A newly discovered variant of the Gafgyt botnet is not just infecting vulnerable IoT devices—it's actively purging other malware to claim them as its own. Security researchers have dubbed the threat C0XMO, marking a tactical shift in the competitive landscape of cybercrime.
As reported by Security Affairs, C0XMO was first identified by FortiGuard Labs in March 2026. The malware spreads by exploiting CVE-2021-27137, a stack buffer overflow flaw in certain router firmware. This vulnerability is not new; it has been publicly documented for over five years. The malware's ability to still successfully leverage it highlights the chronic failure to patch known security gaps across a massive fleet of always-connected devices.
Evicting the Competition
The defining characteristic of C0XMO is its aggressive approach to turf control. Once installed on a device, it scans for and terminates processes linked to competing botnets. This "competitor-killing" behavior allows C0XMO to monopolize the device's resources for its own distributed denial-of-service (DDoS) campaigns.
For network defenders, this tactic creates a significant blind spot. A device infected only by C0XMO will not show traces of other common botnet families upon a superficial scan. A standard signature-based security check might return a clean result, even as the device remains fully compromised and weaponized.
Implications for Defense
The discovery underscores that traditional detection methods are becoming insufficient. Reliance on static malware signatures alone is inadequate when a single, dominant infection actively erases evidence of others.
Security teams are advised to prioritize behavioral monitoring. Key indicators include unexpected outbound network traffic patterns, particularly to unfamiliar command-and-control servers, which are essential for any botnet to receive attack commands. Furthermore, the case reinforces the critical need for aggressive vulnerability remediation, regardless of a CVE's age, and strict network segmentation to limit the impact of any single breach.
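One way to act on that advice is to compare each IoT device's outbound flows against a learned baseline of expected destinations and surface repeated contact with anything new. The example below is added here and is not code from the article or from FortiGuard Labs; the device names, addresses, ports and baseline are constructed for illustration.

```python
"""Flag IoT devices that repeatedly contact unfamiliar external hosts.

Added example, not part of the original article. Destinations and
device names are constructed; a real baseline would be learned from a
clean observation window per device or device class.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline: external hosts each device legitimately reaches
# (vendor cloud, DNS). Anything else outbound is "unfamiliar".
BASELINE = {
    "cam-01": {"203.0.113.10", "192.0.2.53"},
    "router-02": {"203.0.113.20", "192.0.2.53"},
}

# Constructed flow records: (device, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("cam-01", "203.0.113.10", 443, 1200),
    ("cam-01", "192.0.2.53", 53, 80),
    ("cam-01", "198.51.100.77", 7777, 512),  # new host, contacted repeatedly
    ("cam-01", "198.51.100.77", 7777, 540),
    ("cam-01", "198.51.100.77", 7777, 530),
    ("cam-01", "198.51.100.9", 80, 300),     # new host, seen once
    ("router-02", "203.0.113.20", 443, 2048),
    ("router-02", "10.0.5.9", 445, 300),     # internal; segmentation's job
]

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address lies in an RFC 1918 range (not egress)."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_unfamiliar_egress(flows, baseline, min_hits=3):
    """Return {device: {(dst_ip, dst_port): hits}} for external
    destinations outside the device's baseline that were contacted at
    least min_hits times. Repeated check-ins to one new host are what
    distinguish a command-and-control pattern from a one-off lookup."""
    counts = defaultdict(lambda: defaultdict(int))
    for device, dst, port, _bytes in flows:
        if is_internal(dst) or dst in baseline.get(device, set()):
            continue
        counts[device][(dst, port)] += 1
    return {dev: {k: n for k, n in dsts.items() if n >= min_hits}
            for dev, dsts in counts.items()
            if any(n >= min_hits for n in dsts.values())}
```

With the constructed flows, only cam-01's repeated contact with 198.51.100.77 is reported; the single hit and the internal SMB flow are left for other controls.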
C0XMO represents more than just another botnet variant. It is a signal that the battle for control of insecure IoT devices is intensifying, forcing defenders to adapt their strategies from hunting for known malware signatures to identifying the behavioral footprints of persistent, adaptive threats.
