In August 2023 [5] [6], the Mozi botnet [1] [3] [4] [5] [6] [7] [8], a notorious IoT botnet that had compromised hundreds of thousands of IoT devices by exploiting known vulnerabilities [4], saw its malicious activity drop sharply and abruptly [5]. The suddenness of the shutdown has led to speculation that the botnet was deliberately switched off by its own creators, possibly at the request of Chinese authorities [1].


ESET researchers identified the cause on September 27 [1] [6]: a kill switch, delivered to the bots as an update, that disabled some system services [1], replaced the original Mozi file on disk with itself [1], and executed router/device configuration commands [1]. The kill switch arrived in a user datagram protocol (UDP) message and performed several functions [8], including replacing the original Mozi malware and blocking access to various ports. Analysis showed that the kill switch had been compiled from the same base source code as the original Mozi [2], and that it closely resembled the binaries the botnet had recently been distributing [6]. Although it stripped out most of the malware's functionality [6] [8], it retained the original's persistence mechanism, so it kept its foothold on the device rather than removing itself [8]. Together, the code similarity and the orderly way the shutdown unfolded, with bots in India going dark before those in China [6], point to a deliberate takedown by someone with access to the original source code rather than to a rival's attack or an accident [6]. Whether Chinese authorities were involved remains unclear [1], but state actors have shut down botnets before [1]: the Emotet botnet [1], for example, was dismantled by law enforcement in early 2021 and only resurfaced later that year [1].


The takedown of the Mozi botnet is a significant milestone in the ongoing battle against IoT threats [3]. It underlines the importance of proactive measures to identify and neutralise botnets that prey on vulnerable IoT devices [3]. It is also a reminder that the risks to IoT users have not gone away: the kill switch removed Mozi's malicious functions, but it did not patch the vulnerabilities or change the weak credentials that let the malware in, so the same devices remain exposed to whichever botnet comes next, and sustained effort is needed to stay ahead of malicious actors [3]. Moving forward, further investigation into the Mozi shutdown should yield valuable insight into how IoT botnets are created, operated [2] [6], and dismantled [6].