Anime, manga, and games, with a take · A Yukimedia publication

← all stories other 1 sources · 1h ago ·

New Gafgyt Variant C0XMO Exploits DD-WRT Flaw to Spread Across Platforms

The C0XMO variant separates its scanning function into a Python script, a structural change that allows it to target more system architectures efficiently.

Reporting from 1 source: ASCII.jp.

New Gafgyt Variant C0XMO Exploits DD-WRT Flaw to Spread Across Platforms

FortiGuard Labs discovered a new Gafgyt botnet variant called C0XMO in March 2026. It exploits a stack-based buffer overflow in DD-WRT router firmware (CVE-2021-27137) to infect devices. Attackers targeted Japanese technology companies, with traffic traced to German IP addresses. The malware is compiled for multiple architectures and separates its scanning function into an independent Python script, a structural change from earlier versions.

The vulnerability, CVE-2021-27137, is a stack-based buffer overflow in the UPnP service of DD-WRT firmware, triggered by an oversized 'ST:uuid:' value in an M-SEARCH request over UDP port 1900. C0XMO uses this to gain initial access, then establishes persistence through cron jobs and shell profile modifications. It also kills competing botnet processes and removes their persistence mechanisms. The separation of scanning into a Python script, fetched from the same C2 server, is a structural departure from earlier Gafgyt variants.

Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.

Sources