
Mozi botnet

Also known as: Mozi, Mozi P2P botnet

Category: P2P IoT botnet

Type: IoT malware/botnet

Platform: IoT devices (routers, DVRs, network gateways)

Variants: ARM, MIPS versions

Damage potential: DDoS attacks, data theft, remote command execution, HTTP hijacking, DNS spoofing

Overview

Mozi is an IoT botnet that combines code from Gafgyt, Mirai, IoT Reaper, and other botnets to perform DDoS attacks and data theft. It first emerged in 2019, targeting IoT devices such as routers and DVRs. It uses a custom P2P (peer-to-peer) protocol to hide itself within distributed hash table (DHT) networks, the decentralized lookup mechanism used by P2P file-sharing networks, so that its command traffic blends in with legitimate DHT traffic and the botnet can operate unnoticed.

Unlike many IoT botnets, Mozi can maintain long-term persistence on infected devices — even after reboot — by modifying startup scripts and disabling remote management services. It also incorporates traffic injection, DNS spoofing, and HTTP hijacking to conduct man-in-the-middle attacks and redirect victims to malicious infrastructure.

Possible symptoms

While unexpected system slowdowns may be the first sign that your device has been infected by the Mozi botnet or similar malware, other possible symptoms include:

  • Unusual outgoing network traffic.
  • Unfamiliar processes running on the device.
  • Unexpected slowdowns in connection speed.
  • Modified DNS settings.
  • Unusual increase in CPU usage.
  • Unexpected reboots or crashes.
  • Unusual LED blinking or other activity while the device is idle.

Sources of the infection

Mozi infiltrates networks by targeting vulnerable IoT devices and routers through direct automated attacks. It continuously scans the internet for devices with weak or default Telnet passwords, attempting thousands of common credential combinations to gain unauthorized access. Once it compromises a device, Mozi can leverage its peer-to-peer architecture to spread laterally across networks, turning each infected device into a launching point for further attacks. This self-propagating mechanism allows Mozi to rapidly expand its botnet without any user interaction.

Protection

To protect your network from the Mozi botnet and similar threats, combine as many of the following measures as possible:

  • Monitor network traffic. Set up firewalls and network monitoring tools to detect suspicious outbound connections.
  • Only trust official sources. Never download software from pirated websites.
  • Set up strong passwords. Create complex and unique passwords that contain upper- and lowercase letters, numbers, and special characters. Change the default passwords on your IoT devices.
  • Use Threat Protection Pro™. NordVPN's advanced antivirus tool is designed to make browsing safer by blocking compromised websites and preventing malicious downloads.
  • Keep your systems updated. Regularly install updates for your IoT devices and other software to patch against known vulnerabilities.
  • Disable Telnet access. Turn off unnecessary services like Telnet on IoT devices to limit the attack surface for Mozi botnet.
  • Restrict IoT device access. Limit external connectivity for IoT devices where possible, and isolate IoT devices from critical systems to limit the spread of malware in the event of a Mozi botnet attack.
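As an added illustration (not code from the original page or from NordVPN), the following Python heuristic flags two behaviours described above over constructed connection records: a device opening Telnet connections to many distinct hosts, which is how Mozi scans for weak credentials, and a device sending DNS queries to a resolver other than the trusted one, a sign of modified DNS settings. The IP addresses, the 5-target threshold and the record format are assumptions.

```python
"""Heuristics for Mozi-like behaviour in connection records (illustrative)."""
from collections import defaultdict

# Mozi brute-forces Telnet on the standard and alternate ports.
TELNET_PORTS = {23, 2323}

# Constructed sample flows: (source_ip, dest_ip, dest_port, protocol).
# 192.168.1.20 is a camera that starts scanning; 192.168.1.30 is a router
# whose DNS settings have been pointed at an unknown resolver.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.1", 53, "udp"),       # DNS to the LAN resolver
    ("192.168.1.20", "198.51.100.10", 23, "tcp"),
    ("192.168.1.20", "198.51.100.11", 23, "tcp"),
    ("192.168.1.20", "198.51.100.12", 2323, "tcp"),
    ("192.168.1.20", "198.51.100.13", 23, "tcp"),
    ("192.168.1.20", "198.51.100.14", 23, "tcp"),
    ("192.168.1.20", "198.51.100.14", 23, "tcp"),     # retry against same host
    ("192.168.1.20", "198.51.100.15", 23, "tcp"),
    ("192.168.1.30", "192.168.1.40", 23, "tcp"),      # single admin session
    ("192.168.1.30", "203.0.113.53", 53, "udp"),      # DNS to a foreign resolver
    ("192.168.1.30", "203.0.113.53", 53, "udp"),
]


def telnet_scanners(flows, min_targets=5):
    """Return {source_ip: distinct_target_count} for sources that opened
    Telnet connections to at least min_targets distinct destinations.
    A normal device talks Telnet to few hosts; a scanner talks to many."""
    targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def rogue_dns_clients(flows, trusted_resolvers):
    """Return {source_ip: [resolvers]} for sources sending DNS (UDP 53) to
    resolvers outside the trusted set, consistent with modified DNS settings."""
    hits = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "udp" and port == 53 and dst not in trusted_resolvers:
            hits[src].add(dst)
    return {src: sorted(d) for src, d in hits.items()}


if __name__ == "__main__":
    print("Telnet scanners:", telnet_scanners(SAMPLE_FLOWS))
    print("Rogue DNS clients:", rogue_dns_clients(SAMPLE_FLOWS, {"192.168.1.1"}))
```

In practice the records would come from a firewall or NetFlow export, and the threshold should be tuned to how much Telnet traffic is legitimate on your network.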

Removal

If you suspect your device has been infected with the Mozi botnet, act immediately. First, disconnect it from the internet and reboot in safe mode. Do a factory reset to fully remove the Mozi botnet from the device. Disconnecting IoT devices from the power source can also help remove this malicious software.

Finally, consider changing all your passwords and turning on automatic firmware updates on your IoT devices. Continue monitoring network traffic for any signs of suspicious activity.