CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 05, 2026

New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation

Cybersecurity News Archived Jun 05, 2026 ✓ Full text saved

A newly discovered variant of the Gafgyt botnet malware, named C0XMO, has been quietly spreading across Linux-based devices by targeting a known vulnerability in DD-WRT router firmware. The malware exploits a stack buffer overflow flaw in the UPnP service of affected routers, letting attackers gain full access without any credentials. Once inside, it works to […] The post New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation By Tushar Subhra Dutta June 5, 2026 A newly discovered variant of the Gafgyt botnet malware, named C0XMO, has been quietly spreading across Linux-based devices by targeting a known vulnerability in DD-WRT router firmware. The malware exploits a stack buffer overflow flaw in the UPnP service of affected routers, letting attackers gain full access without any credentials. Once inside, it works to actively recruit the compromised device into a rapidly growing botnet network. What sets C0XMO apart from earlier Gafgyt versions is its modular design and ability to target multiple Linux processor architectures at once. Attackers built the malware to compile and deliver architecture-specific payloads, giving it a broader reach than most IoT-targeting threats seen before. It also includes Python-based scanning scripts that help it move laterally across networks and locate new targets automatically. Analysts from Fortinet’s FortiGuard Labs identified and analyzed the C0XMO variant, with a report shared with Cyber Security News (CSN). According to FortiGuard Labs, the malware was first discovered in March and has since been observed actively exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of certain DD-WRT router firmware. The flaw is triggered when an oversized ST:uuid value is sent in a crafted M-SEARCH request over UDP port 1900. The broader impact of C0XMO is still being assessed, but the threat is significant given how widely DD-WRT firmware is deployed across home offices and small businesses worldwide. Attackers are not only targeting routers — the malware also attempts to exploit exposed Android Debug Bridge connections to take over Android devices. This cross-platform approach signals growing sophistication among IoT botnet operators. Beyond its primary attack path, C0XMO can launch distributed denial-of-service attacks once a device is recruited. It also leverages CVEs targeting D-Link devices, GLPI project software, and Avtech DVR cameras, widening the attack surface considerably. Security teams managing mixed device environments should treat this threat as active and ongoing. New Gafgyt Variant Targets Multiple Linux Architectures One of the most technically notable aspects of C0XMO is how it separates lateral movement into a standalone Python script. This design lets the botnet scan and probe networks independently of the main malware body, making it more flexible and harder to detect. The script identifies reachable hosts and determines the target’s architecture before delivering the appropriate payload. The malware targets a range of Linux architectures including ARM, MIPS, and x86, covering routers, IoT sensors, and embedded devices broadly. Sequence diagram of the C0XMO custom handshake (Source – Fortinet) For each type, it downloads and executes the correct compiled binary, letting the botnet grow across different hardware in a single campaign. This modular, multi-architecture design was previously more common among advanced threat actors, and its presence in an IoT botnet marks a clear escalation. Fortinet researchers also observed the malware connecting to a command-and-control server after infection, waiting for DDoS commands and expansion orders. The scanning modules run continuously in the background, identifying new devices and forwarding details to operators. Brute-force authentication attempts against reachable services were also noted as part of its traversal routine. Exploitation of Known CVEs and Defensive Recommendations C0XMO’s success depends on known, unpatched vulnerabilities that have had available fixes for some time. CVE-2021-27137 in DD-WRT, CVE-2015-2051 in D-Link devices, CVE-2022-35914 in GLPI project software, and multiple Avtech DVR camera flaws are all part of its exploit toolkit. The persistence of these flaws reflects how slowly patching tends to happen across the IoT space. Users running affected devices should prioritize firmware updates right away. Executing the scanner script (Source – Fortinet) Disabling UPnP on DD-WRT routers where it is not needed eliminates the primary entry point C0XMO relies on. Blocking external access to UDP port 1900 with firewall rules can also reduce exposure considerably. Monitoring network traffic is equally important for catching infections early. Unusual outbound connections, unexpected UDP traffic spikes on port 1900, and brute-force login attempts are all signs of possible compromise. Security teams should focus attention on older and unmanaged IoT devices, which often remain unpatched and make ideal targets for campaigns like this one. Indicators of Compromise (IoCs):- Type Indicator Description CVE CVE-2021-27137 DD-WRT UPnP stack buffer overflow via crafted M-SEARCH request over UDP port 1900 CVE CVE-2015-2051 D-Link devices HNAP SOAPAction-Header command execution vulnerability CVE CVE-2022-35914 GLPI-Project GLPI htmLawedTest.php code injection vulnerability CVE CVE-2016-15047 Avtech DVR Camera authentication bypass and command execution exploit CVE CVE-2025-34054 Avtech DVR Camera authentication bypass and command execution exploit IP Address 216.131.80.130 C2 server used by C0XMO botnet for command and control communication IP Address 216.131.80.150 C2 server used by C0XMO botnet for command and control communication IP Address 216.131.80.119 C2 server used by C0XMO botnet for command and control communication IP Address 216.131.80.119.199.99 Associated C2 infrastructure observed during campaign Network Indicator UDP port 1900 Port targeted via crafted M-SEARCH UPnP requests for initial exploitation Protocol/Service Android Debug Bridge (ADB) Exploited to compromise exposed Android devices as part of cross-platform propagation File Type ELF binary (multi-arch) Compiled payloads targeting ARM, MIPS, and x86 Linux architectures Script Python lateral movement script Standalone Python script used for network scanning and multi-architecture propagation Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication Hackers Attacking Signal Users to Steal Backups in New Wave of Attacks Let’s Encrypt Unveils Merkle Tree Certificates to Secure the Web Against Quantum Threats Latest News Cyber Security News New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets Cyber Security News Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users Cyber Security News Agentic AI Red Teaming Reveals Zero-Click Human-in-the-Loop Bypass Attack Chains Cyber Security News Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances Cyber Security News VECT 2.0 Ransomware Can Damage Files Its Own Decryptor Cannot Reliably Restore
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 05, 2026
    Archived
    Jun 05, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗