C0XMO has "a considerably more advanced architecture and feature set compared to earlier IoT botnets," Fortinet researchers wrote, and their discovery of this new Gafgyt variant makes that claim hard to dismiss.
Fortinet on C0XMO's modular architecture
Fortinet researchers discovered C0XMO and highlighted a modular design that separates the core payload from exploitation and lateral-movement components. That separation allows operators to update exploitation techniques, add or remove targeted CPU architectures, and expand lateral movement independently of the primary DDoS payload. The researchers describe the overall design as indicating "a greater degree of operational sophistication and complexity than typical Gafgyt malware."
Exploitation of CVE-2021-27137 and the DD-WRT vector
C0XMO is delivered by exploiting CVE-2021-27137, a buffer overflow vulnerability caused by insufficient validation of user input. According to Fortinet, the flaw can be leveraged without authentication and leads to arbitrary code execution. The botnet was observed targeting DD-WRT router firmware and was also seen striking a Japanese technology company, although the researchers state that the source IP address associated with that activity resolved to a device located in Germany.
Lateral movement: Python scanner, ports, and architecture diversity
For distribution and lateral movement, C0XMO uses a Python-based scanner that downloads and installs additional packages such as requests, paramiko, and beautifulsoup4 to support network scanning, SSH/telnet activity, and web interactions. The scanner launches worker threads that randomly scan internet-facing systems on common ports including 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 7547, 8080, 8443, 8888, and others.
After discovering a reachable host, the malware attempts to brute-force weak Telnet and SSH credentials, probes the CPU architecture, and deploys a compatible C0XMO binary. Fortinet found samples targeting a wide range of CPU families — ARM, MIPS, PowerPC, SuperH, x86, x86_64, and additional architectures — and noted exploits aimed at DVRs, routers, video management platforms, and Android-based devices.
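The scanning behaviour described above has a recognisable network-side signature: one source touching many distinct hosts on the same handful of ports within a short window. As an added example from the defender's side (not Fortinet's code and not anything from the malware), the Python below runs that check over a simplified flow log. The port list follows the article; the 60-second window, the five-host threshold, the record format and the sample records are all constructed assumptions.

```python
"""Flag random internet scanning of the ports C0XMO's worker threads probe.

Added example (not Fortinet's or the malware's code). Input is a simplified
flow log, one "ISO-timestamp src dst dport" record per line; the records
below are constructed for the demonstration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports named in Fortinet's description of the scanner.
SCANNED_PORTS = {22, 23, 80, 443, 7547, 8080, 8443, 8888}

# Constructed records: one scanner, one normal web client, one host on a port we don't track.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 203.0.113.7 198.51.100.10 22
2024-05-01T10:00:02 203.0.113.7 198.51.100.11 23
2024-05-01T10:00:02 203.0.113.7 198.51.100.12 7547
2024-05-01T10:00:03 203.0.113.7 198.51.100.13 8080
2024-05-01T10:00:04 203.0.113.7 198.51.100.14 8443
2024-05-01T10:00:05 203.0.113.7 198.51.100.15 23
2024-05-01T10:00:05 203.0.113.7 198.51.100.10 23
2024-05-01T10:05:00 203.0.113.7 198.51.100.99 22
2024-05-01T10:00:01 192.0.2.5 198.51.100.20 443
2024-05-01T10:00:07 192.0.2.5 198.51.100.20 443
2024-05-01T10:00:09 192.0.2.5 198.51.100.20 443
2024-05-01T10:00:01 203.0.113.9 198.51.100.30 3389
2024-05-01T10:00:02 203.0.113.9 198.51.100.31 3389
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_scanners(flows, window_seconds=60, min_targets=5):
    """Return {src: peak number of distinct hosts probed on SCANNED_PORTS within one window}.

    Only sources whose peak reaches min_targets are returned. A sliding window
    over each source's time-ordered events keeps the pass linear in the input.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SCANNED_PORTS:
            by_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> number of events currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that fell out of the window ending at ts.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for src, n in detect_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print("possible scanner %s: %d distinct hosts on scanned ports" % (src, n))
```

The repeat web client and the host probing a port outside the list are left alone, and the scanner's late single hit at 10:05 does not inflate its count because it lands outside the window. Threshold and window should be tuned against your own baseline; the values here are placeholders.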
Persistence, self-protection, and removal of rivals
Once installed, C0XMO copies itself to hidden locations such as /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys, creates cron jobs that relaunch the malware every 15 minutes, and modifies shell startup files to enable automatic execution. The botnet actively scans running processes to find competing botnet clients, red-team tools, programming utilities, and network services that could interfere with its operation; it then terminates those processes, deletes binaries, and removes persistence mechanisms including cron jobs, init scripts, system services, and shell profile entries.
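The persistence artefacts listed above (hidden .sys drop paths, a 15-minute cron relaunch, edited shell startup files) are concrete enough to check for. As an added example, not Fortinet's code, the Python below triages a filesystem tree for them. It takes a root path so it can be pointed at a mounted firmware or disk image as well as at "/" on a live Linux host; the cron and shell-profile locations it reads are assumed typical paths, and the "infected" tree it builds for the demonstration is constructed (no real malware involved).

```python
"""Triage a Linux filesystem for the C0XMO persistence artefacts Fortinet describes.

Added example, not Fortinet's or the malware's code. Pass the root of a
mounted image or "/" on a live host; findings come back as (category, detail).
"""
import os
import re
import tempfile

# Hidden drop locations named in the write-up.
HIDDEN_PATHS = ("tmp/.sys", "var/tmp/.sys", "dev/shm/.sys")
# Assumed typical cron and shell startup locations to inspect.
CRON_FILES = ("etc/crontab",)
CRON_DIRS = ("etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs")
SHELL_STARTUP = ("etc/profile", "etc/bash.bashrc", "root/.bashrc", "root/.profile")

# A command run from one of the world-writable scratch directories the malware drops into.
TMP_EXEC = re.compile(r"(?:^|[\s;&|])/(?:tmp|var/tmp|dev/shm)/\S+")


def _lines(path):
    """Read a text file line by line; missing or unreadable files yield nothing."""
    try:
        with open(path, errors="replace") as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def _cron_files(root):
    for rel in CRON_FILES:
        yield os.path.join(root, rel)
    for rel in CRON_DIRS:
        d = os.path.join(root, rel)
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                yield os.path.join(d, name)


def _flag_lines(path, category):
    """Report non-comment lines that execute something from /tmp, /var/tmp or /dev/shm."""
    out = []
    for line in _lines(path):
        if line.lstrip().startswith("#"):
            continue
        if TMP_EXEC.search(line):
            out.append((category, "%s: %s" % (path, line.strip())))
    return out


def triage_host(root="/"):
    """Return (category, detail) findings for the persistence artefacts described."""
    findings = []
    for rel in HIDDEN_PATHS:
        p = os.path.join(root, rel)
        if os.path.lexists(p):
            findings.append(("hidden_binary", p))
    for cron_path in _cron_files(root):
        findings.extend(_flag_lines(cron_path, "cron_exec_from_tmp"))
    for rel in SHELL_STARTUP:
        findings.extend(_flag_lines(os.path.join(root, rel), "shell_startup_exec_from_tmp"))
    return findings


def build_sample_tree(root):
    """Write a constructed tree that mimics the described artefacts (no real malware)."""
    def write(rel, text):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)
    write("tmp/.sys", "placeholder, not a real binary\n")
    write("etc/crontab", "# m h dom mon dow user command\n"
                         "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
                         "*/15 * * * * root /tmp/.sys >/dev/null 2>&1\n")
    write("root/.bashrc", "export PATH=/usr/local/bin:$PATH\n"
                          "/var/tmp/.sys &\n")


def demo(infected=True):
    """Run the triage against a throwaway tree; infected=False gives a clean baseline."""
    with tempfile.TemporaryDirectory() as root:
        if infected:
            build_sample_tree(root)
        return triage_host(root)


if __name__ == "__main__":
    for category, detail in demo():
        print(category, detail)
```

Matching on "anything executed from a scratch directory" rather than on the exact .sys name keeps the check useful if the drop name changes; the three specific paths are still checked directly because their presence alone is a strong indicator. On a BusyBox-based router there is usually no Python, so run this against an image pulled from the device rather than on the device itself.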
Command-and-control, supported commands, and DDoS toolkit
C0XMO connects to a hardcoded command-and-control (C2) address using a custom multi-stage handshake that includes magic strings and shared secrets. Once connected, the bot awaits commands that include heartbeat checks, starting and stopping scans, and initiating distributed denial-of-service attacks. Fundamentally, C0XMO remains a malware family built to launch DDoS operations: Fortinet reports the bot supports 19 attack methods.
- Flood types listed by the researchers include UDP, TCP, SYN, and ICMP floods and a "ping of death."
- Amplification vectors include NTP and Memcached amplification.
- More specialized attacks include Discord voice UDP floods and Valve-specific floods.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Expect a modular threat that can be extended to additional architectures and device types without changing the core payload. The Picus whitepaper cited in the source notes that defenders often log 54% of successful attacks but alert on only 14%, underscoring the need to validate detection rules and controls against lateral-moving, multi-architecture toolsets such as C0XMO.
- Affected enterprises and procurement leaders: Devices in the field — especially routers, DVRs, video-management systems, and Android-based embedded equipment — should be inventoried, firmware versions checked, and remote-access capabilities disabled where not required. The published defensive advice is straightforward: keep devices up to date, use unique administrative credentials, and disable remote access when not needed.
- End users and device owners: Weak Telnet/SSH credentials and unpatched firmware are direct enablers of C0XMO's spread. Removing default or shared admin logins and applying vendor updates are practical, immediate mitigations.
Fortinet's assessment of C0XMO draws a clear line from an exploited DD-WRT vulnerability to a widely adaptable DDoS platform: an unauthenticated buffer overflow (CVE-2021-27137) seeds access, a Python-based scanner and architecture-aware deployer expand reach, and an extensive DDoS toolkit converts compromised devices into attack nodes. The architecture raises one operational question the facts leave open: as C0XMO's exploitation and lateral-movement modules evolve independently of its core payload, how quickly will defenders be able to match detection and remediation to a shifting set of device types and attack vectors?