A new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures. Researchers from Fortinet have discovered that this malware represents a significant evolution in IoT botnet capabilities, featuring a modular architecture that allows operators to update exploitation techniques and expand targeting capabilities independently of the main payload.
Exploiting DD-WRT and Beyond
The botnet was seen targeting a Japanese technology company, but researchers discovered that the source IP address belonged to a device located in Germany. This highlights the botnet's ability to use compromised devices as launch points for attacks, effectively masking its origins.
The researchers found samples for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures, featuring exploits for DVRs, routers, video management platforms, and Android-based devices. This multi-architecture support makes C0XMO particularly dangerous as it can infect a wide range of internet-connected devices.
For comparison with other botnets, see our analysis of the Mirai malware and its impact on IoT security.
DDoS Capabilities and Attack Methods
Fundamentally, C0XMO remains malware for launching distributed denial-of-service (DDoS) attacks and supports 19 methods, including UDP/TCP/SYN/ICMP floods, "ping of death," NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.
The botnet's attack capabilities include:
- UDP flood attacks
- TCP SYN flood
- ICMP flood and "ping of death"
- NTP amplification attacks
- Memcached amplification attacks
- Discord voice UDP floods
- Valve-specific protocol floods
This diverse arsenal makes C0XMO capable of overwhelming targets through multiple vectors simultaneously.
For additional context on DDoS defense strategies, see our guide on DDoS mitigation techniques.
The Gafgyt Scanner: Lateral Movement Engine
For wider distribution, C0XMO downloads a Python script that installs additional packages such as 'requests,' 'paramiko,' and 'beautifulsoup4,' which it needs for network scanning and communication and for running activities over the SSH and Telnet protocols.
The scanner then uses worker threads to randomly scan internet-facing systems on common ports like 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 7547, 8080, 8443, 8888, and others.
After finding a target, the malware attempts to brute-force weak Telnet and SSH credentials, detects the CPU architecture, and deploys a compatible C0XMO binary.
The script contains almost two dozen functions for various tasks including:
- Network scanning
- Exploiting HTTP and ADB-based vulnerabilities
- CPU architecture detection
- SSH/Telnet login
- IP address validation
Its main purpose is to move laterally across the network once initial access is gained.
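The scanner behaviour described above (random sweeps of many Internet hosts on a fixed set of ports) is visible in flow or firewall logs as one source address fanning out to many distinct destinations in a short time. The following detection sketch is an added example, not Fortinet's code or the malware's script; it works over a constructed, simplified flow log ("<epoch> <src_ip> <dst_ip> <dst_port> <proto>") rather than a real capture, and its internal ranges, thresholds and window size are assumptions to be tuned per environment.

```python
"""
Added detection sketch (not Fortinet's code) for the scanning behaviour
described above: one host fanning out to many distinct external addresses on
the ports the scanner probes. Input is a constructed, simplified flow log
("<epoch> <src_ip> <dst_ip> <dst_port> <proto>"), not a real capture.
"""
from collections import defaultdict
import ipaddress

# Ports named in the report as the scanner's targets
SCANNER_PORTS = {22, 23, 80, 443, 7547, 8080, 8443, 8888}

# Assumed internal ranges; anything else is treated as an external target.
# Classified explicitly because the sample uses RFC 5737 documentation
# addresses as stand-ins for public hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Thresholds are illustrative assumptions; tune to the environment
MIN_DISTINCT_TARGETS = 20
WINDOW_SECONDS = 60


def _build_sample_log():
    """Constructed sample: 25 TCP probes from 10.0.0.5 to distinct external
    hosts on scanner ports within 25 seconds, plus ordinary traffic from 10.0.0.7."""
    base = 1700000000
    ports = sorted(SCANNER_PORTS)
    lines = [f"{base + i} 10.0.0.5 203.0.113.{i + 1} {ports[i % len(ports)]} tcp"
             for i in range(25)]
    lines += [
        f"{base + 5} 10.0.0.7 198.51.100.10 443 tcp",
        f"{base + 9} 10.0.0.7 198.51.100.11 443 tcp",
        f"{base + 30} 10.0.0.7 10.0.0.1 53 udp",  # internal DNS, not a sweep
    ]
    return lines


SAMPLE_LOG = _build_sample_log()


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one log line into (timestamp, src, dst, dst_port, proto)."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto


def detect_sweeps(lines, min_targets=MIN_DISTINCT_TARGETS, window=WINDOW_SECONDS):
    """Return {src_ip: set(dst_ips)} for every source that reached at least
    min_targets distinct external hosts on scanner ports inside any window of
    `window` seconds."""
    probes = defaultdict(list)
    for line in lines:
        ts, src, dst, port, proto = parse_flow(line)
        if proto == "tcp" and port in SCANNER_PORTS and is_external(dst):
            probes[src].append((ts, dst))

    alerts = {}
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window anchored at each probe
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                alerts[src] = targets
                break
    return alerts


if __name__ == "__main__":
    for src, targets in detect_sweeps(SAMPLE_LOG).items():
        print(f"possible scanner on {src}: {len(targets)} external targets")
```

Because the scanner targets a small, fixed port set, filtering on those ports before counting distinct destinations keeps ordinary browsing (many hosts on 443 over a day) from tripping the threshold; the window and target count are the knobs to adjust if a site sees legitimate bursts.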
For more on detecting lateral movement, see our article on network security monitoring.
Persistence and Anti-Competitor Mechanisms
Once it gains access to a device, the malware copies itself to hidden locations such as '/tmp/.sys,' '/var/tmp/.sys,' and '/dev/shm/.sys,' and then creates cron jobs that relaunch it every 15 minutes. Shell startup files are also modified to enable automatic execution.
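The three indicator classes named above (hidden copies under /tmp/.sys, /var/tmp/.sys and /dev/shm/.sys, a cron job relaunching them, and edited shell startup files) can be checked offline against a mounted or extracted root filesystem. The script below is an added triage example, not Fortinet's code; the drop paths come from the report, while the crontab and profile locations it inspects are assumed common defaults, and the sample filesystem it builds is constructed for illustration.

```python
"""
Added triage check (not Fortinet's code) for the persistence indicators named
above: hidden copies at /tmp/.sys, /var/tmp/.sys and /dev/shm/.sys, cron jobs
that relaunch them, and shell startup files edited for autostart. It walks a
mounted or extracted root filesystem, so it runs offline on an analysis host.
"""
import os
import re
import tempfile

# Drop locations from the report, relative to the filesystem root
HIDDEN_COPIES = ["tmp/.sys", "var/tmp/.sys", "dev/shm/.sys"]

# Startup files and cron locations are assumed common defaults; extend them
# to match the device's shell and cron implementation
PROFILE_FILES = ["etc/profile", "root/.profile", "root/.bashrc", "etc/rc.local"]
CRON_FILES = ["etc/crontab"]
CRON_DIRS = ["var/spool/cron/crontabs", "etc/crontabs", "etc/cron.d"]

# Matches any reference to the hidden binary under the three drop directories
SYS_REF = re.compile(r"/(?:var/)?(?:tmp|dev/shm)/\.sys\b")


def find_hidden_copies(root):
    """Which of the known drop paths exist under root."""
    return [p for p in HIDDEN_COPIES if os.path.exists(os.path.join(root, p))]


def _iter_files(root, rel_files, rel_dirs):
    """Yield (relative_path, absolute_path) for listed files and directory members that exist."""
    for rel in rel_files:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            yield rel, path
    for rel_dir in rel_dirs:
        dir_path = os.path.join(root, rel_dir)
        if os.path.isdir(dir_path):
            for name in sorted(os.listdir(dir_path)):
                path = os.path.join(dir_path, name)
                if os.path.isfile(path):
                    yield os.path.join(rel_dir, name), path


def _grep_refs(root, rel_files, rel_dirs):
    """Return (relative_path, line) for non-comment lines that reference a drop path."""
    hits = []
    for rel, path in _iter_files(root, rel_files, rel_dirs):
        with open(path, encoding="utf-8", errors="replace") as f:
            for line in f:
                line = line.strip()
                if line and not line.startswith("#") and SYS_REF.search(line):
                    hits.append((rel, line))
    return hits


def find_cron_entries(root):
    """Cron lines that launch one of the hidden copies."""
    return _grep_refs(root, CRON_FILES, CRON_DIRS)


def find_profile_entries(root):
    """Shell startup lines that launch one of the hidden copies."""
    return _grep_refs(root, PROFILE_FILES, [])


def triage(root):
    """Collect all three indicator classes for one filesystem root."""
    return {
        "hidden_copies": find_hidden_copies(root),
        "cron_entries": find_cron_entries(root),
        "profile_entries": find_profile_entries(root),
    }


def build_sample_root():
    """Constructed filesystem resembling an infected device (not a real capture)."""
    root = tempfile.mkdtemp(prefix="c0xmo-triage-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "var/spool/cron/crontabs"))
    os.makedirs(os.path.join(root, "root"))
    with open(os.path.join(root, "tmp/.sys"), "wb") as f:
        f.write(b"\x7fELF")  # placeholder bytes, not a real binary
    with open(os.path.join(root, "var/spool/cron/crontabs/root"), "w") as f:
        f.write("*/15 * * * * /tmp/.sys\n0 3 * * * /usr/sbin/logrotate\n")
    with open(os.path.join(root, "root/.profile"), "w") as f:
        f.write("export PATH=/bin:/usr/bin\n/var/tmp/.sys &\n")
    return root


if __name__ == "__main__":
    for kind, hits in triage(build_sample_root()).items():
        print(f"{kind}: {hits}")
```

Run it with the device's root mounted read-only (or an extracted image) and pass that path to triage(); a hit in any of the three categories is worth a closer look even if the others are clean, since the malware also removes competitors' persistence and its own footprint may be partial.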
C0XMO actively scans running processes to identify competitor botnet clients on the host, as well as red-team tools, programming tools, and network services that may interfere with its operation, and terminates them. It does so by deleting binaries and removing their persistence mechanisms, including cron jobs, init scripts, system services, and shell profile entries.
The malware maintains a blacklist of processes to kill, ensuring it has exclusive control over the infected device's resources.

Source: Fortinet
After eliminating competitors, the malware connects to a hardcoded command-and-control (C2) address using a custom multi-stage handshake that includes magic strings and shared secrets, then awaits commands.
Compare this to other botnets like Mirai and the Miasma Worm, which also use anti-competitor mechanisms to maintain exclusivity.
Command and Control Communication
The supported commands include:
- Heartbeat checks for keep-alive verification
- Starting and stopping network scanners
- Launching DDoS attacks using one of the 19 supported methods
Because the handshake is custom, built on magic strings and shared secrets rather than a standard protocol, security solutions that rely on simple signature matching have a harder time detecting the C2 traffic.
Learn how advanced C2 detection techniques are used by security teams to identify and disrupt botnet infrastructure.
For context on how threat actors coordinate attacks, see our exploration of China-nexus cyber operations.
Defense Recommendations
The general recommendation for defending against C0XMO and other botnet malware is to:
- Keep devices up to date - Apply security patches promptly, especially for IoT devices and routers running DD-WRT firmware
- Use unique admin credentials - Avoid default passwords and use strong, unique combinations
- Disable remote access capabilities when not needed - Turn off WAN access to management interfaces
- Monitor network traffic for unusual patterns that may indicate infection
- Segment IoT networks from critical systems to limit lateral movement
Fortinet describes C0XMO as having "a considerably more advanced architecture and feature set compared to earlier IoT botnets." The researchers note that the overall design of the malware indicates "a greater degree of operational sophistication and complexity than typical Gafgyt malware."
This evolution suggests that threat actors are investing more resources into IoT malware development, moving beyond basic Mirai-like implementations toward more modular and adaptable frameworks.
Review our comprehensive guides on IoT security best practices and enterprise threat detection for additional protection measures.