New Botnet C0XMO and Chinese APT Malware Campaigns Target Routers and Cloud Systems
A new botnet called C0XMO exploits a DD-WRT router vulnerability to spread and kill rival malware, while Chinese APT UNC5221 uses new tools like Plenet and AgentPSD to maintain access to hacked networks.
Security researchers have identified two distinct malware campaigns this week: a new botnet variant targeting DD-WRT routers and a Chinese advanced persistent threat (APT) group deploying previously undocumented backdoors in Microsoft 365 environments. The campaigns highlight the growing sophistication of both IoT botnets and state-sponsored espionage tools.
Fortinet researchers discovered C0XMO, a variant of the Gafgyt botnet, which exploits CVE-2021-27137, a buffer overflow vulnerability in DD-WRT router firmware. The malware supports 19 distributed denial-of-service (DDoS) methods, including UDP/TCP/SYN/ICMP floods, ping of death, and NTP/Memcached amplification. It also actively scans for and terminates rival botnet clients and red-team tools on infected hosts.
C0XMO Botnet: Modular Design and Lateral Movement
C0XMO uses a Python-based scanner to randomly scan internet-facing systems on ports 22, 23, 80, 443, 7547, 8080, 8443, and 8888. After brute-forcing weak Telnet and SSH credentials, it detects the CPU architecture and deploys a compatible binary. The malware hides in directories such as /tmp/.sys and /var/tmp/.sys, creates cron jobs that run every 15 minutes for persistence, and modifies shell startup files so that it executes automatically.
- Targets ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures
- Exploits vulnerabilities in DVRs, routers, video management platforms, and Android devices
- Uses a custom multi-stage handshake with magic strings and shared secrets to connect to a hardcoded C2 server
- Fortinet describes C0XMO as having "a considerably more advanced architecture and feature set compared to earlier IoT botnets"
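The persistence described above (hidden staging directories, a 15-minute cron cadence, modified shell startup files) gives a defender something concrete to look for on a Linux or BusyBox host. The triage helper below is an added example, not Fortinet's code or the malware's; it parses crontab and startup-file contents rather than reading live files, and the sample inputs, including the binary name `.x86`, are constructed.

```python
# Added triage helper (not Fortinet's code); sample inputs below are constructed.
SUSPECT_DIRS = ("/tmp/.sys", "/var/tmp/.sys")  # staging directories named in the report

def cron_minute_is_every_15(minute_field):
    """True for the two usual spellings of a 15-minute cron cadence."""
    if minute_field == "*/15":
        return True
    parts = minute_field.split(",")
    return len(parts) == 4 and {int(p) for p in parts if p.isdigit()} == {0, 15, 30, 45}

def check_crontab(crontab_text):
    """Flag 15-minute cron entries whose command lives under a suspect directory."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment such as SHELL=/bin/sh
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        if cron_minute_is_every_15(minute) and any(d in command for d in SUSPECT_DIRS):
            hits.append({"type": "cron", "line": line})
    return hits

def check_startup_file(path, content):
    """Flag lines in a shell startup file that reference a suspect directory."""
    return [{"type": "startup", "file": path, "line": ln.strip()}
            for ln in content.splitlines() if any(d in ln for d in SUSPECT_DIRS)]

def triage(crontab_text, startup_files):
    """Run both checks; startup_files maps a path to that file's content."""
    findings = check_crontab(crontab_text)
    for path, content in startup_files.items():
        findings.extend(check_startup_file(path, content))
    return findings

# Constructed sample input; the binary name .x86 is a placeholder, not a real IoC.
SAMPLE_CRONTAB = """# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.sys/.x86 >/dev/null 2>&1
"""
SAMPLE_BASHRC = """export PATH=$PATH:/usr/local/bin
/var/tmp/.sys/.x86 &
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_CRONTAB, {"/root/.bashrc": SAMPLE_BASHRC}):
        print(finding)
```

On a real host, feed it the output of `crontab -l` (or the contents of /etc/crontabs/root on BusyBox) and the shell startup files you care about; a hit is a lead to investigate, not proof of this specific family.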
Chinese APT UNC5221 Deploys New Backdoors
Separately, the Chinese espionage group UNC5221 has been observed accessing Microsoft 365 environments using a backdoor called Brickstorm and two previously undocumented malware families: Plenet and AgentPSD. The group maintains persistent access to compromised networks, according to researchers. In a related development, ReliaQuest identified a threat cluster dubbed OP-512 targeting Microsoft Internet Information Services (IIS) servers with a custom web shell framework. ReliaQuest assessed with moderate to high confidence that OP-512 is linked to China.
The convergence of IoT botnet evolution and state-sponsored espionage underscores the need for organizations to patch vulnerabilities promptly, use unique admin credentials, and disable remote access when not needed. Fortinet recommends keeping all devices updated to defend against C0XMO and similar threats.
Fact check
- C0XMO exploits CVE-2021-27137, a buffer overflow vulnerability in DD-WRT router firmware. (verified)
- C0XMO supports 19 DDoS methods including UDP/TCP/SYN/ICMP floods and ping of death. (verified)
- Chinese APT UNC5221 uses the Brickstorm backdoor and the new malware families Plenet and AgentPSD to access Microsoft 365 environments. (reported)
- ReliaQuest identified OP-512 targeting Microsoft IIS servers with a custom web shell framework, linked to China with moderate to high confidence. (reported)