{"id":265374,"date":"2026-06-05T10:04:00","date_gmt":"2026-06-05T14:04:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/new-gafgyt-variant-targets-linux-systems-with-modular-spread-tactics\/"},"modified":"2026-06-05T19:15:15","modified_gmt":"2026-06-05T23:15:15","slug":"new-gafgyt-variant-targets-linux-systems-with-modular-spread-tactics","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/new-gafgyt-variant-targets-linux-systems-with-modular-spread-tactics\/","title":{"rendered":"New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics"},"content":{"rendered":"<p><a href=\"https:\/\/gbhackers.com\/gafgyt-variant-targets-linux\/\">New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics<\/a><\/p>\n<p><a href=\"https:\/\/gbhackers.com\/gafgyt-variant-targets-linux\/\">https:\/\/gbhackers.com\/gafgyt-variant-targets-linux\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-05 10:04:00<\/a><\/p>\n<p>Source Domain: <a href=\"gbhackers.com\">gbhackers.com<\/a><\/p>\n<p class=\"wp-block-paragraph\">A new Gafgyt-family botnet, tracked as C0XMO, marks a notable technical shift in IoT malware design: the separation of scanning and propagation into distinct components and multi-architecture payloads that maximize reach across heterogeneous Linux devices. <\/p>\n<p class=\"wp-block-paragraph\">The operator delivered C0XMO by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP SSDP parser of vulnerable DD-WRT firmware, using crafted M-SEARCH UDP packets with oversized ST:uuid: values. 
<\/p>\n<p class=\"wp-block-paragraph\">Although the immediate target was a Japanese technology firm, telemetry points to an infection chain originating from an IP in Germany that staged the drop under \/tmp\/.cache and served binaries compiled for ARM, MIPS, PowerPC, SuperH, MC68000, Intel 80386, and AMD64.<\/p>\n<p class=\"wp-block-paragraph\">C0XMO retains classic Gafgyt capabilities (Telnet\/SSH weak-password brute forcing, diverse DDoS primitives, and competitor-killing behavior), but its architecture is what distinguishes it. <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.fortinet.com\/blog\/threat-research\/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo\/_jcr_content\/root\/responsivegrid\/table_content\/par\/image.img.png\/1780349185287\/f1.png\" alt=\"The exploitation of the CVE-2021-27137 vulnerability (Source: FortiGuard).\"\/>The exploitation of the CVE-2021-27137 vulnerability (Source: FortiGuard).<\/p>\n<p class=\"wp-block-paragraph\">The main bot binary focuses on persistence, process management, and C2 interaction, while an independent Python-based scanner handles discovery and lateral movement. <\/p>\n<p class=\"wp-block-paragraph\">This modularity allows the attacker to deploy lightweight, architecture-specific binaries on compromised hosts while running an extensible, higher-level scanner that can pull the right payload for each target CPU. 
<\/p>\n<p class=\"wp-block-paragraph\">The scanner is hosted at 217[.]160[.]125[.]125:15527 and requires Python packages such as requests, paramiko, and beautifulsoup4 to perform HTTP interactions and SSH\/Telnet operations.<\/p>\n<p class=\"wp-block-paragraph\">FortiGuard Labs said in a report shared with GBhackers that a new Gafgyt botnet variant, C0XMO, spreads by exploiting CVE-2021-27137.<\/p>\n<p class=\"wp-block-paragraph\">Persistence unfolds in a predictable four-stage sequence: self-copying to hidden locations (\/tmp\/.sys, \/var\/tmp\/.sys, \/dev\/shm\/.sys and optionally $HOME\/.sys), permission hardening, cron job creation to execute every 15 minutes, and profile-file modification (~\/.bashrc,&#8230;<\/p>\n<p><a href=\"https:\/\/gbhackers.com\/gafgyt-variant-targets-linux\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics https:\/\/gbhackers.com\/gafgyt-variant-targets-linux\/ Publish Date: 2026-06-05 
10:04:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":265376,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/06\/Untitled-design-2026-06-05T153507.950.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,71,32,27],"class_list":["post-265374","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-linux","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265374"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=265374"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265374\/revisions"}],"predecessor-version":[{"id":265377,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265374\/revisions\/265377"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/265376"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=265374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=265374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=265374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}