A ‘kill switch’ deliberately shut down notorious Mozi botnet, researchers say


Researchers have discovered a “kill switch” that supposedly put an end to the infamous Mozi botnet, which exploited vulnerabilities in hundreds of thousands of smart devices.

The first indications that something went wrong with Mozi appeared in August when the botnet’s activity suddenly dropped in India and China, its largest markets.

Researchers at the cybersecurity firm ESET then discovered that Mozi’s bots became nearly inactive after someone sent a payload to the infected devices, which deactivated the Mozi malware, shut some of its system services, and disabled access to various ports.

The researchers suggest that the takedown was “deliberate and calculated” and was likely executed by the creators of Mozi or Chinese law enforcement. In 2021, China arrested the creators of the botnet.

Among the evidence that the botnet shutdown was deliberate is that the update carrying the kill switch was signed with the correct private key and has a strong connection to the botnet’s original source code, the researchers said.

Mozi was discovered in 2019, and since then has infected more than 1.5 million Internet of Things (IoT) devices, turning them into bots — hacked gadgets controlled by cybercriminals to carry out distributed denial-of-service (DDoS) attacks, exfiltrate data, or install other malware.

Mozi gained access to IoT devices, such as digital cameras and home routers, by exploiting weak or default login credentials.

ESET called Mozi’s demise “a fascinating case of cyber forensics,” providing analysts with technical information on how such botnets are created, operated, and dismantled. However, the main question of who killed Mozi remains a mystery.


Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
