Researchers at CloudSEK’s Threat Research team identified major developments in the Androxgh0st toolkit, expanding its arsenal of vulnerabilities, and noticed a potential operational integration with the Mozi botnet. First observed in early 2024, Androxgh0st integrates Mozi’s attack patterns, targeting systems such as Cisco ASA, Atlassian JIRA, and PHP frameworks through tactics like remote code execution and credential theft. It is recommended to search your environment for indicators of compromise.
Androxgh0st exploits several known vulnerabilities, such as CVE-2017-9841 in PHPUnit, CVE-2018-15133 in Laravel, and CVE-2021-41773 in Apache servers. By exploiting these flaws, Androxgh0st gains initial access, then uploads malicious files, reads sensitive information, and establishes persistent backdoor access on the targeted systems. It operates similarly to the Mozi botnet, which exploits unpatched IoT vulnerabilities to keep a large population of infected devices, particularly routers from manufacturers like Netgear and TP-Link.
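As an added illustration (not CloudSEK's code and not part of the original report), the scanner below runs over web-server access-log lines and flags request paths matching the two page-named CVEs whose exploitation attempts are visible in a standard combined log; the `.env` probe signature and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Request-path signatures for the page-named CVEs that show up in a standard
# combined access log:
#   CVE-2017-9841  PHPUnit's eval-stdin.php left reachable under vendor/
#   CVE-2021-41773 Apache 2.4.49 path traversal using encoded ".." segments
# CVE-2018-15133 (Laravel) travels in a request header that the default log
# format does not record, so it cannot be matched from these lines.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "CVE-2017-9841": re.compile(r"/phpunit/.*?/eval-stdin\.php", re.I),
    "CVE-2021-41773": re.compile(r"/cgi-bin/(?:\.%2e|%2e\.|%2e%2e)/", re.I),
    # Assumed for this example (not stated on the page): probes for exposed .env files
    "env-probe": re.compile(r"(?:^|/)\.env(?:$|\?)", re.I),
}

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (signature, client_ip, method, path) for each line hitting a signature.
    Lines that do not parse are skipped: scanners routinely send malformed requests."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        for name, sig in SIGNATURES.items():
            if sig.search(path):
                hits.append((name, m.group("ip"), m.group("method"), path))
    return hits


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:08:12:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:08:12:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:08:15:44 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '198.51.100.2 - - [10/Mar/2024:08:16:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Matches are keyed by the client address so repeated probes from one source can be correlated with the C2 POST traffic the report describes.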
The botnet's infrastructure analysis reveals that Androxgh0st uses command-and-control (C2) servers to manage infected devices. The C2 servers receive communication from infected devices via POST requests, allowing operators to execute malicious commands remotely. This C2 communication also indicates similarities in tactics, techniques, and procedures (TTPs) between Androxgh0st and Mozi, suggesting possible coordination or integration.