Published on June 7, 2026
New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics
Severity
Medium
A new variant of the Gafgyt botnet, tracked as C0XMO, has been observed targeting Linux-based devices through a modular architecture that separates scanning and propagation functions. This design enables greater flexibility and scalability compared to traditional Gafgyt variants while supporting infections across multiple processor architectures.
How?
The malware propagates by exploiting CVE-2021-27137, a stack buffer overflow vulnerability in the UPnP SSDP parser of vulnerable DD-WRT firmware. Attackers leverage crafted M-SEARCH UDP packets containing oversized ST:uuid: values to trigger the vulnerability and deliver the malware payload.
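As an added illustration of the detection side of this propagation step (example code, not from the advisory or any analysed sample), the function below parses an SSDP M-SEARCH datagram and flags an ST header whose uuid: value exceeds a length ceiling; the 64-byte threshold and the sample datagrams are constructed assumptions, not values taken from the DD-WRT parser or the report.

```python
# Added example: flag SSDP M-SEARCH datagrams whose ST: header carries an
# oversized "uuid:" value, the trigger condition described for CVE-2021-27137.
# The 64-byte ceiling is an assumed illustrative value, not a firmware constant.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ST_UUID_MAX_LEN = 64  # assumed ceiling for a legitimate "uuid:..." search target


@dataclass
class SsdpVerdict:
    suspicious: bool
    reason: str
    st_value: Optional[str] = None


def parse_ssdp_headers(datagram: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an SSDP datagram into its request line and a lowercase-keyed header dict."""
    text = datagram.decode("latin-1", errors="replace")
    lines = text.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def inspect_msearch(datagram: bytes) -> SsdpVerdict:
    """Return a verdict for one UDP payload observed on the SSDP port (1900)."""
    request_line, headers = parse_ssdp_headers(datagram)
    if not request_line.upper().startswith("M-SEARCH"):
        return SsdpVerdict(False, "not an M-SEARCH request")
    st = headers.get("st")
    if st is None:
        return SsdpVerdict(False, "no ST header")
    if st.lower().startswith("uuid:") and len(st) > ST_UUID_MAX_LEN:
        return SsdpVerdict(True, f"ST uuid value is {len(st)} bytes (limit {ST_UUID_MAX_LEN})", st)
    return SsdpVerdict(False, "ST header within expected bounds", st)


# Constructed sample datagrams for a stand-alone run (not captured traffic).
BENIGN = b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: uuid:12345678-1234-1234-1234-123456789abc\r\n\r\n"
OVERSIZED = b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: uuid:" + b"A" * 300 + b"\r\n\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, OVERSIZED):
        print(inspect_msearch(sample))
```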
Although the observed attack targeted a Japanese technology company, telemetry indicates that the infection infrastructure originated from an IP address located in Germany. The malware stages payloads within the /tmp/.cache directory and distributes binaries compiled for multiple architectures, including ARM, MIPS, PowerPC, SuperH, MC68000, Intel 80386, and AMD64, allowing it to infect a wide range of Linux-based devices.
C0XMO retains several capabilities commonly associated with Gafgyt malware, including Telnet and SSH brute-force attacks, distributed denial-of-service (DDoS) functionality, and competitor malware removal. However, its modular architecture distinguishes it from previous variants. The primary bot binary focuses on persistence, process management, and command-and-control (C2) communications, while a separate Python-based scanner handles target discovery, exploitation, and lateral movement.
To maintain persistence, the malware copies itself to hidden system locations, modifies file permissions, creates cron jobs for scheduled execution, and alters user profile files to ensure execution after system reboots. It also incorporates routines to identify and terminate competing malware, network services, and security tools while removing associated files and persistence mechanisms.
Communication with the C2 server is established through a custom protocol that authenticates infected devices and delivers commands to them. Supported functions include heartbeat messages, scan management, and multiple DDoS attack methods. Analysis of the x86_64 variant identified 19 supported attack techniques, including UDP and TCP floods, SYN attacks, amplification attacks, and application-layer HTTP-based attacks.
The Python-based scanner contains approximately 22 functions responsible for target acquisition, service fingerprinting, exploitation attempts, and credential brute-forcing. In addition to CVE-2021-27137, the scanner supports exploitation of several known vulnerabilities affecting routers, DVRs, IoT devices, and network appliances, including CVE-2022-35914, CVE-2025-34054, vulnerabilities affecting NVMS-9000 systems, and Zyxel SysTools remote code execution flaws. The scanner also targets exposed Android Debug Bridge (ADB) services and weak SSH or Telnet credentials to deploy architecture-specific payloads.
The separation of scanning and infection components enables threat actors to rapidly incorporate new exploits and target additional devices without modifying the core bot malware. Combined with support for multiple processor architectures, this approach significantly expands the botnet’s potential reach and increases the threat posed to Linux-based IoT and network-connected devices.
IOCs
Hosts
- 217[.]160[.]125[.]125:15527
- 176[.]100[.]37[.]91
- 85[.]215[.]131[.]70