KEY POINTS
- Rapid Vulnerability Exploitation: The Androxgh0st botnet has expanded its arsenal, exploiting 27 vulnerabilities across web servers, IoT devices, and various technologies, including Cisco ASA, Atlassian JIRA, and TP-Link routers.
- Integration with Mozi Botnet: The botnet incorporates Mozi payloads, targeting IoT devices and potentially sharing command-and-control infrastructure, signaling increased coordination and sophistication.
- Focus on Weak Security Practices: Androxgh0st employs brute-force attacks, credential stuffing, and exploitation of devices with default or weak passwords to gain administrative access and maintain persistence.
- Global and Chinese-Specific Targets: The botnet exploits vulnerabilities in both global systems and Chinese-specific technologies, with evidence pointing to links to Chinese CTF communities and Mandarin-based phishing tactics.
- Urgent Call for Patching: Researchers recommend immediate patching of all affected systems to mitigate risks, including remote code execution, data breaches, and ransomware attacks.
CloudSEK’s contextual AI digital risk platform Xvigil has uncovered a significant evolution in the Androxgh0st botnet, revealing its exploitation of over 20 vulnerabilities and operational integration with the Mozi botnet with expected rise of, at least, 75% more web-application vulnerabilities by mid- 2025.This indicates a significant increase in Androxgh0st’s initial attack vector arsenal from 11 in November 2024 to around 27 within a month.
For your information, CISA issued an advisory earlier this year regarding Androxgh0st’s expanding attack surface, including Cisco ASA, Atlassian JIRA, and PHP frameworks, allowing unauthorized access and remote code execution.
CloudSEK’s research highlights Androxgh0st’s expansion beyond its initial focus on web servers, now incorporating IoT-focused Mozi payloads. It is actively exploiting 27 vulnerabilities across various technologies.
These include exploiting a web script injection vulnerability (CVE-2014-2120) in Cisco ASA, leveraging a path traversal vulnerability (CVE-2021-26086) for remote file reading, exploiting a local file inclusion vulnerability (CVE-2021-41277) for arbitrary file downloads, and targeting vulnerabilities in PHPUnit, Laravel, PHP-CGI, TP-Link routers, Netgear devices, and GPON routers.
Numerous other vulnerabilities are exploited now, including those in Sophos Firewall, Oracle EBS, OptiLink ONT1GEW, Spring Cloud Gateway, and various Chinese-specific software. The Sophos Authentication bypass vulnerability leads to Remote Code Execution (RCE) in the firewall’s User Portal and Webadmin web interfaces, allowing an unauthenticated attacker to execute arbitrary code.
This vulnerability is also present in Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload, which can be exploited to gain remote code execution as an Oracle user. OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 also allows remote code execution (authenticated). Finally, PHP CGI argument injection issue (CVE-2024-4577) is another issue affecting PHP-CGI.
This exploitation enables unauthorized access and remote code execution, posing significant risks to global web servers and IoT networks. Moreover, the botnet’s growing sophistication is evident in its shared infrastructure, persistent backdoor tactics, and the incorporation of Mozi payloads, the report read.
The research indicates a significant operational overlap between Androxgh0st and the Mozi botnet, with Androxgh0st deploying Mozi payloads to infect IoT devices and potentially sharing command and control infrastructure, suggesting a high level of coordination or unified control structure.
Further probing revealed that Androxgh0st employs sophisticated tactics such as code injection and file appending to maintain persistent access to compromised systems. It targets WordPress installations using brute-force attacks and credential stuffing to gain administrative access, and frequently exploits devices with default, weak or easily guessable passwords.
Although definitive attribution is complex, the research suggests links to Chinese CTF communities due to targeting of Chinese-specific technologies and software. This includes the use of the “PWN_IT” string in injected payloads and command infrastructure, using Mandarin in phishing baits and source code, and potential connections to Chinese Kanxue-hosted CTF events. Successful exploitation can lead to data breaches, theft, system disruption, ransomware attacks, botnet amplification, and espionage and surveillance activities.
“CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access,” researchers noted.
