{
    "@context": "https://schema.org",
    "@type": "NewsArticle",
    "@id": "https://hostdir.net/blog/new-botnet-c0xmo-and-chinese-apt-malware-campaigns-target-routers-and-cloud-systems",
    "headline": "New Botnet C0XMO and Chinese APT Malware Campaigns Target Routers and Cloud Systems",
    "alternativeHeadline": "Fortinet uncovers advanced Gafgyt variant exploiting DD-WRT flaw, while Chinese APT deploys new backdoors in Microsoft 365 environments",
    "url": "https://hostdir.net/blog/new-botnet-c0xmo-and-chinese-apt-malware-campaigns-target-routers-and-cloud-systems",
    "datePublished": "2026-06-09T09:43:00+00:00",
    "dateModified": "2026-06-09T15:07:34+00:00",
    "author": {
        "@type": "Organization",
        "name": "HostDir News Desk",
        "url": "https://hostdir.net"
    },
    "publisher": {
        "@type": "Organization",
        "name": "HostDir",
        "url": "https://hostdir.net",
        "logo": {
            "@type": "ImageObject",
            "url": "https://hostdir.net/assets/logo.svg"
        }
    },
    "image": "https://hostdir.net/uploads/news/f4c3c19401d71cc2.webp",
    "description": "A new botnet called C0XMO exploits a DD-WRT router vulnerability to spread and kill rival malware, while Chinese APT UNC5221 uses new tools like Plenet and AgentPSD to maintain access to hacked networks.",
    "articleSection": "Security",
    "articleBody": "Security researchers have identified two distinct malware campaigns this week: a new botnet variant targeting DD-WRT routers and a Chinese advanced persistent threat (APT) group deploying previously undocumented backdoors in Microsoft 365 environments. The campaigns highlight the growing sophistication of both IoT botnets and state-sponsored espionage tools.\n\nFortinet researchers discovered C0XMO, a variant of the Gafgyt botnet, which exploits CVE-2021-27137, a buffer overflow vulnerability in DD-WRT router firmware. The malware supports 19 distributed denial-of-service (DDoS) methods, including UDP/TCP/SYN/ICMP floods, ping of death, and NTP/Memcached amplification. It also actively scans for and terminates rival botnet clients and red-team tools on infected hosts.\n\nC0XMO Botnet: Modular Design and Lateral Movement\n\nC0XMO uses a Python-based scanner to randomly scan internet-facing systems on ports 22, 23, 80, 443, 7547, 8080, 8443, and 8888. After brute-forcing weak Telnet and SSH credentials, it detects the CPU architecture and deploys a compatible binary. The malware hides in directories like /tmp/.sys and /var/tmp/.sys, creates cron jobs for persistence every 15 minutes, and modifies shell startup files for automatic execution.\n\n- Targets ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures\n- Exploits vulnerabilities in DVRs, routers, video management platforms, and Android devices\n- Uses a custom multi-stage handshake with magic strings and shared secrets to connect to a hardcoded C2 server\n- Fortinet describes C0XMO as having \"a considerably more advanced architecture and feature set compared to earlier IoT botnets\"\n\nChinese APT UNC5221 Deploys New Backdoors\n\nSeparately, the Chinese espionage group UNC5221 has been observed accessing Microsoft 365 environments using a backdoor called Brickstorm and two previously undocumented malware families: Plenet and AgentPSD. The group maintains persistent access to compromised networks, according to researchers. In a related development, ReliaQuest identified a threat cluster dubbed OP-512 targeting Microsoft Internet Information Services (IIS) servers with a custom web shell framework. ReliaQuest assessed with moderate to high confidence that OP-512 is linked to China.\n\nThe convergence of IoT botnet evolution and state-sponsored espionage underscores the need for organizations to patch vulnerabilities promptly, use unique admin credentials, and disable remote access when not needed. Fortinet recommends keeping all devices updated to defend against C0XMO and similar threats.",
    "mainEntityOfPage": "https://hostdir.net/blog/new-botnet-c0xmo-and-chinese-apt-malware-campaigns-target-routers-and-cloud-systems",
    "license": "https://creativecommons.org/licenses/by/4.0/",
    "citation": [
        {
            "@type": "CreativeWork",
            "name": "C0XMO botnet spreads via DD-WRT router flaw, kills rival malware",
            "url": "https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/"
        },
        {
            "@type": "CreativeWork",
            "name": "Chinese APT deploys new malware to keep access to hacked networks",
            "url": "https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/"
        },
        {
            "@type": "CreativeWork",
            "name": "New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework",
            "url": "https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html"
        }
    ],
    "_hostdir": {
        "kind": "news-article",
        "slug": "new-botnet-c0xmo-and-chinese-apt-malware-campaigns-target-routers-and-cloud-systems",
        "canonical": "https://hostdir.net/blog/new-botnet-c0xmo-and-chinese-apt-malware-campaigns-target-routers-and-cloud-systems",
        "category": "security",
        "sources": [
            {
                "url": "https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/",
                "title": "C0XMO botnet spreads via DD-WRT router flaw, kills rival malware",
                "source_name": "BleepingComputer",
                "source_slug": "bleeping-computer"
            },
            {
                "url": "https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/",
                "title": "Chinese APT deploys new malware to keep access to hacked networks",
                "source_name": "BleepingComputer",
                "source_slug": "bleeping-computer"
            },
            {
                "url": "https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html",
                "title": "New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework",
                "source_name": "The Hacker News",
                "source_slug": "hacker-news"
            }
        ],
        "fact_checks": [
            {
                "claim": "C0XMO exploits CVE-2021-27137, a buffer overflow vulnerability in DD-WRT router firmware.",
                "source_url": "https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/",
                "verdict": "verified"
            },
            {
                "claim": "C0XMO supports 19 DDoS methods including UDP/TCP/SYN/ICMP floods and ping of death.",
                "source_url": "https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/",
                "verdict": "verified"
            },
            {
                "claim": "Chinese APT UNC5221 uses Brickstorm backdoor and new malware Plenet and AgentPSD to access Microsoft 365 environments.",
                "source_url": "https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/",
                "verdict": "reported"
            },
            {
                "claim": "ReliaQuest identified OP-512 targeting Microsoft IIS servers with a custom web shell framework, linked to China with moderate to high confidence.",
                "source_url": "https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html",
                "verdict": "reported"
            }
        ],
        "internal_links": [
            {
                "anchor": "Telnet",
                "target_url": "/datacenters?operator=telnet",
                "target_kind": "datacenter_operator"
            }
        ],
        "license": "CC BY 4.0",
        "license_url": "https://creativecommons.org/licenses/by/4.0/",
        "attribution": "HostDir News Desk — https://hostdir.net/blog/new-botnet-c0xmo-and-chinese-apt-malware-campaigns-target-routers-and-cloud-systems"
    }
}