New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation
https://cybersecuritynews.com/new-gafgyt-variant-targets-multiple-linux-architectures/
Publish Date: 2026-06-05 15:56:00
Source Domain: cybersecuritynews.com
A newly discovered variant of the Gafgyt botnet malware, named C0XMO, has been quietly spreading across Linux-based devices by targeting a known vulnerability in DD-WRT router firmware.
The malware exploits a stack buffer overflow flaw in the UPnP service of affected routers, letting attackers gain full access without any credentials. Once inside, it works to actively recruit the compromised device into a rapidly growing botnet network.
What sets C0XMO apart from earlier Gafgyt versions is its modular design and ability to target multiple Linux processor architectures at once.
Attackers built the malware to compile and deliver architecture-specific payloads, giving it a broader reach than most IoT-targeting threats seen before. It also includes Python-based scanning scripts that help it move laterally across networks and locate new targets automatically.
Analysts from Fortinet’s FortiGuard Labs identified and analyzed the C0XMO variant, with a report shared with Cyber Security News (CSN).
According to FortiGuard Labs, the malware was first discovered in March and has since been observed actively exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of certain DD-WRT router firmware.
The flaw is triggered when an oversized ST:uuid value is sent in a crafted M-SEARCH request over UDP port 1900.
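As an added illustration of the detection side of what the article describes (this is not code from the Fortinet report or from the article), the following Python inspector parses SSDP M-SEARCH datagrams seen on UDP/1900 and flags ST: values of the oversized uuid: form. The 128-byte threshold and the sample datagrams are assumptions constructed for the example.

```python
# Added example, not from the article or the FortiGuard Labs report: a small
# inspector for SSDP M-SEARCH requests that flags oversized "ST: uuid:" values,
# the trigger the article attributes to CVE-2021-27137. The length threshold
# is an assumption chosen well above a legitimate "uuid:<36-char UUID>" value.
from typing import Optional

ST_MAX_LEN = 128  # assumed threshold; a legitimate uuid: ST is about 41 bytes


def parse_ssdp(datagram: bytes) -> Optional[dict]:
    """Parse an SSDP request (HTTP-style, CRLF-delimited) into a header dict.
    Returns None when the payload is not an M-SEARCH request."""
    text = datagram.decode("latin-1")  # every byte decodes; no exception path
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_msearch(datagram: bytes) -> str:
    """Classify a UDP/1900 datagram as 'ignore', 'benign' or 'suspicious'."""
    headers = parse_ssdp(datagram)
    if headers is None:
        return "ignore"
    st = headers.get("st", "")
    # Only uuid: search targets are relevant to the described flaw.
    if st.lower().startswith("uuid:") and len(st) > ST_MAX_LEN:
        return "suspicious"
    return "benign"


# Constructed sample datagrams (not captured traffic).
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
          b"ST: uuid:12345678-1234-1234-1234-123456789abc\r\n\r\n")
OVERSIZED = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b"MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
             b"ST: uuid:" + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, "->", inspect_msearch(pkt))
```

A real deployment would feed the function from a packet capture or an IDS hook and tune ST_MAX_LEN against observed legitimate discovery traffic.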
The broader impact of C0XMO is still being assessed, but the threat is significant given how widely DD-WRT firmware is deployed across home offices and small businesses worldwide.
Attackers are not only targeting routers — the malware also attempts to exploit exposed Android Debug Bridge connections to take over Android devices. This cross-platform approach signals growing sophistication among IoT botnet operators.
Beyond its primary attack path, C0XMO can launch distributed denial-of-service attacks once a device is recruited.
It also leverages CVEs targeting D-Link devices, GLPI project software, and Avtech DVR…