The Python-based cloud attack tool AndroxGh0st is well-known for specifically targeting Laravel applications. It has previously taken advantage of vulnerabilities in PHPUnit, the Laravel Framework, and the Apache web server. The targeting focus has been strategically expanded, according to CloudSEK's most recent analysis.
It is believed that an update to take down the botnet was disseminated by Chinese authorities or the botnet's creators. AndroxGh0st is not just collaborating with Mozi but embedding Mozi's specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations, the company said. The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241[.]140" and "117.215.206[.]216").
To take advantage of Mozi's ability to spread, AndroxGh0st has grown to infect more IoT devices. According to the company, "there is a significant rise in infections, with a notable focus on Chinese ecosystem-specific vulnerabilities." Citing the unusual string "PWN_IT" in the payload, it discovered evidence connecting the operations to the nation's Capture the Flag (CTF) communities. According to the Hongjing, China-based company, "AndroxGh0st has expanded to use Mozi to accomplish goals that otherwise would require separate infection routines." The company stated that although it has not pinpointed the exact source of the infections, it is thought to be connected to China's CTF communities. ShopXO, eYouMail, UFIDA NC BeanShell, OA e-cology, Leadsec VPN, and other vulnerabilities have been added to the AndroxGh0st botnet.