{"id":265356,"date":"2026-06-05T15:56:00","date_gmt":"2026-06-05T19:56:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/new-gafgyt-variant-targets-multiple-linux-architectures-with-modular-propagation\/"},"modified":"2026-06-05T18:50:07","modified_gmt":"2026-06-05T22:50:07","slug":"new-gafgyt-variant-targets-multiple-linux-architectures-with-modular-propagation","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/new-gafgyt-variant-targets-multiple-linux-architectures-with-modular-propagation\/","title":{"rendered":"New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/new-gafgyt-variant-targets-multiple-linux-architectures\/\">New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/new-gafgyt-variant-targets-multiple-linux-architectures\/\">https:\/\/cybersecuritynews.com\/new-gafgyt-variant-targets-multiple-linux-architectures\/<\/a><\/p>\n<p>Publish Date: 2026-06-05 15:56:00<\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p class=\"wp-block-paragraph\">A newly discovered variant of the Gafgyt botnet malware, named C0XMO, has been quietly spreading across Linux-based devices by targeting a known vulnerability in DD-WRT router firmware. <\/p>\n<p class=\"wp-block-paragraph\">The malware exploits a stack buffer overflow flaw in the UPnP service of affected routers, letting attackers gain full access without any credentials. Once inside, it works to recruit the compromised device into a rapidly growing botnet.<\/p>\n<p class=\"wp-block-paragraph\">What sets C0XMO apart from earlier Gafgyt versions is its modular design and ability to target multiple Linux processor architectures at once. 
<\/p>\n<p class=\"wp-block-paragraph\">Attackers built the malware to compile and deliver architecture-specific payloads, giving it a broader reach than most IoT-targeting threats seen before. It also includes Python-based scanning scripts that help it move laterally across networks and locate new targets automatically.<\/p>\n<p class=\"wp-block-paragraph\">Analysts from Fortinet\u2019s FortiGuard Labs identified and analyzed the C0XMO variant, with a\u00a0report shared with Cyber Security News (CSN). <\/p>\n<p class=\"wp-block-paragraph\">According to FortiGuard Labs, the malware was first discovered in March and has since been observed actively exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of certain DD-WRT router firmware. <\/p>\n<p class=\"wp-block-paragraph\">The flaw is triggered when an oversized ST:uuid value is sent in a crafted M-SEARCH request over UDP port 1900.<\/p>\n<p class=\"wp-block-paragraph\">The broader impact of C0XMO is still being assessed, but the threat is significant given how widely DD-WRT firmware is deployed across home offices and small businesses worldwide. <\/p>\n<p class=\"wp-block-paragraph\">Attackers are not only targeting routers \u2014 the malware also attempts to exploit exposed Android Debug Bridge connections to take over Android devices. This cross-platform approach signals growing sophistication among IoT botnet operators.<\/p>\n<p class=\"wp-block-paragraph\">Beyond its primary attack path, C0XMO can launch distributed denial-of-service attacks once a device is recruited. 
<\/p>\n<p class=\"wp-block-paragraph\">It also leverages CVEs targeting D-Link devices, GLPI project software, and Avtech DVR&#8230;<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/new-gafgyt-variant-targets-multiple-linux-architectures\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation https:\/\/cybersecuritynews.com\/new-gafgyt-variant-targets-multiple-linux-architectures\/ Publish Date: 2026-06-05 15:56:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":265357,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/06\/New-Gafgyt-Variant-Targets-Multiple-Linux-Architectures-With-Modular-Propagation.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,89,71,32,57,27],"class_list":["post-265356","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-flaw","tag-linux","tag-malware","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265356"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=265356"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265356\/revisions"}],"predecessor-version":[{"id":265358,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265356\/revisions\/265358"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.c
om\/index.php\/wp-json\/wp\/v2\/media\/265357"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=265356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=265356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=265356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}