Http Gpon Diag Ping Wget Mozi Dropper Injection

HTTP POST body containing command injection via diag_action=ping with backtick execution and wget download of Mozi.m to /tmp, indicative of active exploitation of GPON router command injection vulnerabilities to deploy Mozi botnet malware.

Observed IPs

Avg Confidence

67%

Protocol

HTTP

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
139.135.59.81	100%	3,673	161	🇵🇰 PK	AS9541	2026-04-04
139.135.40.97	100%	1,265	140	🇵🇰 PK	AS9541	2026-03-24
139.135.41.38	100%	1,174	205	🇵🇰 PK	AS9541	2026-04-05
110.37.28.119	100%	724	49	🇵🇰 PK	AS38264	2026-03-21
103.18.14.174	100%	490	84	🇵🇰 PK	AS9541	2026-03-19
103.93.93.170	100%	293	293	🇮🇩 ID	AS141140	2026-04-09
223.123.41.66	100%	167	167	🇵🇰 PK	AS138423	2026-04-08
103.18.14.235	100%	141	141	🇵🇰 PK	AS9541	2026-04-08
103.99.196.18	100%	75	71	🇮🇳 IN	AS141275	2026-03-14
103.18.14.144	100%	75	75	🇵🇰 PK	AS9541	2026-04-05
59.103.106.89	100%	57	57	🇵🇰 PK	AS9541	2026-03-17
175.107.1.198	100%	57	55	🇵🇰 PK	AS23888	2026-02-24
103.18.14.249	100%	52	52	🇵🇰 PK	AS9541	2026-04-01
110.37.119.14	100%	51	51	🇵🇰 PK	AS38264	2026-04-06
223.123.73.18	100%	49	49	🇵🇰 PK	AS59257	2026-04-02
36.255.33.174	100%	32	32	🇵🇰 PK	AS9541	2026-04-07
42.59.227.202	100%	27	27	🇨🇳 CN	AS4837	2026-02-20
140.235.83.44	100%	27	27	🇵🇰 PK	AS9541	2026-03-29
123.14.249.26	100%	26	26	🇨🇳 CN	AS4837	2026-03-26
103.160.197.2	100%	26	26	🇮🇳 IN	AS135761	2026-03-06