New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics
https://gbhackers.com/gafgyt-variant-targets-linux/
Publish Date: 2026-06-05 10:04:00
Source Domain: gbhackers.com
A new Gafgyt-family botnet, tracked as C0XMO, marks a notable technical shift in IoT malware design: the separation of scanning and propagation into distinct components and multi-architecture payloads that maximize reach across heterogeneous Linux devices.
The operator delivered C0XMO by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP SSDP parser of vulnerable DD-WRT firmware, using crafted M-SEARCH UDP packets with oversized ST:uuid: values.
Although the immediate target was a Japanese technology firm, telemetry points to an infection chain originating from an IP in Germany that staged the drop under /tmp/.cache and served binaries compiled for ARM, MIPS, PowerPC, SuperH, MC68000, Intel 80386, and AMD64.
C0XMO retains classic Gafgyt capabilities (Telnet/SSH weak-password brute forcing, diverse DDoS primitives, and competitor-killing behavior), but its architecture is what distinguishes it.
Figure: The exploitation of the CVE-2021-27137 vulnerability (Source: FortiGuard).
The main bot binary focuses on persistence, process management, and C2 interaction, while an independent Python-based scanner handles discovery and lateral movement.
This modularity allows the attacker to deploy lightweight, architecture-specific binaries on compromised hosts while running an extensible, higher-level scanner that can pull the right payload for each target CPU.
The scanner is hosted at 217[.]160[.]125[.]125:15527 and requires Python packages such as requests, paramiko, and beautifulsoup4 to perform HTTP interactions and SSH/Telnet operations.
In a report shared with GBhackers, FortiGuard Labs described a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137.
Persistence unfolds in a predictable four-stage sequence: self-copying to hidden locations (/tmp/.sys, /var/tmp/.sys, /dev/shm/.sys and optionally $HOME/.sys), permission hardening, cron job creation to execute every 15 minutes, and profile-file modification (~/.bashrc,…
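A host-side hunt for the persistence artifacts described above, written as an added example and not code from the article or from FortiGuard; the five-field `*/15 * * * *` schedule and the ~/.profile path are assumptions, since the page names only the 15-minute interval and ~/.bashrc, and the crontab it checks is a constructed sample.

```python
import os
import re

# Hidden drop locations named in the report; $HOME/.sys is optional per the article.
HIDDEN_PATHS = ["/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys",
                os.path.join(os.path.expanduser("~"), ".sys")]
# Shell profiles to inspect: ~/.bashrc is from the article, ~/.profile is an assumption.
PROFILE_FILES = [os.path.expanduser("~/.bashrc"), os.path.expanduser("~/.profile")]
# Matches a reference to a hidden ".sys" file or directory, e.g. /tmp/.sys or /dev/shm/.sys/bot.
HIDDEN_SYS_RE = re.compile(r"/\.sys\b")
# Five-field cron schedule firing every 15 minutes (assumed form of the reported job).
EVERY_15_RE = re.compile(r"^\*/15(\s+\*){4}\s")

def present_hidden_paths(paths=HIDDEN_PATHS, exists=os.path.exists):
    """Return the known drop paths that currently exist (exists() is injectable for tests)."""
    return [p for p in paths if exists(p)]

def active_lines(text):
    """Yield non-empty, non-comment lines of a crontab or shell profile."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped

def suspicious_cron_lines(crontab_text):
    """Flag cron entries that run every 15 minutes and execute something under a hidden .sys path."""
    return [l for l in active_lines(crontab_text)
            if EVERY_15_RE.match(l) and HIDDEN_SYS_RE.search(l)]

def profile_references_hidden_sys(profile_text):
    """True if a shell profile has an active (non-comment) line invoking a hidden .sys path."""
    return any(HIDDEN_SYS_RE.search(l) for l in active_lines(profile_text))

# Constructed sample crontab (not captured from a real infection) for a local dry run.
SAMPLE_CRONTAB = """# constructed sample
0 3 * * * /usr/bin/backup.sh
*/15 * * * * /tmp/.sys/bot >/dev/null 2>&1
"""

if __name__ == "__main__":
    print("hidden drop paths present:", present_hidden_paths())
    print("sample cron hits:", suspicious_cron_lines(SAMPLE_CRONTAB))
    for profile in PROFILE_FILES:
        if os.path.isfile(profile):
            with open(profile, errors="replace") as fh:
                print(profile, "references hidden .sys:", profile_references_hidden_sys(fh.read()))
```

To check real cron state, feed the output of `crontab -l` and the contents of /etc/cron.d files to `suspicious_cron_lines` instead of the constructed sample.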