Botnet's operators 'driven by similar interests as that of the Chinese state'
After the Mozi botnet mysteriously disappeared last year, a new and seemingly more powerful botnet, Androxgh0st, rose from its ashes and has quickly become a major threat to critical infrastructure.
As of December, at least one security shop suspects the new hybrid botnet is being weaponized by the Chinese government.
"Based on the available information, we can ascertain with low confidence that the Androxgh0st botnet is being operated by Chinese threat actors that are driven by similar interests as that of the Chinese state," CloudSEK researcher Koushik Pal told The Register.
Check Point, meanwhile, rated Androxgh0st as the most prevalent malware globally, and said it affected 5 percent of organizations worldwide during November.
The added Mozi capabilities allow Androxgh0st to control a much broader range of targets than it did at the beginning of the year, and "these attacks create cascading effects across industries, highlighting the high stakes for governments, businesses, and individuals reliant on these infrastructures," according to Check Point's Most Wanted Malware report.
Botnets, a favorite of Beijing-backed attackers, are especially insidious, and this one's ability to target both web servers and IoT devices expands its reach. After exploiting a vulnerability to deploy a payload on the victim device, that device becomes part of the botnet, which can then be used to break into other critical networks, perform large-scale DDoS attacks, and conduct mass surveillance and data theft operations.
The malware targets Windows, Mac, and Linux systems, and does not show any signs of slowing down in 2025.
"The integration of Mozi's capabilities within Androxgh0st means that we are going to see an uptick in mass exploitations," Pal said. "We can expect Androxgh0st to be exploiting at least 75 percent to 100 percent more web application vulnerabilities by mid-2025 than it is exploiting now."
CloudSEK was among the first threat hunting teams to spot the integration with Mozi, which came as a surprise to infosec watchers after someone - suspected to be either Chinese law enforcement or the botnet's creator - flipped the kill switch on Mozi in August 2023.
In its heyday, Mozi, which emerged in 2019, accounted for about 90 percent of malicious IoT network traffic globally, exploiting vulnerabilities in hundreds of thousands of connected devices each year.
"Around mid-2024, we started noticing payloads that were part of the Androxgh0st exploitation chain with Mozi payloads targeting TP-Link routers," Pal said. "Funny story, the threat actors had renamed the payload as 'tplink0day' in a few cases, but our investigation revealed that it was a decade-old firmware exploit under the wrappers."
By November, Androxgh0st was exploiting vulnerabilities in dozens of technologies including VPNs, firewalls, routers, and web applications to infect hundreds of thousands of platforms. These include Cisco ASA, Atlassian JIRA, Sophos Firewalls, Spring Cloud Gateways, PHP frameworks, plus several IoT devices.
"Mozi makes their botnet much, much bigger," Sergey Shykevich, threat intelligence group manager at Check Point, told The Register.
"It allows them not to target only specific servers and extract specific files, but now they have the option to target any router, camera, and all such devices that are extremely unprotected. IoT devices are one of the easiest things to attack," he noted.
The FBI and CISA first sounded the alarm on Androxgh0st in January. At the time, the feds said the cloud credential-stealing botnet was primarily using three old and long-since patched CVEs to obtain initial access.
"Androxgh0st originally had a very specific skill," Shykevich said. "It targeted web servers and tried to extract sensitive data files."
Specifically, the Python-scripted malware would scan for [.]env files that contain user credentials for AWS, Microsoft Office 365, SendGrid, and Twilio. In addition to scanning and harvesting credentials, it could also deploy webshells on compromised servers.
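Because the botnet's original trick was hunting for exposed `.env` files, one thing a defender can do is check web server access logs for requests aimed at `.env` paths and see whether any were actually served. The script below is an added example written for this article, not code from any report or from the malware; the log lines, IP addresses and paths in it are constructed, and the combined log format it parses is assumed to be the Apache/Nginx default.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/Nginx combined format) for illustration only;
# the IPs and paths are made up and are not indicators from any report.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2024:10:01:12 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2024:10:01:13 +0000] "GET /admin/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2024:10:01:14 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [05/Dec/2024:10:02:05 +0000] "GET /.env.bak HTTP/1.1" 200 823 "-" "curl/8.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A request whose last path segment is .env or a .env variant (.env.bak, .env.local, ...),
# with or without a query string.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?(\?.*)?$')

def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_env_probes(log_text):
    """Return one record per request targeting a .env file; 'served' is True if the response was 2xx."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ENV_PATH_RE.search(rec["path"]):
            rec["served"] = rec["status"].startswith("2")
            hits.append(rec)
    return hits

def summarize(hits):
    """Count probing requests per source IP and list (ip, path) pairs that actually got the file."""
    per_ip = Counter(h["ip"] for h in hits)
    exposed = [(h["ip"], h["path"]) for h in hits if h["served"]]
    return per_ip, exposed

if __name__ == "__main__":
    probes = find_env_probes(SAMPLE_LOG)
    counts, exposed = summarize(probes)
    print("probing sources:", dict(counts))
    print("env files actually served (credential exposure to investigate):", exposed)
```

A 2xx response to such a request means the web root was serving the secrets file and the credentials in it should be treated as compromised and rotated.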
"This was one attack vector, and it was very useful. It allowed the operators to get credentials for different resources," Shykevich said.
By August, CloudSEK started seeing the malware operators also deploying IoT-focused Mozi payloads, and infection rates have increased since then. "It's nearly a 30-70 split between IoT devices and web applications," as of early December, Pal said.
Between January and August, the number of CVEs being exploited by Androxgh0st skyrocketed.
"We have seen a sharp rise - about 100 percent - in the number of vulnerabilities exploited by Androxgh0st, indicating that the threat group is more focused on weaponization of some of the newer exploits in the wild," he said.
The security shop initially reported its Androxgh0st findings in November, documenting 11 vulnerabilities that the criminals exploited to gain initial access. In a December update to the research, CloudSEK noted 27.
Since releasing its initial report on the hybrid botnet, the threat hunters also documented an increase in Androxgh0st targeting tech that is primarily used in China.
"We have observed that the threat actors operating the botnet had targeted a hospital from Hong Kong in July 2023, which coincides with the victimology of Chinese APTs such as APT41 and Tonto Team," according to the report, which links the uptick in Androxgh0st's targeting to an increase in mass surveillance efforts by the Chinese government.
"As we have seen in the i-soon leaks, the APT market is cluttered with many different private companies who can provide 'pentesting and red-teaming services' to the state to aid their interests," Pal said. "We are looking at a trend where the threat actors are regularly updating their arsenal with the most recent exploits that can be easily exploited."