ClickCease Mozi IoT Botnet: Kill Switch Halts Operations

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Mozi IoT Botnet: Kill Switch Halts Operations

Wajahat Raja

November 13, 2023 - TuxCare expert team

In a surprising turn of events, the Mozi botnet experienced a sudden and significant drop in malicious activities in August 2023. This unexpected decline was attributed to the deployment of a “kill switch” that was effectively distributed to the infected bots. In this article, we will delve into the intricacies of the Mozi IoT Botnet incident, shedding light on how a previously notorious Internet of Things (IoT) botnet was neutralized and the mysteries surrounding its takedown.

The Mozi IoT Botnet: A Menace Born from Malware Families


The Mozi botnet, a formidable IoT botnet, emerged from the genetic material of well-known malware families, including Gafgyt, Mirai, and IoT Reaper. Its inception dates back to 2019, and it is notorious for exploiting weak or default remote access passwords and unpatched security vulnerabilities to gain initial access to vulnerable devices.


The Arrest of Botnet Operators in September 2021


The Mozi botnet was no stranger to the spotlight. In September 2021, researchers from the cybersecurity firm Netlab disclosed that the operators behind the botnet had been apprehended by Chinese authorities. This development raised hopes for a significant reduction in Mozi’s impact, but the true game-changer was yet to come.

IoT Botnet Operations Halted


The most intriguing aspect of this narrative is the sudden drop in Mozi’s activity. In a matter of days, the botnet’s activity plummeted from around 13,300 hosts on August 7 to a mere 3,500 on August 10. What caused this rapid decline in the botnet’s operation?


Unraveling the Kill Switch

The key to this enigma lies in the deployment of the so-called
“kill switch.” This mysterious control payload was disseminated to the Mozi bots, effectively crippling their functionality while allowing them to maintain persistence. The kill switch exhibited remarkable capabilities, including terminating the malware’s processes, disabling
crucial system services such as SSHD and Dropbear, and ultimately replacing Mozi with itself.

Persistence in the Face of Disruption

Despite the drastic reduction in functionality, the Mozi bots managed to maintain their persistence. This resilience suggests a deliberate and calculated effort to take down the botnet, orchestrated by an unknown actor with an intricate understanding of its inner workings. Security researchers Ivan Bešina, Michal Škuta, and Miloš Čermák shed light on the
botnet disruption.

A Second Variant Emerges

The plot thickens with the emergence of a second variant of the control payload. This new variant brought about minor changes, including a feature that enabled it to ping a remote server, likely for statistical purposes. Even more fascinating is the strong overlap between the kill switch and the botnet’s original source code, as well as the fact that it was signed with the correct private key previously used by the original Mozi operators.

The Enigma of the Kill Switch Initiator

One of the most pressing questions in this tale is the identity of the individual or group behind the initiation of the kill switch. To date, there are no confirmed reports on who orchestrated the Mozi botnet’s takedown. Various hypotheses have surfaced, suggesting that either the original Mozi botnet creators themselves or Chinese law enforcement, with the possible cooperation of the creators, may have been responsible.

The Fall of a Notorious Botnet and Its Implications


The fall of the Mozi botnet provides us with valuable insights into the creation, operation, and termination of such malevolent entities in the wild. Two potential instigators for this takedown emerge, either the original Mozi botnet creators or Chinese law enforcement, possibly in collaboration or under duress from the original actors. Notably, the sequential targeting of India and China indicates a deliberate strategy, with one country being affected first and the other a week later.



The saga of the Mozi IoT botnet and its sudden decline, brought about by a mysterious kill switch, serves as a captivating glimpse into the ever-evolving world of cybersecurity. While the true identity of the kill switch impact remains shrouded in secrecy, the event underscores the cat-and-mouse game between malicious actors and those working tirelessly to protect the digital realm. It’s important to implement robust network security measures to stay protected.

The Mozi botnet’s fall reminds us of the relentless efforts to safeguard our interconnected world from cyber threats, leaving us with a sense of wonder and curiosity about the future of cybersecurity.

The sources for this piece include articles in The Hacker News and Cyber Security News


Mozi IoT Botnet: Kill Switch Halts Operations
Article Name
Mozi IoT Botnet: Kill Switch Halts Operations
Discover how the Mozi IoT Botnet was stopped in its tracks with a powerful kill switch. Stay informed on IoT security.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter