"MoZombie: A Case Study of the Self-Sustaining Mozi Botnet Architecture"
Murtuza Mohammed, Georgios Smaragdakis, and Harm Griffioen.
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2026.

Abstract:
Mozi is one of the most prominent examples of an IoT peer-to-peer (P2P) botnet, having infected hundreds of thousands of devices. In late 2023, an update was pushed that aimed to dismantle infected devices, leading to what was widely described as a complete takedown. Yet, more than two years later, Mozi remains unexpectedly active: devices continue to communicate over Mozi's P2P protocol, propagate malware, and participate in scanning activity despite the absence of its maintainers. This persistence poses fundamental questions about the long-term behavior of decentralized botnets, the resilience of abandoned malware ecosystems, and the security posture of the global IoT landscape. In this paper, we present the first longitudinal analysis of Mozi's post-takedown ecosystem. We quantify the current size and distribution of active Mozi nodes, compare the visibility each method provides, and identify shared characteristics across our data sources. We further analyze samples still being spread by active nodes to determine whether the malware continues to evolve. Finally, we investigate the current structure of Mozi's P2P topology, geographic distribution, and the vulnerabilities still exploited for propagation.

bibtex: [bibtex.html]