C0XMO
C0XMO is a Gafgyt botnet variant discovered by FortiGuard Labs in March 2026. It spreads by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT firmware triggered via crafted SSDP M-SEARCH requests over UDP port 1900, and was observed compromising routers and other Linux-based devices. Fortinet reported an observed attack against a Japanese technology firm, with source IP activity traced to Germany. After compromise, the malware was downloaded into /tmp/.cache.
A notable characteristic of C0XMO is its modular design: unlike earlier Gafgyt variants, it separates lateral movement and scanning into a standalone Python script, improving propagation across heterogeneous devices and CPU architectures. Samples were reported for ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80386/80836, and AMD64 Linux architectures.
For persistence, C0XMO copies itself to hidden paths including /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys, and optionally $HOME/.sys, sets permissions to 755, creates cron jobs to execute every 15 minutes, appends execution commands to ~/.profile, ~/.bashrc, and ~/.bash_profile, and can re-execute itself if terminated. It also scans /proc for running processes, kills processes matching an internal blacklist, deletes matching executables, and removes competing botnets' persistence artifacts including cron jobs, rc.local entries, init.d services, system services, and shell profile scripts.
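A host triage check for the persistence artifacts listed above, added here as an example and not taken from the Fortinet report or from Mallory. It assumes the 15-minute cron job is written in standard crontab syntax (the write-up only gives the cadence), and the sample host data at the bottom is constructed.

```python
"""Triage collected Linux host data for the C0XMO persistence artifacts."""
import os
import re

# Drop locations and download path reported for C0XMO; $HOME/.sys is
# resolved by the caller because the report lists it as optional.
SUSPECT_PATHS = ["/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys", "/tmp/.cache"]
# Assumed crontab syntax for "every 15 minutes" pointing at a hidden .sys file.
CRON_15MIN = re.compile(r"^\s*(\*/15|0,15,30,45)(\s+\*){4}\s+.*\.sys\b.*$", re.M)
# Non-comment lines in ~/.profile, ~/.bashrc or ~/.bash_profile invoking a .sys file.
PROFILE_HOOK = re.compile(r"^(?!\s*#).*\.sys\b.*$", re.M)


def triage(existing_paths, crontab_text, profiles, home="/root"):
    """Return (category, detail) findings from already-collected host data.

    existing_paths: set of file paths present on the host
    crontab_text:   concatenated crontab contents (user and system)
    profiles:       mapping of shell profile path -> file contents
    """
    findings = []
    for path in SUSPECT_PATHS + [os.path.join(home, ".sys")]:
        if path in existing_paths:
            findings.append(("dropped_file", path))
    for match in CRON_15MIN.finditer(crontab_text):
        findings.append(("cron_15min", match.group(0).strip()))
    for path, text in profiles.items():
        for match in PROFILE_HOOK.finditer(text):
            findings.append(("profile_hook", f"{path}: {match.group(0).strip()}"))
    return findings


# Constructed sample input: a host showing all three artifact classes.
SAMPLE_PATHS = {"/tmp/.sys", "/dev/shm/.sys", "/etc/passwd"}
SAMPLE_CRON = "*/15 * * * * /tmp/.sys >/dev/null 2>&1\n0 3 * * * /usr/bin/backup\n"
SAMPLE_PROFILES = {"/root/.bashrc": "# .bashrc\nalias ll='ls -l'\n/tmp/.sys &\n"}

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_PATHS, SAMPLE_CRON, SAMPLE_PROFILES):
        print(f"[{category}] {detail}")
```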
After establishing persistence, C0XMO connects to a C2 server at 85[.]215[.]131[.]70 using a custom handshake containing the magic string 669787761736865726500, the shared secret FS2@SA__=A23cAxs3S3@23AF@A3454DFSA0D, a BOT identifier, and the final hexadecimal sequence FF FF FF FF 75. The malware supports ping, stop, scan, stopscan, and attack-related commands, responds with PONG as a heartbeat, and implements 19 DDoS attack methods including UDP floods, TCP floods, SYN floods, NTP amplification, Memcached amplification, ICMP floods, Ping of Death, and multiple HTTP flood variants.
Its standalone scanner is downloaded from 217[.]160[.]125[.]125:15527, which also distributes the main binary. The scanner installs requests, paramiko, and beautifulsoup4; performs random IP scanning across ports 23, 22, 80, 443, 8080, 5555, 5511, 5554, 4443, 81, 8000, 7547, 8081, 8443, and 8888; and uses blacklist.txt and failed.txt to avoid honeypots, research institutions, known bot nodes, and previously unsuccessful targets. Propagation methods include weak-credential brute forcing against Telnet and SSH, deployment of architecture-specific payloads, exploitation of multiple HTTP vulnerabilities including CVE-2021-27137, CVE-2015-2051, CVE-2022-35914, CVE-2025-34054, and CVE-2016-15047, as well as abuse of exposed Android Debug Bridge services to compromise Android-based devices.
Reported campaign infrastructure includes 217[.]160[.]125[.]125:15527, 176[.]100[.]37[.]91, and 85[.]215[.]131[.]70. Fortinet stated that FortiGuard Antivirus detects related samples as ELF/Gafgyt.SORA!tr, ELF/Gafgyt.C0MOX!tr, ELF/Mirai.EGX!tr, and Python/Gafgyt.C0MOX!tr.
Vulnerabilities exploited
5 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2021-27137 (DD-WRT UPnP stack buffer overflow): "FortiGuard Labs discovered a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137... The threat actor delivered the malware by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT router firmware versions."
CVE-2015-2051 (HNAP SOAP Injection): "The scanner also includes numerous HTTP-based exploits for initial access, including... HNAP SOAP Injection (CVE-2015-2051)."
CVE-2022-35914 (GLPI htmLawed RCE): "The scanner also includes numerous HTTP-based exploits for initial access, including... GLPI htmLawed RCE (CVE-2022-35914)."
CVE-2025-34054 and CVE-2016-15047 (AVTECH DVR Vulnerability): "The scanner also includes numerous HTTP-based exploits for initial access, including... AVTECH DVR Vulnerability (CVE-2025-34054, CVE-2016-15047)."
Each row carries the same second evidence snippet: "This past March, FortiGuard Labs discovered a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137."
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.
In addition, the scanner exploits unauthorized access vulnerabilities in the Android Debug Bridge (ADB) to compromise exposed Android-based devices.
The threat actor delivered the malware by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT router firmware versions.
Execution
3 techniques
Unlike traditional botnets, C0XMO isolates its scanning function into an independent Python script. The malware fetches this script from the same IP address and port... C0XMO then executes the scanner script with the following arguments. python3 /tmp/scanner.py --rand ...
The malware is delivered through a stack buffer overflow in vulnerable DD-WRT router firmware, triggered by malicious SSDP M-SEARCH requests sent to UDP port 1900.
Persistence
4 techniques
C0XMO appends execution commands to multiple shell profile files such as ~/.profile, ~/.bashrc, and ~/.bash_profile, using the hidden files created earlier.
The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.
Privilege Escalation
3 techniques
C0XMO appends execution commands to multiple shell profile files such as ~/.profile, ~/.bashrc, and ~/.bash_profile, using the hidden files created earlier.
Stealth
5 techniques
It then generates multiple hidden file paths, including /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys.
If it finds a match, C0XMO deletes the corresponding file from the system.
The scanner performs weak password brute-force attacks on Telnet and SSH services. After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.
The malware installs several required packages, including requests, paramiko, and beautifulsoup4. pip3 install requests paramiko beautifulsoup4 ... || python3 -m pip install requests paramiko beautifulsoup4
Defense Impairment
1 technique
C0XMO copies itself to these hidden locations and sets the file permissions to 755, enabling execution.
Credential Access
1 technique
C0XMO exhibits many traits typical of Gafgyt variants, including weak-credential brute-force attacks targeting Telnet and SSH.
Discovery
4 techniques
python3 /tmp/scanner.py --rand --rand-ports 23,22,80,443,8080,5555,5511,5554,4443,81,8000,7547,8081,8443,8888
The malware scans all active processes in /proc, comparing their names to an internal blacklist. If a process name matches an entry on the blacklist, C0XMO immediately terminates that process.
The malware scans all active processes in /proc, comparing their names to an internal blacklist.
Lateral Movement
3 techniques
These packages are primarily used for network communication, including sending HTTP requests, receiving responses, and performing SSH- and Telnet-based interactions.
Its main goal is to enable lateral movement.
After successful authentication, it identifies the target host’s architecture and downloads the appropriate payload.
Command and Control
3 techniques
After completing the local persistence setup, C0XMO establishes a connection to the C2 server at 85[.]215[.]131[.]70.
In the final stage of the handshake, the bot sends the hexadecimal sequence FF FF FF FF 75 as the final magic value to the C2 server.
The compromised host downloaded the malware to /tmp/.cache.
Impact
2 techniques
Other
1 technique
If a process name matches an entry on the blacklist, C0XMO immediately terminates that process... It not only deletes rival malware binaries but also tries to remove associated persistence mechanisms such as cron jobs, rc.local, init.d services, system services, and shell profile scripts.
IOCs tracked for this family
18 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A new Gafgyt botnet variant that propagates by exploiting CVE-2021-27137 in vulnerable DD-WRT router firmware via malicious SSDP M-SEARCH requests to UDP port 1900. It uses a separate Python script for lateral movement and includes samples compiled for multiple Linux architectures.
A Gafgyt botnet variant targeting Linux and IoT devices. It establishes persistence, kills competing malware and tools, connects to a C2 server using a custom handshake, supports multiple DDoS attack methods, and uses a separate Python scanner for lateral movement via Telnet, SSH, HTTP exploits, and exposed ADB.
A Gafgyt botnet variant targeting Linux-based and IoT devices. It establishes persistence, kills competing malware and tools, connects to a C2 server using a custom handshake, performs weak-credential brute force against Telnet and SSH, downloads a separate Python scanner for lateral movement, exploits multiple HTTP-exposed vulnerabilities and ADB exposure, and supports 19 DDoS attack methods.