Mozi botnet gets stealthier in infecting Huawei network gateways and other gear

Botnets are hard to sink, Part Infinity.
(Getty Images)

The authors of a prolific internet-of-things botnet called Mozi have developed new capabilities for their malicious software to linger on infected device and avoid detection, Microsoft researchers said Thursday.

A botnet is a horde of compromised computers that attackers use to distribute spam or ransomware, or conduct distributed denial of service (DDoS) attacks.

The Mozi botnet’s malware now has features catered to networking equipment made by popular vendors Netgear, Huawei and ZTE so that the malicious code lives on when the device is rebooted, according to the research. The features could also make it harder for other malicious hackers to wipe code off of infected devices — malicious-on-malicious activity that is a feature of the scamming ecosystem.

For network defenders, it’s an unwelcome development from a botnet that has been used to steal data and conduct DDoS attacks since surfacing in 2019. IBM researchers said last year that Mozi accounted for about 90% of internet-of-things (IoT) traffic tracked by researchers from October 2019 through June 2020.


The network gateways (or software and hardware used to connect networks) that the Mozi malware is written for “are a particularly juicy target” because they are a way into corporate networks, Microsoft researchers wrote in a blog. From there, higher-value IT systems can be infected.

The research is an example of how difficult it can be to eradicate botnets. Mozi, for example, thrives on weak passwords and numerous old IoT vulnerabilities and also infects things like DVRs, which users often don’t know how to update.

Other types of botnets took on added significance to the cybersecurity industry and government officials in the run-up to the 2020 election, when officials were concerned that the zombie computers could be used to distribute ransomware that might affect election administration.

With that in mind, U.S. Cyber Command and tech firms like Microsoft tried to disrupt the infamous TrickBot botnet in October 2020. While the moves knocked some TrickBot infrastructure offline, the malicious computer network has continued to operate.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts