Observed exploitation chain targeting /GponForm/diag_Form diagnostic endpoint, abusing diag_action=ping for command injection to download Mozi.m malware via wget, accompanied by images/ query artifact. Indicative of automated GPON router exploitation for Mozi botnet deployment.

HTTP GET request to /boaform/admin/formLogin with username and psd parameters, indicating an authentication attempt against a Boa-based router or embedded device administrative login endpoint.