New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics

https://gbhackers.com/gafgyt-variant-targets-linux/

Publish Date: 2026-06-05 10:04:00

Source Domain: gbhackers.com

A new Gafgyt-family botnet, tracked as C0XMO, marks a notable technical shift in IoT malware design: the separation of scanning and propagation into distinct components and multi-architecture payloads that maximize reach across heterogeneous Linux devices.

The operator delivered C0XMO by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP SSDP parser of vulnerable DD-WRT firmware, using crafted M-SEARCH UDP packets with oversized ST:uuid: values.

Although the immediate target was a Japanese technology firm, telemetry points to an infection chain originating from an IP in Germany that staged the drop under /tmp/.cache and served binaries compiled for ARM, MIPS, PowerPC, SuperH, MC68000, Intel 80386, and AMD64.

C0XMO retains the classic Gafgyt capabilities (Telnet/SSH weak-password brute forcing, diverse DDoS primitives, and competitor-killing behavior), but its architecture is what distinguishes it.


The exploitation of the CVE-2021-27137 vulnerability (Source: FortiGuard).

The main bot binary focuses on persistence, process management, and C2 interaction, while an independent Python-based scanner handles discovery and lateral movement.

This modularity allows the attacker to deploy lightweight, architecture-specific binaries on compromised hosts while running an extensible, higher-level scanner that can pull the right payload for each target CPU.

The scanner is hosted at 217[.]160[.]125[.]125:15527 and requires Python packages such as requests, paramiko, and beautifulsoup4 to perform HTTP interactions and SSH/Telnet operations.

FortiGuard Labs, in a report shared with GBhackers, described the new Gafgyt botnet variant C0XMO, which spreads by exploiting CVE-2021-27137.

Persistence unfolds in a predictable four-stage sequence: self-copying to hidden locations (/tmp/.sys, /var/tmp/.sys, /dev/shm/.sys and optionally $HOME/.sys), permission hardening, cron job creation to execute every 15 minutes, and profile-file modification (~/.bashrc,…
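As an added, defender-side example (not code from the article or from FortiGuard), the following Python script hunts for the persistence artifacts listed above: the hidden .sys copies, a cron entry that runs them, and a shell-profile hook. The exact lines the bot writes are not given on the page, so the matchers key only on the .sys drop paths and the every-15-minutes schedule; the crontab and profile paths read by audit_host() are assumptions.

```python
import glob
import os
import re
import subprocess

# Hidden copy locations named in the report ($HOME/.sys is optional per the article).
DROP_PATHS = ["/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys", os.path.expanduser("~/.sys")]
# Profile file named in the report (the article's list is truncated after ~/.bashrc).
PROFILE_FILES = [os.path.expanduser("~/.bashrc")]
# Any reference to a .sys drop directory under the listed parents (or $HOME / ~).
SYS_PATH_RE = re.compile(r"(?:/tmp|/var/tmp|/dev/shm|~|\$HOME|/home/[^/\s]+)/\.sys\b")
# Cron schedule "every 15 minutes", as the report describes.
EVERY_15_RE = re.compile(r"^\s*\*/15(\s+\*){4}\s")


def find_drop_copies(exists=os.path.exists):
    """Return the hidden drop locations from the report that exist on this host."""
    return [p for p in DROP_PATHS if exists(p)]


def suspicious_cron_lines(crontab_text):
    """Return (line, every_15_min) for cron lines that run something under a .sys drop path."""
    hits = []
    for line in crontab_text.splitlines():
        if SYS_PATH_RE.search(line) and not line.lstrip().startswith("#"):
            hits.append((line.strip(), bool(EVERY_15_RE.match(line))))
    return hits


def suspicious_profile_lines(profile_text):
    """Return non-comment shell-profile lines that invoke something under a .sys drop path."""
    return [ln.strip() for ln in profile_text.splitlines()
            if not ln.lstrip().startswith("#") and SYS_PATH_RE.search(ln)]


def _read(path):
    """Read a text file, returning '' if it is missing or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit_host():
    """Run the three checks on the live host; returns a findings dict (empty values = clean)."""
    try:
        user_cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except OSError:  # crontab binary absent
        user_cron = ""
    cron_text = user_cron + "".join(_read(p) for p in ["/etc/crontab", *glob.glob("/etc/cron.d/*")])
    return {"drop_copies": find_drop_copies(),
            "cron": suspicious_cron_lines(cron_text),
            "profile": [ln for p in PROFILE_FILES for ln in suspicious_profile_lines(_read(p))]}


if __name__ == "__main__":
    for key, value in audit_host().items():
        print(f"{key}: {value or 'clean'}")
```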
