Http Gpon Diag Ping Wget Mozi Dropper Injection

HTTP POST body containing command injection via diag_action=ping with backtick execution and wget download of Mozi.m to /tmp, indicative of active exploitation of GPON router command injection vulnerabilities to deploy Mozi botnet malware.

Observed IPs

Avg Confidence

65%

Protocol

HTTP

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
103.93.93.182	100%	89,384	3,913	🇮🇩 ID	AS141140	2026-03-02
223.123.43.5	100%	22,905	1,051	🇵🇰 PK	AS138423	2026-03-02
223.123.38.35	100%	21,545	971	🇵🇰 PK	AS138423	2026-03-02
223.123.38.39	100%	12,645	1,243	🇵🇰 PK	AS138423	2026-03-02
175.107.2.233	91%	1,061	24	🇵🇰 PK	AS23888	2026-02-04
103.18.14.174	100%	394	34	🇵🇰 PK	AS9541	2026-03-01
103.18.14.235	100%	61	61	🇵🇰 PK	AS9541	2026-03-02
175.107.1.198	100%	57	55	🇵🇰 PK	AS23888	2026-02-24
42.59.227.202	100%	27	27	🇨🇳 CN	AS4837	2026-02-20
42.232.88.247	100%	26	26	🇨🇳 CN	AS4837	2026-03-01
182.127.58.16	100%	24	24	🇨🇳 CN	AS4837	2026-02-28
223.123.73.54	100%	16	16	🇵🇰 PK	AS59257	2026-02-18
103.99.196.18	54%	10	6	🇮🇳 IN	AS141275	2026-02-20
45.230.66.117	64%	7	4	🇦🇷 AR	AS266702	2026-02-14
45.230.66.121	53%	7	4	🇦🇷 AR	AS266702	2026-02-12
45.230.66.126	51%	6	2	🇦🇷 AR	AS266702	2026-02-10
45.230.66.113	48%	6	5	🇦🇷 AR	AS266702	2026-02-28
45.230.66.107	50%	4	2	🇦🇷 AR	AS266702	2026-02-15
36.255.18.254	60%	3	1	🇮🇳 IN	AS24186	2026-02-08
103.48.64.20	60%	3	1	🇮🇳 IN	AS45235	2026-02-09