TechRadar
Sead Fadilpašić

This infamous botnet has been killed off - but who pulled the trigger?

[Image: DDoS attack code concept art]

A major malware botnet known as Mozi suddenly terminated its operations at the end of September, and no one seems to know exactly why.

As reported by cybersecurity researchers at ESET, from August 8 until September 27 someone was sending messages to the bots (which are nothing but infected devices belonging to people and organizations around the world) instructing them to cease operations. The bots in India were the first to fall, followed by those in China, the country where Mozi originated, BleepingComputer reports.

In the message, the bots were instructed to terminate the Mozi process, disable some system services, replace the Mozi file, execute device configuration commands, block access to several ports, and establish a foothold for the new file.

Was it the police?

The identity of the people behind this operation remains a mystery. Law enforcement agencies around the world have done similar things in the past with other botnets, but the main difference here is that the malware persists on the bots in anticipation of a new payload.

So it could be the botnet's creators, or it could be Chinese law enforcement; we might never find out.

Mozi was first spotted in 2019, when it went after IoT endpoints such as routers, digital video recorders, and other devices with limited visibility. The majority of the compromised devices had weak or default passwords and, as such, were easy to compromise and assimilate into the botnet.

The network was used mostly to run distributed denial of service (DDoS) attacks, which are capable of blocking access to public-facing services.

The infamous Qakbot botnet was taken down by the FBI earlier this year in the same manner. In late August this year, the FBI said it had managed to redirect the botnet's traffic to servers under its control and used them to instruct the bots to uninstall the malware. Some 700,000 devices were freed from the clutches of the botnet almost instantly.

However, it seems the operators returned in October with a new phishing campaign aimed at delivering a Remote Access Trojan (RAT) to its victims.
