New Gafgyt Variant C0XMO Exploits DD-WRT Vulnerability to Build Multi-Architecture Botnet
A newly identified variant of the Gafgyt botnet malware, dubbed C0XMO, is actively exploiting a known vulnerability in DD-WRT router firmware to compromise Linux-based devices. The malware leverages a stack buffer overflow flaw in the Universal Plug and Play (UPnP) service of affected routers, enabling attackers to gain full access without requiring credentials. Once compromised, the devices are conscripted into a rapidly expanding botnet.
What distinguishes C0XMO from its predecessors is its modular architecture and capability to target multiple Linux processor architectures simultaneously. The malware is engineered to compile and deploy architecture-specific payloads, significantly broadening its reach compared to previous IoT-targeting threats. Additionally, it incorporates Python-based scanning scripts that facilitate lateral movement across networks, autonomously identifying and compromising new targets.
Analysts from Fortinet’s FortiGuard Labs first detected C0XMO in March 2026. Their analysis revealed that the malware exploits CVE-2021-27137, a stack buffer overflow in the UPnP service of certain DD-WRT router firmware versions. This vulnerability is triggered when an oversized ST:uuid value is sent in a crafted M-SEARCH request over UDP port 1900.
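As an added illustration of the trigger described above (example code written for this page, not from the article or from FortiGuard Labs), the following Python parser inspects SSDP M-SEARCH datagrams and flags an ST header whose uuid: portion exceeds a length threshold, the kind of check a network sensor can apply to UDP 1900 traffic. The threshold and the sample datagrams are assumptions constructed for the example; the real buffer limit depends on the firmware build.

```python
# Added example: flag oversized ST:uuid values in SSDP M-SEARCH requests.
# MAX_ST_UUID_LEN is an assumed threshold, not the real DD-WRT buffer size;
# tune it to the firmware being protected.
from typing import Optional

MAX_ST_UUID_LEN = 64

def parse_ssdp(datagram: bytes) -> Optional[dict]:
    """Return {'method': 'M-SEARCH', 'headers': {...}} or None if not an M-SEARCH."""
    try:
        text = datagram.decode("ascii", errors="strict")
    except UnicodeDecodeError:
        return None  # SSDP is ASCII; anything else is not a well-formed request
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return {"method": "M-SEARCH", "headers": headers}

def check_st_uuid(datagram: bytes, max_len: int = MAX_ST_UUID_LEN) -> Optional[str]:
    """Return an alert string when ST carries an oversized uuid: value, else None."""
    msg = parse_ssdp(datagram)
    if msg is None:
        return None
    st = msg["headers"].get("st", "")
    if not st.lower().startswith("uuid:"):
        return None  # ssdp:all, upnp:rootdevice etc. are not the trigger shape
    uuid_part = st[len("uuid:"):]
    if len(uuid_part) > max_len:
        return f"oversized ST:uuid ({len(uuid_part)} bytes > {max_len})"
    return None

# Constructed sample datagrams for the example (not real captures).
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
          b"ST: uuid:12345678-1234-1234-1234-123456789abc\r\n\r\n")
SUSPICIOUS = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
              b"MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
              b"ST: uuid:" + b"A" * 300 + b"\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, check_st_uuid(pkt) or "ok")
```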
The potential impact of C0XMO is substantial, given the widespread deployment of DD-WRT firmware across home offices and small businesses globally. Beyond routers, the malware also attempts to exploit exposed Android Debug Bridge connections to compromise Android devices, indicating a cross-platform approach that underscores the growing sophistication of IoT botnet operators.
Once a device is compromised, C0XMO can launch distributed denial-of-service (DDoS) attacks. It also exploits vulnerabilities in D-Link devices, GLPI project software, and Avtech DVR cameras, considerably widening the range of devices it can compromise. Security teams managing diverse device environments should consider this threat active and ongoing.
A notable technical aspect of C0XMO is its separation of lateral movement into a standalone Python script. This design allows the botnet to scan and probe networks independently of the main malware body, enhancing flexibility and evasion capabilities. The script identifies reachable hosts and determines the target’s architecture before delivering the appropriate payload.
The malware targets a range of Linux architectures, including ARM, MIPS, and x86, encompassing routers, IoT sensors, and embedded devices. For each architecture, it downloads and executes the corresponding compiled binary, enabling the botnet to proliferate across diverse hardware within a single campaign. This modular, multi-architecture design, previously more common among advanced threat actors, marks a significant escalation in IoT botnet capabilities.
Fortinet researchers observed the malware connecting to a command-and-control server post-infection, awaiting DDoS commands. This behavior indicates that the botnet is not only expanding its network but also preparing for coordinated attacks.
In light of these developments, organizations and individuals running DD-WRT firmware should update their systems promptly to mitigate the risk posed by C0XMO. Implementing robust security measures, such as disabling unnecessary services (including UPnP where it is not needed), changing default credentials, and regularly monitoring network traffic, can further reduce exposure to such malware campaigns.