Mallory
Malware · Exploits 1 CVE

COXMO


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE

CVE-2021-27137 · Unauthenticated stack buffer overflow in DD-WRT UPnP SSDP parser · Exploited in the wild

For example, the campaign frequently exploits an established stack buffer overflow flaw found in common router firmware. This specific vulnerability is tracked globally as CVE-2021-27137. As detailed in the official FortiGuard Labs threat documentation: “The vulnerability occurs when the SSDP parser mishandles oversized ST:uuid: values in specially crafted M-SEARCH requests sent via UDP port 1900.”

Malware analysts discovered a novel COXMO botnet variant circulating actively within the threat landscape.

via Security Online (infosecurityonline.info)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 · Exploit Public-Facing Application · Evidence: 1

the threat actors achieve initial access by targeting older software vulnerabilities... the campaign frequently exploits an established stack buffer overflow flaw found in common router firmware. This specific vulnerability is tracked globally as CVE-2021-27137

Execution

2 techniques
T1053.003 · Cron · Evidence: 1

To maintain continuous operational control, the malware configures a series of automated cron tasks. Specifically, the code schedules these local cron jobs to run every 15 minutes

T1059.004 · Unix Shell · Evidence: 1

the virus appends execution commands directly to several shell profile files, such as .bashrc and .profile

Persistence

1 technique
T1053.003 · Cron · Evidence: 1

To maintain continuous operational control, the malware configures a series of automated cron tasks. Specifically, the code schedules these local cron jobs to run every 15 minutes

Privilege Escalation

1 technique
T1053.003 · Cron · Evidence: 1

To maintain continuous operational control, the malware configures a series of automated cron tasks. Specifically, the code schedules these local cron jobs to run every 15 minutes

Stealth

1 technique
T1564.001 · Hidden Files and Directories · Evidence: 1

it generates multiple hidden files across temporary storage areas like /tmp/.sys and /dev/shm/.sys
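
Added example (not code from the page or from the cited reports): a small Python hunt that checks constructed sample data for the persistence and stealth artifacts quoted above, namely the every-15-minutes cron schedule, command lines appended to .bashrc/.profile, and the /tmp/.sys and /dev/shm/.sys staging directories. The function names and all sample inputs are assumptions; only the paths, file names and interval come from the page.

```python
import re
from typing import Dict, List, Tuple

# Indicators quoted in the evidence above (page-supplied paths and interval).
HIDDEN_DIRS = ("/tmp/.sys", "/dev/shm/.sys")
PROFILE_FILES = (".bashrc", ".profile")
# Matches a crontab entry scheduled every 15 minutes and captures the command.
CRON_15MIN = re.compile(r"^\s*\*/15\s+\*\s+\*\s+\*\s+\*\s+(.+)$")

def touches_hidden_dir(text: str) -> bool:
    """True if the text references one of the hidden staging directories."""
    return any(d in text for d in HIDDEN_DIRS)

def cron_findings(crontab_text: str) -> List[Tuple[str, str]]:
    """Return (confidence, command) for every */15 entry. Entries that run from a
    hidden staging dir are 'high'; other */15 jobs are common, so only 'review'."""
    out = []
    for line in crontab_text.splitlines():
        m = CRON_15MIN.match(line)
        if m:
            cmd = m.group(1).strip()
            out.append(("high" if touches_hidden_dir(cmd) else "review", cmd))
    return out

def profile_findings(profiles: Dict[str, str]) -> List[str]:
    """Return 'path: line' for shell-profile lines that execute from a hidden dir."""
    hits = []
    for path, body in profiles.items():
        if not path.endswith(PROFILE_FILES):
            continue
        hits += [f"{path}: {l.strip()}" for l in body.splitlines() if touches_hidden_dir(l)]
    return hits

def hidden_path_findings(paths: List[str]) -> List[str]:
    """Return paths that are, or live under, a hidden staging directory."""
    return [p for p in paths if any(p == d or p.startswith(d + "/") for d in HIDDEN_DIRS)]

# Constructed sample data (assumed, for demonstration only).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew
*/15 * * * * /tmp/.sys/update >/dev/null 2>&1
*/15 * * * * /usr/local/bin/backup-sync
"""
SAMPLE_PROFILES = {
    "/home/app/.bashrc": "alias ll='ls -la'\n/dev/shm/.sys/run &\n",
    "/home/app/.profile": "export PATH=$HOME/bin:$PATH\n",
}
SAMPLE_PATHS = ["/tmp/.sys/update", "/tmp/.X11-unix", "/dev/shm/.sys", "/dev/shm/pulse-shm-1"]
```

On a live host the same functions can be fed `crontab -l` output, the contents of each user's profile files, and a `find /tmp /dev/shm` listing.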

Discovery

3 techniques
T1046 · Network Service Discovery · Evidence: 1

the application fetches an independent Python script... Next, the script initiates multi-threaded background scanning routines across randomized public IP addresses

T1057 · Process Discovery · Evidence: 1

the program scans all running processes inside the native /proc directory. It then compares every active process name against a heavily customized internal blocklist

T1083 · File and Directory Discovery · Evidence: 1

the program scans all running processes inside the native /proc directory

Lateral Movement

1 technique
T1210 · Exploitation of Remote Services · Evidence: 1

the script initiates multi-threaded background scanning routines across randomized public IP addresses... deploys a broad suite of dangerous exploits to compromise secondary endpoints. These targets include vulnerable routers, database platforms, and exposed Android Debug Bridge interfaces

Command and Control

2 techniques
T1071 · Application Layer Protocol · Evidence: 1

the bot establishes an outbound network connection to its command server... Following a successful greeting exchange, the endpoint running the COXMO botnet variant enters an interactive tasking loop to await instruction

T1105 · Ingress Tool Transfer · Evidence: 1

once the attack succeeds, the compromised host downloads a payload compiled for the system’s exact CPU architecture... the application fetches an independent Python script from its hosting infrastructure to manage lateral movement

Impact

2 techniques
T1498 · Network Denial of Service · Evidence: 1

the centralized server can coordinate massive distributed denial-of-service attacks using 19 distinct flood methods. These aggressive capabilities include UDP bypass floods, TCP floods, and advanced protocol amplification tactics

T1499 · Endpoint Denial of Service · Evidence: 1

the operators can launch highly disruptive application-layer attacks like HTTP request storms

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (12)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.