SecPod
Tracking Gafgyt C0XMO: How a New Malware Variant Spreads Across Platforms

Jun 11, 2026

A newly identified Gafgyt botnet variant, C0XMO, is actively targeting internet-exposed devices through a combination of vulnerability exploitation, weak-credential attacks, and automated lateral movement. Unlike traditional Gafgyt campaigns, C0XMO separates its propagation logic into a dedicated Python-based scanner, enabling it to compromise a wider range of architectures and device types while scaling infections more efficiently.

Discovered by FortiGuard Labs in March 2026, the malware was initially observed exploiting vulnerable DD-WRT routers before deploying multi-architecture payloads capable of infecting ARM, MIPS, PowerPC, SuperH, x86, and x64 systems. This modular design marks a significant evolution in Gafgyt's operational capability and propagation strategy.

Background

Gafgyt is a long-running IoT malware family primarily associated with botnet operations and distributed denial-of-service (DDoS) attacks. Since its emergence, numerous variants have targeted internet-facing devices through credential attacks and exploitation of embedded device vulnerabilities.

C0XMO represents a notable evolution of the malware family. Unlike conventional Gafgyt variants where scanning and exploitation functionality is tightly integrated into the bot, C0XMO introduces a dedicated Python propagation framework that independently scans, exploits, and deploys malware across multiple platforms. This separation allows operators to update propagation methods without modifying the primary bot payload while supporting infections across a broader range of hardware architectures.

Vulnerability Details

CVE ID           Vulnerability Type                             Affected Product     CVSS Score       EPSS
CVE-2021-27137   Stack Buffer Overflow                          DD-WRT Routers       9.8 (Critical)   not listed
CVE-2015-2051    Command Injection                              D-Link Routers       8.8 (High)       92.71%
CVE-2022-35914   Remote Code Execution                          GLPI                 9.8 (Critical)   94.39%
CVE-2016-15047   Authentication Bypass and Command Execution    AVTECH DVR           8.7 (High)       0.37%
CVE-2025-34054   Remote Command Execution                       AVTECH DVR Devices   10.0 (Critical)  2.30%

Attack Methodology

Phase 1: Initial Exploitation

Attackers exploit CVE-2021-27137, a stack buffer overflow in the SSDP (UPnP discovery) handler of vulnerable DD-WRT routers, by sending specially crafted SSDP M-SEARCH requests to UDP port 1900. The flaw is only reachable on routers whose UPnP service accepts SSDP traffic from the internet. Successful exploitation results in remote code execution and malware deployment.

Phase 2: Multi-Architecture Payload Delivery

The compromised device downloads a payload built for its CPU architecture. Samples observed include ARM, MIPS, PowerPC, SuperH, Intel x86, and AMD64 variants, so a single campaign can infect a diverse range of embedded systems.

Phase 3: Persistence Establishment

C0XMO copies itself into hidden directories named .sys under /tmp, /var/tmp, /dev/shm, and $HOME. It then creates cron jobs that execute every 15 minutes and appends launch commands to shell startup files such as .bashrc, .profile, and .bash_profile, so the bot is restarted after a reboot and whenever an interactive shell is opened. Note that /dev/shm is memory-backed and /tmp often is, so the copies under /var/tmp and $HOME, together with the cron entries, are the artifacts to look for after a restart.

Phase 4: Competitor Removal

The malware enumerates running processes and terminates known botnets, security tools, administrative utilities, and competing malware families. It also removes their persistence mechanisms, including cron jobs and startup scripts, so that it alone consumes the device's limited resources.

Phase 5: Command-and-Control Registration

Once persistence is in place, C0XMO connects to its command-and-control infrastructure and performs a custom multi-stage handshake. After registration, the infected host is an active botnet node that receives operational commands.

Phase 6: Scanner Deployment

Unlike traditional Gafgyt variants, C0XMO downloads a separate Python scanner from attacker-controlled infrastructure. The scanner installs the networking and automation libraries it depends on, including requests, paramiko, and beautifulsoup4 (consistent with the HTTP and SSH attack paths in the propagation flow), and then begins large-scale internet scanning. Package installation on an embedded device that normally never installs anything is itself a strong anomaly worth alerting on.
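The SSDP request format that Phase 1 abuses, with a heuristic detector over it, as an added example (this is not code from the FortiGuard report or from SecPod). The page does not say which field overflows, so the detector does not encode the exploit; it parses the HTTPU layout that M-SEARCH uses and flags datagrams with oversized or non-printable header values, missing mandatory headers, or an unexpected total size. The size limits, the mandatory-header list and the two sample datagrams are constructed assumptions:

```python
"""Heuristic detector for anomalous SSDP M-SEARCH datagrams on UDP/1900.

Added example for this page; not code from the FortiGuard write-up or SecPod.
CVE-2021-27137 is a stack buffer overflow in DD-WRT's SSDP handling; the exact
overflowing field is not stated on the page, so this detector does not match a
specific exploit. It parses the HTTPU request format that SSDP uses and flags
datagrams whose request line or header values exceed sizes that a legitimate
M-SEARCH never needs. The limits and mandatory headers below are assumptions.
"""
from dataclasses import dataclass, field

MAX_REQUEST_LINE = 64     # assumption: "M-SEARCH * HTTP/1.1" is 19 bytes
MAX_HEADER_VALUE = 256    # assumption: real M-SEARCH values are tens of bytes
MAX_DATAGRAM = 1024       # assumption: discovery requests are small
REQUIRED_HEADERS = ("HOST", "MAN", "ST")   # MX is optional for unicast searches


@dataclass
class SsdpVerdict:
    is_msearch: bool
    suspicious: bool
    reasons: list = field(default_factory=list)
    headers: dict = field(default_factory=dict)


def parse_httpu(datagram: bytes):
    """Split an HTTPU datagram into (request line, headers, parse problems).

    Malformed lines are recorded as reasons instead of raising, because a
    detector has to keep classifying hostile input.
    """
    reasons = []
    text = datagram.decode("latin-1")   # never fails; keeps byte values 1:1
    lines = text.split("\r\n")
    request_line = lines[0]
    headers = {}
    for raw in lines[1:]:
        if raw == "":
            break   # blank line ends the header block
        if ":" not in raw:
            reasons.append(f"malformed header line: {raw[:40]!r}")
            continue
        name, _, value = raw.partition(":")
        headers[name.strip().upper()] = value.strip()
    return request_line, headers, reasons


def inspect_msearch(datagram: bytes) -> SsdpVerdict:
    """Classify one datagram; only M-SEARCH requests are scored."""
    request_line, headers, reasons = parse_httpu(datagram)
    is_msearch = request_line.startswith("M-SEARCH")
    if not is_msearch:
        return SsdpVerdict(False, False, reasons, headers)
    if len(request_line) > MAX_REQUEST_LINE:
        reasons.append(f"oversized request line: {len(request_line)} bytes")
    if len(datagram) > MAX_DATAGRAM:
        reasons.append(f"datagram too large: {len(datagram)} bytes")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"oversized header value in {name}: {len(value)} bytes")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            reasons.append(f"non-printable bytes in header {name}")
    for required in REQUIRED_HEADERS:
        if required not in headers:
            reasons.append(f"missing required header {required}")
    return SsdpVerdict(True, bool(reasons), reasons, headers)


# Constructed sample datagrams for the example (not captured traffic).
BENIGN_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"\r\n"
)

OVERSIZED_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: " + b"A" * 600 + b"\r\n"   # overflow-style padding, not a real exploit
    b"\r\n"
)

if __name__ == "__main__":
    for sample in (BENIGN_MSEARCH, OVERSIZED_MSEARCH):
        verdict = inspect_msearch(sample)
        print(verdict.suspicious, verdict.reasons)
```

To use it on a live sensor, bind a UDP socket to port 1900 (or feed it payloads from a pcap) and call inspect_msearch() on each datagram; a router that only needs LAN-side discovery should not see internet-sourced M-SEARCH traffic at all, so source address is the first filter before these content checks.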

MITRE ATT&CK: Tactics and Techniques

Tactic ID   Tactic                Technique ID   Technique                                                          How C0XMO uses it
TA0001      Initial Access        T1190          Exploit Public-Facing Application                                  Exploitation of DD-WRT, AVTECH DVR, GLPI, D-Link, and other exposed services.
TA0002      Execution             T1059          Command and Scripting Interpreter                                  Python-based scanner and shell command execution used during propagation.
TA0003      Persistence           T1546.004      Event Triggered Execution: Unix Shell Configuration Modification   Shell profile modification ensures execution upon user login and shell startup.
TA0003      Persistence           T1053.003      Scheduled Task/Job: Cron                                           Cron jobs re-launch the bot every 15 minutes.
TA0005      Defense Evasion       T1562.001      Impair Defenses: Disable or Modify Tools                           Competing malware and security-related processes are terminated.
TA0006      Credential Access     T1110          Brute Force                                                        Weak-credential attacks against Telnet and SSH during propagation.
TA0007      Discovery             T1082          System Information Discovery                                       Architecture detection determines the correct payload.
TA0011      Command and Control   T1071          Application Layer Protocol                                         Custom command-and-control communications used for bot management.
TA0040      Impact                T1498          Network Denial of Service                                          Supports nineteen DDoS attack methods.

Indicators of Compromise

C2 Infrastructure – 85[.]215[.]131[.]70

Malware Distribution Server – 217[.]160[.]125[.]125:15527

Associated Host – 176[.]100[.]37[.]91
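A small matcher that refangs the three indicators above and looks for flows to them in connection logs, added here as an example rather than code from the FortiGuard report or SecPod. The log lines are constructed for the example and follow a trimmed Zeek conn.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto); that field layout and the port numbers in the sample are assumptions of the example. The distribution server is matched on host and port, the other two on host alone:

```python
"""Match outbound connections against the C0XMO indicators listed above.

Added example, not from the FortiGuard report or SecPod. It refangs the
defanged IOC strings from this page and scans constructed Zeek-style conn.log
lines for flows to those hosts. The log lines are made up for the example;
the column order is a trimmed version of Zeek's conn.log (an assumption).
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators exactly as printed on the page (defanged).
DEFANGED_IOCS = {
    "C2 infrastructure": "85[.]215[.]131[.]70",
    "Malware distribution server": "217[.]160[.]125[.]125:15527",
    "Associated host": "176[.]100[.]37[.]91",
}


def refang(ioc: str):
    """Turn '1[.]2[.]3[.]4:15527' into ('1.2.3.4', 15527); port is None if absent."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    host, _, port = ioc.partition(":")
    return host, (int(port) if port else None)


@dataclass(frozen=True)
class Flow:
    ts: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str


def parse_conn_line(line: str) -> Optional[Flow]:
    """Parse one trimmed conn.log line; header (#) and blank lines yield None."""
    if line.startswith("#") or not line.strip():
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 7:
        return None
    return Flow(f[0], f[2], int(f[3]), f[4], int(f[5]), f[6])


def match_iocs(lines: Iterable[str], iocs=DEFANGED_IOCS):
    """Return (flow, label) for every flow whose responder matches an IOC.

    A port in the IOC (the distribution server) must match; an IOC without
    a port (the C2 and the associated host) matches on address alone.
    """
    table = {refang(value): label for label, value in iocs.items()}
    hits = []
    for line in lines:
        flow = parse_conn_line(line)
        if flow is None:
            continue
        for (host, port), label in table.items():
            if flow.resp_h == host and (port is None or flow.resp_p == port):
                hits.append((flow, label))
    return hits


# Constructed sample log (not real traffic); the ports are arbitrary.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1781000001.1\tCx1\t192.168.1.20\t51000\t93.184.216.34\t443\ttcp
1781000002.2\tCx2\t192.168.1.20\t51001\t217.160.125.125\t15527\ttcp
1781000003.3\tCx3\t192.168.1.21\t51002\t85.215.131.70\t8080\ttcp
1781000004.4\tCx4\t192.168.1.21\t51003\t217.160.125.125\t80\ttcp
"""

if __name__ == "__main__":
    for flow, label in match_iocs(SAMPLE_CONN_LOG.splitlines()):
        print(f"{flow.ts} {flow.orig_h} -> {flow.resp_h}:{flow.resp_p} [{label}]")
```

In production, feed it the live conn.log (or any flow source mapped onto the Flow fields) and treat a hit from an embedded device as a confirmed infection rather than a lead, since none of these addresses has a legitimate reason to be contacted by a router or DVR.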

Visual Attack Flow

Vulnerable DD-WRT Router Exposed to Internet → CVE-2021-27137 Exploited via SSDP M-SEARCH Request → Architecture-Specific C0XMO Binary Downloaded → Hidden Files Created in System Directories → Cron Jobs and Shell Startup Scripts Modified → Competing Malware Removed → Connection Established to C2 Infrastructure → Python Scanner Downloaded → Random Internet Scanning Initiated → Telnet, SSH, HTTP and ADB Exploitation Attempts Executed → Target Architecture Identified → Matching Binary Deployed → New Device Added to Botnet → DDoS Capability Activated → Continuous Cross-Platform Propagation

Mitigation

1. Patch DD-WRT devices and all other internet-facing embedded systems, prioritising the five CVEs listed above.

2. Disable unnecessary services, in particular UPnP/SSDP on WAN interfaces, Telnet, and any ADB listener reachable from the internet.

3. Replace default and weak credentials with strong, unique passwords.

4. Monitor outbound connections to the indicators listed above and to unknown IP addresses, and alert when an internal device starts scanning or brute-forcing Telnet, SSH, HTTP, or ADB on other hosts.

5. Audit cron jobs, shell startup files (.bashrc, .profile, .bash_profile), and the hidden .sys directories under /tmp, /var/tmp, /dev/shm, and home directories for persistence.

6. Segment IoT and embedded devices from critical enterprise infrastructure.
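An audit script for the persistence artifacts described in Phase 3, which also covers mitigation 5 above, added as an example (not code from FortiGuard or SecPod). It looks for hidden .sys directories under the listed paths, cron jobs that fire every 15 minutes, and startup-file lines that launch something from those directories; demo_audit() builds a throwaway layout in a temporary directory so the script runs offline. The regexes, the 15-minute heuristic and the sample crontab are assumptions derived from the page's description, not detection signatures from the report:

```python
"""Audit a Linux host for the C0XMO persistence artifacts described above.

Added example for this page, not code from FortiGuard or SecPod. It checks the
three mechanisms the write-up names: hidden .sys directories under the listed
paths, cron entries that run every 15 minutes, and shell startup files that
launch something from those hidden directories. The regexes and the 15-minute
heuristic are assumptions drawn from the description, not report signatures.
"""
import os
import re
import tempfile
from pathlib import Path

# Directories named on the page; $HOME is resolved at run time.
HIDDEN_DIR_ROOTS = ["/tmp", "/var/tmp", "/dev/shm", os.path.expanduser("~")]
HIDDEN_DIR_NAME = ".sys"
STARTUP_FILES = [".bashrc", ".profile", ".bash_profile"]

# A crontab schedule that fires every 15 minutes: "*/15 * * * *" or "0,15,30,45 * * * *".
CRON_EVERY_15 = re.compile(r"^\s*(\*/15|0,15,30,45)\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")
# Any reference to a hidden .sys directory, e.g. /tmp/.sys/x, $HOME/.sys/x, ~/.sys/x.
SYS_PATH = re.compile(r"(?:/|\$HOME/|~/)\.sys(?:/|\b)")


def find_hidden_sys_dirs(roots=HIDDEN_DIR_ROOTS):
    """Return {path: [executable names]} for every <root>/.sys that exists."""
    found = {}
    for root in roots:
        p = Path(root) / HIDDEN_DIR_NAME
        if p.is_dir():
            found[str(p)] = sorted(
                f.name for f in p.iterdir()
                if f.is_file() and f.stat().st_mode & 0o111)   # any execute bit set
    return found


def suspicious_cron_lines(crontab_text):
    """Flag 15-minute jobs and any job that runs from a hidden .sys directory."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        m = CRON_EVERY_15.match(line)
        if m and SYS_PATH.search(m.group("cmd")):
            hits.append(("15min+hidden", line))
        elif SYS_PATH.search(line):
            hits.append(("hidden", line))
        elif m:
            hits.append(("15min", line))
    return hits


def suspicious_startup_lines(text):
    """Flag non-comment startup-file lines that reference a hidden .sys directory."""
    return [ln for ln in text.splitlines()
            if SYS_PATH.search(ln) and not ln.strip().startswith("#")]


def audit_home(home):
    """Check the shell startup files in one home directory."""
    report = {}
    for name in STARTUP_FILES:
        f = Path(home) / name
        if f.is_file():
            lines = suspicious_startup_lines(f.read_text(errors="replace"))
            if lines:
                report[str(f)] = lines
    return report


def demo_audit():
    """Build a throwaway 'infected' layout in a temp dir and audit it.

    Constructed for the example; a real run points at HIDDEN_DIR_ROOTS, the
    output of `crontab -l` / files under /etc/cron.d, and each user's home.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / HIDDEN_DIR_NAME
        sysdir.mkdir()
        bot = sysdir / "c0xmo"          # hypothetical file name for the example
        bot.write_bytes(b"\x7fELF")
        bot.chmod(0o755)
        (Path(tmp) / ".bashrc").write_text(
            "alias ll='ls -l'\n"
            f"{sysdir}/c0xmo >/dev/null 2>&1 &\n")
        crontab = (
            "# m h dom mon dow command\n"
            f"*/15 * * * * {sysdir}/c0xmo\n"
            "0 3 * * * /usr/bin/certbot renew\n")
        return {
            "hidden_dirs": find_hidden_sys_dirs([tmp]),
            "cron": suspicious_cron_lines(crontab),
            "startup": audit_home(tmp),
        }


if __name__ == "__main__":
    for section, result in demo_audit().items():
        print(section, result)
```

The 15-minute schedule alone is a weak signal (legitimate jobs use it too), which is why the cron check reports the combination of schedule and hidden path separately from either on its own; on a real device, also check /etc/cron.d and the per-user spool rather than only the current user's crontab.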

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated solution that instantly fixes risks exploited in the wild. It supports major operating systems, including Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.