Http Gpon Diag Ping Wget Mozi Dropper Injection

HTTP POST body containing command injection via diag_action=ping with backtick execution and wget download of Mozi.m to /tmp, indicative of active exploitation of GPON router command injection vulnerabilities to deploy Mozi botnet malware.

Observed IPs

106

Avg Confidence

68%

Protocol

HTTP

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
139.135.59.81	100%	3,673	161	🇵🇰 PK	AS9541	2026-04-04
139.135.40.97	100%	1,265	140	🇵🇰 PK	AS9541	2026-03-24
139.135.41.38	100%	1,174	205	🇵🇰 PK	AS9541	2026-04-05
110.37.28.119	100%	724	49	🇵🇰 PK	AS38264	2026-03-21
103.18.14.174	100%	490	84	🇵🇰 PK	AS9541	2026-03-19
103.93.93.170	100%	328	328	🇮🇩 ID	AS141140	2026-04-15
223.123.41.66	100%	206	206	🇵🇰 PK	AS138423	2026-04-13
103.18.14.235	100%	141	141	🇵🇰 PK	AS9541	2026-04-08
60.23.238.156	100%	90	90	🇨🇳 CN	AS4837	2026-04-15
59.103.104.97	100%	82	82	🇵🇰 PK	AS9541	2026-04-15
103.99.196.18	100%	76	72	🇮🇳 IN	AS141275	2026-04-10
103.18.14.144	100%	75	75	🇵🇰 PK	AS9541	2026-04-05
223.123.73.18	100%	73	73	🇵🇰 PK	AS59257	2026-04-14
175.107.1.198	100%	57	55	🇵🇰 PK	AS23888	2026-02-24
59.103.106.89	100%	57	57	🇵🇰 PK	AS9541	2026-03-17
103.18.14.249	100%	53	53	🇵🇰 PK	AS9541	2026-04-13
110.37.119.14	100%	52	52	🇵🇰 PK	AS38264	2026-04-16
90.188.229.62	100%	37	37	🇷🇺 RU	AS12389	2026-04-13
36.255.33.174	100%	32	32	🇵🇰 PK	AS9541	2026-04-07
140.235.83.44	100%	27	27	🇵🇰 PK	AS9541	2026-03-29