{"rewrite":{"id":"r_59ae982f0b62004fe6ece2fb","clusterId":"c_b9d8c32e4a96413f4e651e02","slug":"new-gafgyt-variant-c0xmo-exploits-dd-wrt-flaw-to-spread-across-platforms","model":"deepseek-v4-flash","headline":"New Gafgyt Variant C0XMO Exploits DD-WRT Flaw to Spread Across Platforms","summary":"FortiGuard Labs discovered a new Gafgyt botnet variant called C0XMO in March 2026. It exploits a stack-based buffer overflow in DD-WRT router firmware (CVE-2021-27137) to infect devices. Attackers targeted Japanese technology companies, with traffic traced to German IP addresses. The malware is compiled for multiple architectures and separates its scanning function into an independent Python script, a structural change from earlier versions.","whyItMatters":"The C0XMO variant separates its scanning function into a Python script, a structural change that allows it to target more system architectures efficiently.","webCardHtml":"\u003cp\u003eThe vulnerability, CVE-2021-27137, is a stack-based buffer overflow in the UPnP service of DD-WRT firmware, triggered by an oversized \u0026#39;ST:uuid:\u0026#39; value in an M-SEARCH request over UDP port 1900. C0XMO uses this to gain initial access, then establishes persistence through cron jobs and shell profile modifications. It also kills competing botnet processes and removes their persistence mechanisms. The separation of scanning into a Python script, fetched from the same C2 server, is a structural departure from earlier Gafgyt variants.\u003c/p\u003e","blueskyPost":"FortiGuard Labs found a new Gafgyt variant, C0XMO, exploiting a DD-WRT router vulnerability. It targets Japanese tech firms, spreads across multiple architectures, and separates scanning into a Python script. A structural change in botnet design.","twitterPost":"New Gafgyt variant C0XMO exploits DD-WRT flaw CVE-2021-27137. Targets Japanese tech companies, compiled for multiple architectures, separates scanning into Python script. Structural shift from earlier versions.","threadsPost":null,"newsletterBlurb":"FortiGuard Labs has identified a new Gafgyt botnet variant, C0XMO, that exploits a DD-WRT router vulnerability. The malware targets Japanese technology companies and is compiled for multiple architectures. Notably, it separates its scanning function into an independent Python script, a structural change from previous Gafgyt versions.","attributionJson":"[{\"source\":\"ASCII.jp\",\"url\":\"https://ascii.jp/elem/000/004/419/4419549/?rss\",\"title\":\"DD-WRTルーターの脆弱性を悪用　新型ボットネット「C0XMO」の感染手口とは\"}]","lintFlagsJson":null,"lintHits":0,"costUsd":0,"inputTokens":5742,"outputTokens":2798,"status":"published","repairAttempts":0,"nextRepairAt":null,"factsAttemptedAt":1784106946,"createdAt":"2026-07-15T09:08:59.000Z","publishedAt":"2026-07-15T09:12:28.000Z","updatedAt":"2026-07-15T09:08:59.000Z"},"cluster":{"id":"c_b9d8c32e4a96413f4e651e02","canonicalTitle":"DD-WRTルーターの脆弱性を悪用　新型ボットネット「C0XMO」の感染手口とは","representativeArticleId":"a_62854bb20e70320397ea63f7","sourceCount":1,"writtenSourceCount":1,"writeAttempts":0,"isSolo":true,"entitiesJson":"{\"anime_titles\":[],\"manga_titles\":[],\"work_titles\":[],\"studios\":[],\"people\":[],\"type\":\"news\",\"domain\":\"other\",\"is_roundup\":false}","contentType":"news","status":"published","firstSeenAt":"2026-07-15T08:00:00.000Z","lastSeenAt":"2026-07-15T08:00:00.000Z","updatedAt":"2026-07-15T09:12:29.000Z"},"attribution":[{"source":"ASCII.jp","url":"https://ascii.jp/elem/000/004/419/4419549/?rss","title":"DD-WRTルーターの脆弱性を悪用　新型ボットネット「C0XMO」の感染手口とは"}],"entities":{"anime_titles":[],"manga_titles":[],"work_titles":[],"studios":[],"people":[],"type":"news","domain":"other","is_roundup":false},"keyFacts":null}
