The C0XMO variant of the Gafgyt botnet exploits CVE-2021-27137 in DD-WRT firmware, utilizing a modular architecture with a standalone scanner and aggressive competitor-removal routines.
C0XMO: Gafgyt Variant Targets DD-WRT Routers with Modular Scanner and Competitor-Killing Routine

June 5, 2026 — A new variant of the Gafgyt botnet family, dubbed C0XMO, is expanding its footprint across Linux devices by weaponizing a DD-WRT firmware vulnerability known since 2021. According to a report cited by GBHackers and attributed to FortiGuard Labs, the operator delivers the payload via UDP M-SEARCH packets with oversized ST:uuid: values, exploiting the stack buffer overflow in the UPnP SSDP parser identified as CVE-2021-27137. A Japanese technology firm is the immediate documented target, with infection traffic originating from an IP address in Germany.

Key Takeaways
  • C0XMO is a Gafgyt variant that exploits CVE-2021-27137 in DD-WRT firmware to infiltrate Linux-based routers.
  • The architecture decouples the bot binary—compiled for seven CPU architectures—from an independent Python scanner hosted on an external server.
  • Persistence is established in four stages: auto-copying to hidden paths, permission modification, a 15-minute cron job, and profile file modification.
  • C0XMO implements competitor-removal routines: it enumerates /proc, terminates blacklisted processes, and deletes binaries from rival malware families.
  • The bot supports 19 DDoS methods and verifies its own PID and executable name to prevent self-deletion.

CVE-2021-27137: The Entry Vector for DD-WRT

CVE-2021-27137 is a stack buffer overflow in the UPnP SSDP parser of the DD-WRT firmware. Exploitation occurs via UDP M-SEARCH packets with oversized ST:uuid: values, which overwrite the memory of the vulnerable process. This vector enables remote code execution on exposed routers, typically those with the UPnP service active on WAN interfaces or accessible network segments.

The report cited by GBHackers documents a specific case: a Japanese technology firm was targeted, with infection traffic originating from an IP in Germany. This geographically distributed pattern is consistent with botnet operations utilizing C2 infrastructure positioned in jurisdictions separate from the final target.
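The traffic shape described in this section (an M-SEARCH request whose ST: header is far longer than any legitimate search target) is something a passive monitor on UDP/1900 can flag. The following is an added defensive example, not code from the cited report or from FortiGuard Labs: it parses an SSDP datagram, ignores anything that is not an M-SEARCH request, and reports an oversized ST value. The 128-byte threshold and the three sample datagrams are constructed assumptions, not values from the report.

```python
"""Flag SSDP M-SEARCH datagrams carrying an abnormally long ST: header.

Added defensive example (not from the cited report). A legitimate ST
value is a short search target such as "ssdp:all" or "uuid:" followed
by a 36-character UUID; a value hundreds of bytes long matches the
vector the article attributes to CVE-2021-27137 exploitation.
"""
from __future__ import annotations

MAX_ST_LEN = 128  # assumed threshold, not a value from the report


def parse_ssdp_headers(payload: bytes) -> tuple[str, dict[str, str]]:
    """Split an SSDP datagram into its request line and a header map.

    Header names are lower-cased. Malformed lines are skipped so that
    junk sent to UDP/1900 never crashes the monitor.
    """
    text = payload.decode("latin-1", errors="replace")
    lines = text.split("\r\n")
    request_line = lines[0] if lines else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def check_msearch(payload: bytes, max_st_len: int = MAX_ST_LEN) -> dict:
    """Return a verdict for one datagram.

    Only M-SEARCH requests are inspected; NOTIFY messages and responses
    pass as benign because the article ties the vector to M-SEARCH.
    """
    request_line, headers = parse_ssdp_headers(payload)
    if not request_line.upper().startswith("M-SEARCH"):
        return {"suspicious": False, "reason": "not an M-SEARCH request"}
    st = headers.get("st", "")
    if len(st) > max_st_len:
        return {"suspicious": True, "st_len": len(st),
                "reason": f"ST header is {len(st)} bytes (limit {max_st_len})"}
    return {"suspicious": False, "st_len": len(st),
            "reason": "ST header within limits"}


# Constructed sample datagrams (not captured traffic).
BENIGN_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\nMX: 2\r\n'
    b"ST: uuid:12345678-1234-1234-1234-123456789abc\r\n\r\n"
)
OVERSIZED_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\nMX: 2\r\n'
    b"ST: uuid:" + b"A" * 600 + b"\r\n\r\n"
)
NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n\r\n"
)

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_MSEARCH),
                      ("oversized", OVERSIZED_MSEARCH),
                      ("notify", NOTIFY)]:
        print(name, check_msearch(pkt))
```

In deployment the payload would come from a packet capture or a socket bound to the SSDP multicast group; the length check is deliberately simple so that it can run on the router's upstream sensor rather than on the router itself.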

Modular Architecture: Decoupled Bot Binary and Scanner

The analysis cited by GBHackers describes an architecture that deviates from the traditional monolithic model of IoT botnets. The bot binary, compiled for ARM, MIPS, PowerPC, SuperH, MC68000, Intel 80386, and AMD64, manages persistence, processes, and C2 communication. Discovery and lateral movement are delegated to a standalone Python scanner hosted at 217[.]160[.]125[.]125:15527, which requires the requests, paramiko, and beautifulsoup4 packages.

"The main bot binary focuses on persistence, process management, and C2 interaction, while an independent Python scanner handles discovery and lateral movement."

The scanner includes approximately 22 functions organized into workers, blacklists, Telnet, SSH, HTTP exploit, and ADB exploit modules. The HTTP vectors cover CVE-2021-27137 (UPnP SOAP injection on DD-WRT), CVE-2022-35914 (GLPI), and CVE-2025-34054 (AVTECH), alongside other mechanisms not specified in the report. The source does not clarify whether this architectural separation represents an innovation over previous Gafgyt variants.

Four-Stage Persistence and Device Control

Once executed, C0XMO runs a persistence sequence structured into four phases. The binary copies itself to hidden paths, modifies permissions to restrict external access to the copies, installs a cron job that fires every 15 minutes, and modifies shell profile files so that it is relaunched after a reboot.
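Two of the four stages leave artifacts that a host audit can look for: a cron schedule of every 15 minutes pointing at a hidden path, and a profile file that launches something from a hidden path in the background. The following is an added defensive example, not code from the cited report: it parses crontab text and profile text and returns the entries matching that pattern. The crontab and profile contents are constructed samples, and the list of profile file locations is an assumption about a typical Linux host.

```python
"""Hunt for the persistence artifacts the article attributes to C0XMO.

Added defensive example (not from the cited report): flags cron entries
that fire every 15 minutes or launch a binary from a hidden path, and
profile lines that background a binary from a hidden path.
"""
from __future__ import annotations
import re

# Typical profile files on a Linux host (assumed, not from the report).
PROFILE_FILES = ("~/.profile", "~/.bash_profile", "~/.bashrc", "/etc/profile")


def has_hidden_path(command: str) -> bool:
    """True if any token contains a dot-prefixed path component
    such as /tmp/.x/bot or ~/.cache/svc ("." and ".." excluded)."""
    for token in command.split():
        if "/" not in token:
            continue
        for part in token.split("/"):
            if part.startswith(".") and part not in (".", ".."):
                return True
    return False


def minute_field_every_15(minute: str) -> bool:
    """Recognise the two common spellings of 'every 15 minutes'."""
    if minute == "*/15":
        return True
    try:
        return sorted(int(v) for v in minute.split(",")) == [0, 15, 30, 45]
    except ValueError:
        return False


def find_cron_persistence(text: str, system_crontab: bool = False) -> list[dict]:
    """Return suspicious entries from crontab text.

    system_crontab=True handles the /etc/crontab and /etc/cron.d layout,
    which carries a user column between the schedule and the command.
    """
    hits = []
    ncols = 6 if system_crontab else 5
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # blank line, comment or environment assignment
        if line.startswith("@"):  # @reboot, @hourly, ... carry no minute field
            parts = line.split(None, ncols - 4)
            schedule, command, every15 = parts[0], parts[-1], False
        else:
            parts = line.split(None, ncols)
            if len(parts) <= ncols:
                continue  # too few columns to be a valid entry
            schedule, command = " ".join(parts[:5]), parts[ncols]
            every15 = (minute_field_every_15(parts[0])
                       and all(f == "*" for f in parts[1:5]))
        hidden = has_hidden_path(command)
        if every15 or hidden:
            hits.append({"schedule": schedule, "command": command,
                         "every_15_min": every15, "hidden_path": hidden})
    return hits


def find_profile_launchers(text: str) -> list[str]:
    """Return profile lines that background a command from a hidden path
    (trailing '&', or nohup/setsid). Ordinary dotfile sourcing such as
    '. ~/.bashrc' is deliberately not flagged."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        backgrounded = line.endswith("&") or re.search(r"\b(nohup|setsid)\b", line)
        if backgrounded and has_hidden_path(line):
            flagged.append(line)
    return flagged


# Constructed samples (not recovered from an infected device).
CRONTAB_SAMPLE = """\
# constructed per-user crontab
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/backup.sh
*/15 * * * * /tmp/.hidden/bot >/dev/null 2>&1
@reboot /usr/local/bin/agent
"""
PROFILE_SAMPLE = """\
# constructed ~/.profile
[ -f ~/.bashrc ] && . ~/.bashrc
export PATH="$HOME/bin:$PATH"
nohup /tmp/.hidden/bot >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    print(find_cron_persistence(CRONTAB_SAMPLE))
    print(find_profile_launchers(PROFILE_SAMPLE))
```

On a live host the crontab text comes from `crontab -l` per user plus the files under /etc/cron.d, and each entry in PROFILE_FILES is read for every home directory; a hit is a lead to inspect, not a conviction, since legitimate software occasionally installs from dot-directories.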

Communication with command-and-control servers occurs via a custom handshake using fixed magic strings and a shared secret; the bot identifies itself as "BOT." The identified C2s are 85[.]215[.]131[.]70 and 217[.]160[.]125[.]125, the latter also hosting the Python scanner.

The bot supports 19 DDoS methods, ranging from UDP/TCP floods and SYN attacks to NTP/memcached amplification, HTTPStorm, Valve Source Engine, and Discord voice floods. This variety of primitives indicates an arsenal designed to adapt to diverse network conditions and attack targets.

Competitor-Killing: The War for Compromised Device Resources

The most aggressive hallmark of C0XMO is its competitor-removal routine. The malware enumerates the /proc directory, compares process names against an internal blacklist, and immediately terminates any matches. It subsequently deletes binaries and persistence artifacts linked to other malware families. The bot verifies its own PID and executable name to avoid self-termination.

This behavior signals a mature criminal market where competition for the computational resources of compromised devices has become direct. The infected device is treated as territory to be monopolized rather than a simple resource to be shared. Whether the competitor-killing routine is an innovation unique to C0XMO or inherited from earlier Gafgyt variants is not documented in the brief.

Mitigation and Response

Network operators managing devices with DD-WRT firmware must verify the update status of their installed base, with particular attention to the UPnP SSDP service exposed over UDP. The source does not specify if CVE-2021-27137 has been patched across all vulnerable DD-WRT versions.

The presence of the scanner on 217[.]160[.]125[.]125:15527 and the use of Python packages such as requests, paramiko, and beautifulsoup4 are detectable elements for those with adequate network visibility. The brief does not document public indicators of compromise beyond the provided hashes, nor does it quantify the current size of the C0XMO botnet.
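The addresses named in the brief (the scanner host at 217.160.125.125:15527 and the two C2 hosts) are the elements an operator with flow visibility can match directly. The following is an added defensive example, not code from the cited report: it reads connection records and returns every flow to or from that infrastructure, tagging a hit on the scanner's port separately because the report gives no port for C2 traffic itself. The CSV column layout and the records in FLOW_SAMPLE are constructed; the addresses are written un-defanged because the matcher compares them against real logs.

```python
"""Match connection records against the C0XMO infrastructure named in
the article.

Added defensive example (not from the cited report). The report lists
the scanner at 217.160.125.125:15527 and C2 hosts 85.215.131.70 and
217.160.125.125; it gives no C2 port, so C2 matches are IP-only.
"""
from __future__ import annotations
import csv
import io

C0XMO_INFRA = {
    "85.215.131.70": "c2",
    "217.160.125.125": "c2",
}
SCANNER_ENDPOINT = ("217.160.125.125", 15527)


def classify_flow(row: dict) -> dict | None:
    """Return a finding for one flow record, or None if it is unrelated.

    Outbound hits name the internal source as the host to triage;
    inbound hits name the internal destination.
    """
    src, dst = row["src_ip"], row["dst_ip"]
    base = {"ts": row["ts"]}
    if (dst, int(row["dst_port"])) == SCANNER_ENDPOINT:
        return {**base, "host": src, "peer": dst,
                "direction": "outbound", "role": "scanner-host"}
    if dst in C0XMO_INFRA:
        return {**base, "host": src, "peer": dst,
                "direction": "outbound", "role": C0XMO_INFRA[dst]}
    if src in C0XMO_INFRA:
        return {**base, "host": dst, "peer": src,
                "direction": "inbound", "role": C0XMO_INFRA[src]}
    return None


def match_flows(csv_text: str) -> list[dict]:
    """Run classify_flow over a CSV of flow records and keep the hits."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        finding = classify_flow(row)
        if finding is not None:
            findings.append(finding)
    return findings


def hosts_to_triage(findings: list[dict]) -> set[str]:
    """Internal hosts that exchanged traffic with the infrastructure."""
    return {f["host"] for f in findings}


# Constructed flow records; benign peers use RFC 5737 documentation space.
FLOW_SAMPLE = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
2026-06-05T10:00:01Z,10.0.0.5,51234,203.0.113.10,443,tcp
2026-06-05T10:00:07Z,10.0.0.9,40112,217.160.125.125,15527,tcp
2026-06-05T10:00:09Z,10.0.0.9,40113,85.215.131.70,23,tcp
2026-06-05T10:01:00Z,85.215.131.70,1900,10.0.0.9,1900,udp
2026-06-05T10:02:30Z,10.0.0.12,40200,217.160.125.125,80,tcp
"""

if __name__ == "__main__":
    found = match_flows(FLOW_SAMPLE)
    for f in found:
        print(f)
    print("triage:", sorted(hosts_to_triage(found)))
```

The IP-only C2 match is intentional: the brief does not state which port the handshake with the fixed magic strings uses, so filtering on a guessed port would miss traffic. Pair this with the scanner's package footprint (requests, paramiko, beautifulsoup4) in host inventory to confirm which hit corresponds to a fetched or running scanner.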

The specific threat actor behind the operation has not been identified, and the attribution to FortiGuard Labs remains mediated by the report cited by GBHackers, without verifiable access to the original document. The source does not specify the nature of the data exposed on compromised devices, nor whether there are DD-WRT versions immune to the documented UPnP SSDP vector.

Analysis: An Evolving Ecosystem

The architectural model of C0XMO—separating the compiled core from a scripted scanner—lowers the cost of adapting to new vulnerabilities. The operator can expand the botnet's reach by updating the Python module without recompiling for seven different architectures. This flexibility, combined with the competitor-killing routine, indicates that IoT botnets are entering a phase of specialization and competition that requires more granular monitoring of the router-level attack surface.

The variety of supported architectures—seven in total—reflects an intent to maximize the footprint across heterogeneous embedded devices, from home routers to legacy industrial systems. C0XMO’s ability to eliminate rival malware and consolidate exclusive control over a device represents an escalation in the logic of competition between botnet operators, where persistence is no longer enough: supremacy is required.

Information is based on the report cited by GBHackers and is current as of the time of publication.

Sources and references
  1. cvefeed.io
  2. gbhackers.com
  3. nvd.nist.gov