The Androxgh0st botnet, which initially targeted web servers, has recently evolved by integrating components from the notorious Mozi botnet. This merger significantly enhances Androxgh0st’s ability to exploit vulnerabilities in both web applications and Internet of Things (IoT) devices. Researchers from CloudSEK’s XVigil platform discovered that Androxgh0st now utilizes Mozi’s payload delivery mechanisms, allowing it to infect IoT devices, such as routers and security cameras, without requiring separate infection routines. This integration allows for faster and broader propagation of malicious activities across a wide variety of devices.
The botnet’s expanded attack capabilities now target a diverse range of vulnerabilities, including those in Cisco ASA, Atlassian JIRA, and Metabase. In particular, Androxgh0st exploits cross-site scripting (XSS) flaws in Cisco ASA, path traversal vulnerabilities in Atlassian JIRA, and local file inclusion bugs in Metabase. These vulnerabilities, along with others in PHP frameworks and Apache Web Server, enable the botnet to run arbitrary code, gain backdoor access, or leak sensitive data from compromised systems. The ability to exploit such a wide array of weaknesses underscores the botnet’s growing sophistication.
In addition to targeting well-established vulnerabilities, Androxgh0st has adapted to exploit newly discovered flaws, such as CVE-2023-1389 and CVE-2024-36401. These vulnerabilities, found in devices like TP-Link routers and GeoServer, give attackers the ability to take control of vulnerable devices and propagate malware with minimal resistance. The botnet’s operational flexibility also extends to IoT devices, which are increasingly vulnerable to attack due to weak security configurations. Researchers have found that Androxgh0st is particularly effective at targeting misconfigured routers and devices, expanding its reach into home and enterprise networks.
The geographic scope of Androxgh0st’s attacks is equally concerning, with countries such as Germany, the U.S., and India seeing the highest levels of infection. These countries are among the top targets due to the large number of exposed devices. Organizations and individuals alike are urged to promptly patch vulnerabilities that Androxgh0st exploits, monitor network traffic for unusual activity, and regularly audit server and device logs. As Androxgh0st continues to expand its attacks, it remains crucial for global cybersecurity defenses to evolve in order to counter this increasingly complex and widespread threat.