Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
· Published 04/06/2026 00:14 · Modified 04/06/2026 09:39
Essential information
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: 2026-06-03, botnet, c0xmo, ddos, gafgyt, python, scanner
- Related entities: 5 vulnerabilities (cve), 18 indicators, 18 observables, 20 techniques (mitre), 2 malware, 2 others
Description
A new Gafgyt botnet variant named C0XMO has been discovered that spreads by exploiting a stack buffer overflow vulnerability in DD-WRT router firmware. Unlike earlier versions, this malware separates its lateral movement capabilities into a standalone Python script, enabling more efficient targeting of various system architectures, including ARM, MIPS, PowerPC, and x86. The malware establishes persistence through cron jobs and shell profile modifications, eliminates competing botnets, and supports 19 different DDoS attack methods. Its scanner component performs weak-credential brute-force attacks against Telnet and SSH services, and also exploits multiple HTTP-based vulnerabilities and unauthorized Android Debug Bridge access. The malware connects to command-and-control infrastructure and has a significantly more sophisticated architecture than traditional IoT botnets.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (5)
CVE-2015-2051 · KEV · 8.8 High
D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
- Attack vector: Adjacent
- Complexity: LOW
- Published: 23/02/2015
- Modified: 22/04/2026
- Published: 04/06/2026
- Modified: 04/06/2026
10.0 Critical
An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to …
- EPSS: 0.0230 (P85.0%)
- Published: 04/06/2026
- Modified: 04/06/2026
8.7 High
AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The `exefile` parameter in CloudSetup.cgi is passed …
- EPSS: 0.0037 (P58.9%)
- Published: 04/06/2026
- Modified: 04/06/2026
CVE-2022-35914 · KEV · 9.8 Critical
Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed.
- Attack vector: Network
- Published: 07/03/2023
- Modified: 04/06/2026
Indicators (18)
Observables (18)
Techniques (MITRE) (20)
Others (2)
- Japan
- Technology