AndroxGh0st Expands Cyber Threats, Exploits IoT and Web Vulnerabilities with Mozi Botnet
November 8, 2024

The AndroxGh0st malware has been exploiting a broader range of security vulnerabilities across various internet-facing applications while deploying the Mozi botnet.
Active since at least 2022, AndroxGh0st has targeted known vulnerabilities in systems such as the Apache web server, Laravel Framework, and PHPUnit for unauthorized access and control.
In January 2024, U.S. cybersecurity agencies warned that AndroxGh0st was being used to build a botnet for identifying and exploiting victims in target networks.
This Python-based tool specifically targets Laravel applications, reading exposed .env configuration files to harvest credentials for services such as Amazon Web Services (AWS), SendGrid, and Twilio.
Reports indicate that AndroxGh0st combines remote code execution with credential theft to infiltrate critical infrastructure through unpatched vulnerabilities.
Recent analyses reveal that AndroxGh0st has expanded its targeting to include multiple vulnerabilities, such as CVE-2014-2120 (Cisco ASA), CVE-2018-10561 (Dasan GPON), and CVE-2024-36401 (GeoServer).
The botnet also brute-forces WordPress administrator logins, trying common administrative usernames with predictable password patterns to take control of sites.
Additionally, attacks have exploited command execution flaws in Netgear DGN devices and Dasan GPON routers to deploy a payload known as 'Mozi.m'.
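As an added example (not code from this page, from The Hacker News, or from any AndroxGh0st analysis), the following Python script triages web-server access-log lines for the activity the summary describes: probes for Laravel .env files and PHPUnit, requests to router command-injection endpoints, and WordPress login brute forcing. The log lines are constructed for the example. The probe paths are assumptions chosen here because they are widely associated with those vulnerability classes; they are not identifiers taken from the page. The check a practitioner most needs is the last one: a `/.env` request answered with 200 and a non-empty body means the secrets file was served, and every credential in it should be treated as stolen.

```python
"""Triage combined-format access logs for AndroxGh0st-style scanning.

Added example: the sample log and probe paths are constructed/assumed here,
not taken from the article being summarized.
"""
import re
from collections import Counter

# Apache/nginx combined format: ip ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed indicator paths (well-known for these bug classes; not from the page):
# Laravel .env leaks, PHPUnit eval-stdin (CVE-2017-9841), Dasan GPON diag form
# (CVE-2018-10561), Netgear DGN setup.cgi command injection.
PROBE_PATTERNS = {
    "laravel_env": re.compile(r"/\.env(\.|$|\?)"),
    "phpunit_eval_stdin": re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php"),
    "gpon_diag_form": re.compile(r"/GponForm/diag_Form"),
    "netgear_setup_cgi": re.compile(r"/setup\.cgi\?.*todo=syscmd"),
}

WP_LOGIN_RE = re.compile(r"^/wp-login\.php(\?|$)")
LOGIN_BURST_THRESHOLD = 10  # POSTs to wp-login.php from one IP before flagging


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify_probe(path):
    """Label a request path if it matches one of the assumed indicator paths."""
    for label, pat in PROBE_PATTERNS.items():
        if pat.search(path):
            return label
    return None


def triage(log_text):
    """Scan log text and return probes, IPs that obtained a .env file, and login bursts."""
    probes = []
    exposed_env = set()
    login_posts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        label = classify_probe(rec["path"])
        if label:
            probes.append({"ip": rec["ip"], "path": rec["path"],
                           "status": rec["status"], "label": label})
            # 200 with a body for /.env means the server actually handed over the
            # secrets file: rotate every key in it (AWS, SendGrid, Twilio, APP_KEY, DB).
            if label == "laravel_env" and rec["status"] == 200 and rec["size"] > 0:
                exposed_env.add(rec["ip"])
        if rec["method"] == "POST" and WP_LOGIN_RE.match(rec["path"]):
            login_posts[rec["ip"]] += 1
    bursts = {ip: n for ip, n in login_posts.items() if n >= LOGIN_BURST_THRESHOLD}
    return {"probes": probes, "exposed_env": sorted(exposed_env), "login_bursts": bursts}


# Constructed sample log: one scanner probing .env/PHPUnit/GPON, one legitimate
# admin login, one unparseable line, and a 12-request wp-login.php burst.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.10 - - [08/Nov/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
        '203.0.113.10 - - [08/Nov/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
        '203.0.113.10 - - [08/Nov/2024:10:01:05 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
        '192.0.2.5 - - [08/Nov/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        'garbage line that does not parse',
    ]
    + [f'198.51.100.7 - - [08/Nov/2024:10:03:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1204 "-" "python-requests/2.31"'
       for s in range(12)]
)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for p in result["probes"]:
        print(f"probe  {p['ip']:15} {p['label']:20} {p['status']} {p['path']}")
    print("env exposed to:", result["exposed_env"])
    print("login bursts:", result["login_bursts"])
```

Run against real logs by feeding the file contents to `triage()`. Status codes matter for prioritising: a 404 on the PHPUnit or GPON path shows scanning, while a 200 on `/.env` with a body is an incident, not a probe.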
The integration of AndroxGh0st with Mozi suggests a collaborative effort to enhance infection capabilities, allowing both to leverage similar command infrastructures for broader device control.
This operational integration implies that AndroxGh0st and Mozi may be controlled by the same cybercriminal group, improving the efficiency of their botnet activities.
Although Chinese authorities arrested the malware authors in September 2021, Mozi activity sharply declined only after a kill switch was activated in August 2023.
Mozi is particularly notorious for targeting IoT devices to create networks for distributed denial-of-service (DDoS) attacks.
Source
The Hacker News • Nov 8, 2024
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services