Gafgyt

Gafgyt, also widely referred to as Bashlite, is a Linux/IoT botnet malware family used to compromise internet-exposed embedded devices and other Linux-based systems for distributed denial-of-service activity and related botnet operations. The content describes it as part of the long-running IoT botnet ecosystem also referred to in reporting as Bashlite, Lizkebab, Torlus, Qbot, Remaiten, and related names, though Gafgyt/Bashlite is the most directly supported family name here. It commonly spreads through weak-credential brute forcing of Telnet and SSH and through exploitation of known vulnerabilities in routers, DVRs, cameras, and enterprise-facing appliances. Reported Gafgyt activity in the content includes exploitation of CVE-2021-27137 in vulnerable DD-WRT firmware, CVE-2023-1389 in TP-Link Archer AX21 routers, CVE-2018-9866 in older SonicWall GMS versions, and abuse of VMware Workspace ONE Access/Identity Manager CVE-2022-22954 to deploy Gafgyt payloads. One analyzed Bashlite infection on CCTV cameras was described as an ARM Linux variant also known as Lightaidra or GayFgt.

A detailed 2026 example in the content is the Gafgyt variant C0XMO. FortiGuard Labs reported that C0XMO exploited CVE-2021-27137, a stack buffer overflow in DD-WRT UPnP triggered via crafted SSDP M-SEARCH requests to UDP/1900, and targeted a Japanese technology firm. After compromise, the malware was downloaded into /tmp/.cache and samples were observed for multiple Linux architectures including ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80386, and AMD64. C0XMO established persistence by copying itself to hidden paths such as /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys, and optionally $HOME/.sys, setting mode 755, creating cron jobs every 15 minutes, appending execution commands to ~/.profile, ~/.bashrc, and ~/.bash_profile, and re-executing itself if terminated. It also killed competing malware and removed rival persistence artifacts including cron jobs, rc.local entries, init.d services, system services, and shell profile modifications.

The same C0XMO reporting states that the bot connected to C2 85[.]215[.]131[.]70 using a custom handshake containing the magic string 669787761736865726500, shared secret FS2@SA__=A23cAxs3S3@23AF@A3454DFSA0D, a BOT identifier, and trailing bytes FF FF FF FF 75. It supported heartbeat and command handling including ping, stop, scan, stopscan, and attack commands, replying with PONG to ping. The malware supported 19 DDoS methods including UDP floods, TCP floods, SYN floods, NTP amplification, Memcached amplification, ICMP floods, Ping of Death, and multiple HTTP flood variants. Its standalone Python scanner was downloaded from 217[.]160[.]125[.]125:15527, installed requests, paramiko, and beautifulsoup4, scanned ports including 23, 22, 80, 443, 8080, 5555, 5511, 5554, 4443, 81, 8000, 7547, 8081, 8443, and 8888, used blacklist.txt and failed.txt to avoid honeypots and prior failures, brute-forced Telnet and SSH, exploited multiple HTTP vulnerabilities, and abused exposed Android Debug Bridge services to compromise Android-based devices.

Other Gafgyt capabilities directly mentioned in the content include maintaining persistent C2 connections, downloading and executing Linux binaries, scanner commands for HUAWEI, GPON, D-LINK, and SONICWALL targets, BIN_UPDATE functionality to fetch updates from HTTP servers, and a BN command for Blacknurse DDoS attacks. Reporting also notes Gafgyt variants in broader botnet exploitation waves against TP-Link routers and VMware appliances, and use in DDoS campaigns observed during Russia-Ukraine conflict-related activity. The content also references Gafgyt-derived or Gafgyt-related operations such as Enemybot and Zyre/zyreBot-based AncientNET, but those are described as variants or code-sharing descendants rather than the core family itself.

High-confidence indicators and artifacts explicitly mentioned in the content include C0XMO-related infrastructure 85[.]215[.]131[.]70, 217[.]160[.]125[.]125:15527, and 176[.]100[.]37[.]91; malware paths /tmp/.cache, /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys; Fortinet detections ELF/Gafgyt.SORA!tr, ELF/Gafgyt.C0MOX!tr, and Python/Gafgyt.C0MOX!tr; and reported C0XMO hashes including 444a9d34a9f59dc7975dfabefb47d789813a4497bbac9127c4806dd816e85211, 9394666007fac4014a4641fdae150c1b969ed2bc4299876318a336fd386abf59, 450ea44da0c9d96a2e8f4d6bad34f1c35cd35743295b8cd2defa9f7a9884685d, d452f22dacab9785539484245c13e9cce58df23fc82eeef205684fcd196da20b, 20042f1efb59c99e3addf822a3e9e5a496f0b701362df038a50a32a9f504a136, 7413cbb6eab4d6b10346f71be5dd76d7cf2f4817f7776367b162f83755aefa1f, b6f835ced11059d341222eba11fff3a4672f4de47a3a4d791fad86059a2b06d4, b61a5508847a2167b737d31193dc393e92c5be2aa5141bbe4b7ea6f440fd4799, dff0edae6e8854ddd3e617054ee0bd74c696c91411f704dff60aabaec839bec9, and ea44138b9701fce1b2fe13de8f9e00681c007c9adc625edc9f507f177704c2e8.