A newly discovered Gafgyt botnet variant, dubbed C0XMO, is actively targeting Linux-based IoT devices by exploiting known vulnerabilities in widely deployed router firmware.
Security researchers from Fortinet’s FortiGuard Labs have identified the malware exploiting CVE-2021-27137, a critical stack buffer overflow in the UPnP service of DD-WRT routers, to gain unauthorized access without requiring credentials.
With its modular design and ability to infect multiple architectures, the campaign marks a significant evolution in IoT-focused malware and highlights ongoing risks tied to unpatched devices.
Key Details
The C0XMO variant was first detected in March 2026 and has since demonstrated aggressive propagation across vulnerable networks.
Key attack characteristics include:
- Exploitation of UDP port 1900 (UPnP service)
- Targeting DD-WRT routers widely used in home and SMB environments
- Cross-platform infection, including Linux and Android systems
Additionally, the malware is not limited to a single vulnerability. It incorporates an expanded exploit toolkit targeting:
- CVE-2015-2051 (D-Link devices)
- CVE-2022-35914 (GLPI project software)
- Multiple Avtech DVR vulnerabilities
This multi-vector approach significantly broadens the range of devices the malware can reach and raises its infection potential.
Technical Analysis
Exploitation Mechanism
The primary infection vector leverages CVE-2021-27137, triggered by sending a crafted M-SEARCH request containing an oversized ST:uuid field to the UPnP service.
This results in a stack buffer overflow, enabling attackers to execute arbitrary code on targeted devices without authentication.
Modular Architecture and Multi-Platform Reach
Unlike earlier Gafgyt variants, C0XMO introduces a modular propagation model, separating key functions into independent components.
A critical feature is its ability to target multiple Linux architectures, including:
- ARM (common in routers and IoT devices)
- MIPS (embedded systems)
- x86 (servers and endpoints)
For each detected device, the malware delivers a custom ELF binary compiled specifically for that architecture.
Python-Based Lateral Movement
C0XMO includes a standalone Python scanning script that:
- Continuously scans networks for vulnerable hosts
- Identifies system architecture
- Launches targeted payload delivery
This separation of scanning and execution improves flexibility and persistence while making detection more difficult.
Command-and-Control Communication
Once installed, infected devices connect to command-and-control (C2) servers, including:
- 216.131.80.130
- 216.131.80.150
- 216.131.80.119
The botnet then:
- Waits for DDoS commands
- Shares discovered targets
- Initiates brute-force login attempts
Cross-Platform Expansion via ADB
The malware also exploits exposed Android Debug Bridge (ADB) services, enabling it to:
- Compromise Android devices
- Extend botnet capabilities beyond traditional IoT hardware
MITRE ATT&CK Mapping
Relevant techniques include:
- T1190 – Exploit Public-Facing Application
- T1046 – Network Service Scanning
- T1105 – Ingress Tool Transfer
- T1498 – Network Denial of Service (DDoS)
Impact and Risks
Widespread IoT Exposure
DD-WRT firmware is used globally across:
- Home routers
- Small business networks
- Embedded devices
Unpatched systems remain highly vulnerable, making this campaign particularly dangerous at scale.
Botnet Amplification and DDoS Threats
Once compromised, devices become part of a distributed botnet, capable of launching:
- Large-scale DDoS attacks
- Network scanning campaigns
- Credential-based attacks
Enterprise Risk from Unmanaged Devices
Organizations with poorly monitored or legacy IoT assets face increased risk of:
- Undetected infections
- Lateral movement within networks
- Infrastructure abuse
Expert Recommendations
1. Patch Vulnerabilities Immediately
- Update DD-WRT firmware to address CVE-2021-27137
- Patch all affected devices, including D-Link, GLPI, and Avtech systems
2. Disable UPnP Where Possible
- Turn off UPnP services if not required
- Reduce attack surface on routers
3. Restrict Network Exposure
- Block UDP port 1900 externally
- Secure or disable exposed ADB services
4. Monitor Network Behavior
- Watch for:
  - Unusual UDP traffic
  - Unexpected outbound connections
  - Brute-force login attempts
5. Segment IoT Devices
- Isolate IoT networks from critical systems
- Apply zero-trust network principles
6. Deploy Threat Detection Tools
- Use IDS/IPS and EDR solutions
- Enable behavioral monitoring for anomalous activity
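The exploitation mechanism described above (an M-SEARCH request with an oversized ST:uuid field sent to UDP port 1900) and recommendation 4 (watching for unusual UDP traffic and unexpected outbound connections) can be turned into a concrete detection check. The following is an added example, not code from the FortiGuard report; the flow-record layout, the sample records, and the 128-byte ST-header threshold are assumptions chosen for illustration.

```python
# Added example: flag the two behaviours the write-up describes in
# constructed flow records: oversized SSDP "ST:" headers sent to UDP/1900
# (the reported CVE-2021-27137 trigger) and outbound connections to the
# listed C2 addresses.
import re
from typing import Dict, List, Optional

# C2 addresses named in the report
C2_ADDRESSES = {"216.131.80.130", "216.131.80.150", "216.131.80.119"}

# Assumed threshold: a benign ST header is short ("ssdp:all", "uuid:<36 chars>").
ST_MAX_LEN = 128
ST_RE = re.compile(r"^ST:\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def check_ssdp_payload(payload: str) -> Optional[str]:
    """Return a reason if an SSDP datagram carries an oversized ST header."""
    if not payload.startswith("M-SEARCH"):
        return None
    m = ST_RE.search(payload)
    if m is None:
        return None
    st = m.group(1).strip()
    if len(st) > ST_MAX_LEN:
        return f"oversized ST header ({len(st)} bytes)"
    return None


def check_flow(flow: Dict) -> List[str]:
    """Evaluate one flow record; an empty list means nothing suspicious."""
    reasons = []
    if flow.get("proto") == "udp" and flow.get("dport") == 1900:
        r = check_ssdp_payload(flow.get("payload", ""))
        if r:
            reasons.append(r)
    if flow.get("dst") in C2_ADDRESSES:
        reasons.append(f"outbound connection to known C2 {flow['dst']}")
    return reasons


def scan(flows: List[Dict]):
    """Return (src, dst, reason) tuples for every alert raised over the records."""
    return [(f["src"], f["dst"], r) for f in flows for r in check_flow(f)]


# Constructed sample records (assumed layout): a normal discovery probe,
# an M-SEARCH with a padded ST field, and a router reaching a listed C2.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "192.0.2.1", "proto": "udp", "dport": 1900,
     "payload": "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                "ST: ssdp:all\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\n\r\n"},
    {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": "udp", "dport": 1900,
     "payload": "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                "ST: uuid:" + "A" * 300 + "\r\n\r\n"},
    {"src": "192.0.2.1", "dst": "216.131.80.150", "proto": "tcp", "dport": 23,
     "payload": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

In practice the records would come from a packet capture or flow exporter; the two checks are independent, so the C2 match still fires on devices that were infected through one of the other listed CVEs.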
Industry Context
The emergence of C0XMO reflects a broader shift toward more advanced IoT botnet malware.
Historically, Gafgyt and similar botnets targeted single platforms with relatively simple propagation. However, modern variants are incorporating:
- Multi-architecture payload delivery
- Modular design for scalability
- Cross-platform infection vectors
This trend aligns with a broader surge in IoT-based cyberattacks, as attackers capitalize on:
- Weak patch management
- Default configurations
- Limited visibility into device behavior
The inclusion of known, long-patched CVEs also underscores a persistent challenge: patching latency in IoT environments remains a critical vulnerability.
Conclusion
The C0XMO variant represents a significant step forward for Gafgyt malware, combining modular design, multi-platform targeting, and aggressive propagation techniques.
As IoT ecosystems continue to expand, so does the attack surface. Organizations must prioritize visibility, patching, and segmentation to defend against these evolving threats.
In the era of interconnected devices, every unpatched node is a potential entry point into a larger attack network.
FAQ
1. What is the C0XMO Gafgyt variant?
C0XMO is a new version of the Gafgyt botnet malware that targets Linux-based IoT devices using multiple vulnerabilities and modular propagation techniques.
2. Which vulnerability does it exploit?
The primary vulnerability is CVE-2021-27137, affecting the UPnP service in DD-WRT routers.
3. What devices are at risk?
Routers, IoT sensors, DVR cameras, and even Android devices with exposed ADB services are at risk.
4. What does the malware do after infection?
It adds devices to a botnet, enabling DDoS attacks, network scanning, and further propagation.
5. How can organizations defend against this threat?
By patching vulnerabilities, disabling UPnP, restricting network access, monitoring traffic, and segmenting IoT devices.