307/69 Tuesday, June 9, 2026

Cybersecurity researchers from Fortinet have discovered a new botnet malware named C0XMO, which is derived from the Gafgyt botnet. The malware targets router devices running DD-WRT firmware, as well as video recording devices, video management platforms, and devices running the Android operating system. It can operate across various processor architectures, including ARM, MIPS, PowerPC, and x86. Notably, C0XMO is designed with a modular structure that allows it to flexibly adapt its attack techniques. Initial reports indicate that the botnet was used to attack a technology company in Japan, with the source IP addresses traced to devices located in Germany.
In terms of attack details, C0XMO exploits CVE-2021-27137, a vulnerability caused by improper input validation that can lead to a buffer overflow, allowing threat actors to execute malicious code without authentication. After successfully gaining access to a system, the malware downloads a Python script to scan for vulnerabilities on the network and performs password-guessing attacks against Telnet and SSH services. It then copies itself into a temporary system directory and creates cron jobs to run automatically every 15 minutes. The malware is capable of scanning for and removing rival malware, as well as other security tools, from the system in order to fully take control of the device and wait for commands from its command-and-control (C2) server to launch distributed denial-of-service (DDoS) attacks. It supports 19 different attack methods.
To reduce the risk and prevent potential impact from the C0XMO botnet, users and system administrators should promptly review and update the firmware of network devices to the latest version. They should also set strong administrator passwords and avoid reusing passwords across other systems. In addition, remote access services such as Telnet and SSH should be disabled if they are not necessary. As an initial detection measure, administrators can check for unexpected scheduled tasks (for example, cron entries that run every 15 minutes) or suspicious files hidden in temporary directories. Strictly following these recommendations can help protect organizational infrastructure, as experts assess that C0XMO has a significantly more complex operational structure and higher attack capability than many IoT botnets previously observed.
