The security of the IoT has become a hot research area in cyberspace security, among which the malware is a major threat. Based on the ATT&CK model, this paper studies the composition and behavior of IoT malware, constructs a malicious behavior model of IoT malware, and analyzes the technical implementation of each tactic in the malicious behavior model of IoT malware from three aspects: operating system related, target environment related and specific tools related. Based on this, we finally propose the evolution direction of IoT malware, which will be conducive to a more comprehensive grasp of the characteristics of IoT malware, and be supportive for maintaining the security of IoT.