected an estimated 5% of organizations worldwide in November 2024. 

This enhancement allows the botnet to target a broader range of devices, including Internet of Things (IoT) devices and web servers, while deploying powerful tools to enable Distributed Denial-of-Service (DDoS) attacks, data breaches, and mass surveillance operations.

By December 2024, Androxgh0st had been reported exploiting vulnerabilities in technologies such as TP-Link routers, Cisco ASA, Atlassian JIRA, Sophos Firewalls, and additional IoT devices, indicating the malware's versatility in breaching enterprise defenses.

Androxgh0st marks a turning point in botnet weaponization strategies, with its operators leveraging IoT-focused exploits to bolster the botnet's reach. 

Like many botnets, Androxgh0st begins its campaign by exploiting known vulnerabilities to deploy malicious payloads. Once infected, a device becomes part of the botnet, further amplifying its ability to infiltrate networks and execute malicious tasks. 

Initially confined to targeting web servers and stealing sensitive data, the malware has since evolved. By January 2024, it began deploying payloads to IoT devices using Mozi exploits—an alarming development considering Mozi’s capacity for infiltrating hundreds of thousands of IoT devices annually prior to its shutdown.

U.S. federal agencies, including the FBI and CISA, first warned about Androxgh0st in early 2024. At the time, it primarily relied on exploiting older vulnerabilities to steal cloud credentials. The malware scanned for ENV files containing credentials for major platforms such as AWS, Microsoft Office 365, SendGrid, and Twilio.

Since then, researchers have observed a sharp escalation in its sophistication and scale. Between January and August 2024, the number of Common Vulnerabilities and Exposures (CVEs) exploited by Androxgh0st soared by 100%, an indicator of heightened sophistication aimed at leveraging cutting-edge exploits.