
Volume 339, Issue 1 · IT Vendor News · Fortinet

Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

FortiGuard Labs, Wednesday, June 3rd, 2026

FortiGuard Labs discovered C0XMO, a new Gafgyt botnet variant that exploits CVE-2021-27137 to spread across multiple Linux architectures.

In March 2026, FortiGuard Labs discovered C0XMO, a new Gafgyt botnet variant that exploits CVE-2021-27137, a stack buffer overflow vulnerability in DD-WRT router firmware. Unlike earlier versions, C0XMO separates its lateral movement into a standalone Python script, allowing it to efficiently target various system architectures, including ARM, MIPS, PowerPC, and AMD64.

The malware establishes persistence through multiple mechanisms, including cron jobs and shell profile modifications, eliminates competing botnets, and connects to a C2 server to execute 19 different DDoS attack methods.

The threat was initially delivered to a Japanese technology firm via a source IP traced to Germany, highlighting the cross-platform propagation capabilities of this sophisticated botnet variant.
