New Gafgyt Variant Targets Multiple Linux Architectures
A newly identified variant of the Gafgyt botnet malware, dubbed C0XMO, has been quietly spreading. It targets Linux-based devices by exploiting a known vulnerability in DD-WRT router firmware.
The malware exploits a stack buffer overflow flaw in the UPnP service of affected routers, letting attackers gain full access without any credentials. Once inside, it works to actively recruit the compromised device into a rapidly growing botnet network.
What sets C0XMO apart from earlier Gafgyt versions is its modular design and ability to target multiple Linux processor architectures at once.
Attackers built the malware to compile and deliver architecture-specific payloads, giving it a broader reach than most IoT-targeting threats seen before. It also includes Python-based scanning scripts that help it move laterally across networks and locate new targets automatically.
Analysts from Fortinet’s FortiGuard Labs identified and analyzed the C0XMO variant, with a report shared with Cyber Security News (CSN).
According to FortiGuard Labs, the malware was first discovered in March and has since been observed actively exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of certain DD-WRT router firmware.
The flaw is triggered when an oversized ST:uuid value is sent in a crafted M-SEARCH request over UDP port 1900.
The broader impact of C0XMO is still being assessed, but the threat is significant given how widely DD-WRT firmware is deployed across home offices and small businesses worldwide.
Attackers are not only targeting routers — the malware also attempts to exploit exposed Android Debug Bridge connections to take over Android devices. This cross-platform approach signals growing sophistication among IoT botnet operators.
Beyond its primary attack path, C0XMO can launch distributed denial-of-service attacks once a device is recruited.
It also leverages CVEs targeting D-Link devices, GLPI project software, and Avtech DVR cameras, widening the attack surface considerably. Security teams managing mixed device environments should treat this threat as active and ongoing.
One of the most technically notable aspects of C0XMO is how it separates lateral movement into a standalone Python script.
This design lets the botnet scan and probe networks independently of the main malware body, making it more flexible and harder to detect. The script identifies reachable hosts and determines the target’s architecture before delivering the appropriate payload.
The malware targets a range of Linux architectures including ARM, MIPS, and x86, covering routers, IoT sensors, and embedded devices broadly.

For each type, it downloads and executes the correct compiled binary, letting the botnet grow across different hardware in a single campaign.
This modular, multi-architecture design was previously more common among advanced threat actors, and its presence in an IoT botnet marks a clear escalation.
Fortinet researchers also observed the malware connecting to a command-and-control server after infection, waiting for DDoS commands and expansion orders.
The scanning modules run continuously in the background, identifying new devices and forwarding details to operators. Brute-force authentication attempts against reachable services were also noted as part of its traversal routine.
Exploitation of Known CVEs and Defensive Recommendations
C0XMO’s success depends on known, unpatched vulnerabilities that have had available fixes for some time. CVE-2021-27137 in DD-WRT, CVE-2015-2051 in D-Link devices, CVE-2022-35914 in GLPI project software, and multiple Avtech DVR camera flaws are all part of its exploit toolkit.
The persistence of these flaws reflects how slowly patching tends to happen across the IoT space. Users running affected devices should prioritize firmware updates right away.

Disabling UPnP on DD-WRT routers where it is not needed eliminates the primary entry point C0XMO relies on. Blocking external access to UDP port 1900 with firewall rules can also reduce exposure considerably.
Monitoring network traffic is equally important for catching infections early. Unusual outbound connections, unexpected UDP traffic spikes on port 1900, and brute-force login attempts are all signs of possible compromise.
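The trigger described earlier (an oversized ST:uuid value in an M-SEARCH request to UDP 1900) and the monitoring advice above both lend themselves to a simple detector. The following is an added example, not code from the FortiGuard report or the Gafgyt authors: it parses SSDP datagrams, flags M-SEARCH requests whose ST header exceeds an assumed 64-byte limit, and flags sources sending an unusual volume of port-1900 traffic; the threshold values and the sample packets are constructed for illustration.

```python
from collections import Counter
from typing import Optional

# Assumed thresholds (not from the report). Legitimate ST values such as
# "ssdp:all", "upnp:rootdevice" or "uuid:<36-char UUID>" stay well under 64 bytes.
ST_MAX_LEN = 64
RATE_THRESHOLD = 50   # M-SEARCH datagrams per source before flagging a spike
SSDP_PORT = 1900


def parse_ssdp(datagram: bytes):
    """Split one SSDP datagram into (request line, {lower-cased header: value})."""
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # blank separator or malformed line
        name, value = line.split(":", 1)  # only the first colon separates name/value
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_msearch(src_ip: str, datagram: bytes) -> Optional[dict]:
    """Return an alert for an M-SEARCH whose ST header is oversized, else None."""
    request_line, headers = parse_ssdp(datagram)
    if not request_line.upper().startswith("M-SEARCH"):
        return None
    st_value = headers.get("st", "")
    if len(st_value) > ST_MAX_LEN:
        return {"src": src_ip, "st_len": len(st_value), "reason": "oversized ST header"}
    return None


def scan_capture(packets, rate_threshold: int = RATE_THRESHOLD):
    """Run over (src_ip, dst_port, payload) tuples from a capture.

    Returns (alerts for oversized ST headers, sources exceeding rate_threshold
    datagrams to UDP 1900), which together cover the two signs named above.
    """
    alerts, per_source = [], Counter()
    for src, dport, payload in packets:
        if dport != SSDP_PORT:
            continue
        per_source[src] += 1
        alert = inspect_msearch(src, payload)
        if alert:
            alerts.append(alert)
    noisy = [src for src, n in per_source.items() if n > rate_threshold]
    return alerts, noisy


# Constructed sample datagrams: a normal discovery and one with a 300-byte uuid.
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
          b"MX: 2\r\nST: uuid:3f9c9c2a-4f9e-4d1e-9a5b-1c2d3e4f5a6b\r\n\r\n")
SUSPECT = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
           b"MX: 2\r\nST: uuid:" + b"A" * 300 + b"\r\n\r\n")
```

Feed it tuples extracted from a pcap (for example via a capture library) and review the `noisy` list alongside the alerts, since a spike alone may be legitimate discovery traffic.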
Security teams should focus attention on older and unmanaged IoT devices, which often remain unpatched and make ideal targets for campaigns like this one.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| CVE | CVE-2021-27137 | DD-WRT UPnP stack buffer overflow via crafted M-SEARCH request over UDP port 1900 |
| CVE | CVE-2015-2051 | D-Link devices HNAP SOAPAction-Header command execution vulnerability |
| CVE | CVE-2022-35914 | GLPI-Project GLPI htmLawedTest.php code injection vulnerability |
| CVE | CVE-2016-15047 | Avtech DVR Camera authentication bypass and command execution exploit |
| CVE | CVE-2025-34054 | Avtech DVR Camera authentication bypass and command execution exploit |
| IP Address | 216.131.80.130 | C2 server used by C0XMO botnet for command and control communication |
| IP Address | 216.131.80.150 | C2 server used by C0XMO botnet for command and control communication |
| IP Address | 216.131.80.119 | C2 server used by C0XMO botnet for command and control communication |
| IP Address | 216.131.80.119.199.99 | Associated C2 infrastructure observed during campaign |
| Network Indicator | UDP port 1900 | Port targeted via crafted M-SEARCH UPnP requests for initial exploitation |
| Protocol/Service | Android Debug Bridge (ADB) | Exploited to compromise exposed Android devices as part of cross-platform propagation |
| File Type | ELF binary (multi-arch) | Compiled payloads targeting ARM, MIPS, and x86 Linux architectures |
| Script | Python lateral movement script | Standalone Python script used for network scanning and multi-architecture propagation |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.