A new malware family called Mozi, using several known malware families code– Gafgyt, Mirai and IoT Reaper have been brought together to form a peer-to-peer (P2P) botnet capable of DDoS attacks, data exfiltration and command or payload execution. 


  • Mozi a peer-to-peer (P2P) botnet attack is active since late 2019 and targeting Internet of things (IoT) devices.

  • Mozi botnet is based on the distributed sloppy hash table (DSHT) protocol targeting IoT devices, predominantly routers and DVRs that are either unpatched or have weak telnet passwords

  • Mozi targets via command injection (CMDi) attacks and taking advantage of IoT device misconfigurations and weak telnet passwords.

  • It has four major capabilities:

    1. It can conduct DDoS attack (HTTP, TCP, UDP)

    2. Carry out command execution attack

    3. Download malicious payload from specified URL and execute it

    4. Gather bot information