Tags: botnet, IoT security, DD-WRT, DDoS, Gafgyt

C0XMO Botnet Exploits DD-WRT Routers, Evicts Rival Malware to Claim Territory

C0XMO is a new, advanced variant of the Gafgyt botnet that exploits CVE-2021-27137, a buffer overflow vulnerability in DD-WRT router firmware, to spread across multiple device types and CPU architectures. It supports 19 DDoS attack methods, uses a Python-based scanner to brute-force credentials and move laterally across networks, and actively eliminates rival malware and security tools to maintain dominance on infected devices. Researchers at Fortinet describe it as significantly more sophisticated than typical IoT botnets, recommending that users keep devices patched, use strong credentials, and disable unnecessary remote access.

A new Gafgyt variant called C0XMO has emerged, and it is nastier than most. Discovered by Fortinet researchers, the botnet targets DD-WRT router firmware and comes compiled for a wide range of CPU architectures including ARM, MIPS, PowerPC, SuperH, x86, and x86_64. That breadth of target support is not accidental.

The initial infection vector is CVE-2021-27137, a buffer overflow in DD-WRT caused by inadequate input validation. No authentication required. Researchers spotted C0XMO hitting a Japanese tech company, though the source IP traced back to a compromised device sitting in Germany. Classic botnet geography.

What makes C0XMO worth paying attention to is its modular architecture. Operators can swap out exploit modules, add or drop supported architectures, and tweak lateral movement capabilities without touching the core payload. That kind of separation of concerns is not something you typically see in commodity IoT malware.

Once inside a device, the malware downloads a Python script that pulls in packages including requests, paramiko, and beautifulsoup4. These handle network scanning, SSH and Telnet sessions, and HTTP interactions. Worker threads then randomly probe internet-facing devices across common ports: 22, 23, 80, 443, 7547, 8080, 8443, 8888, and others. When a target responds, C0XMO attempts to brute-force weak credentials, fingerprints the CPU architecture, and drops an appropriate binary.

Persistence is thorough. The malware copies itself to locations like /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys, sets up cron jobs to relaunch every 15 minutes, and modifies shell startup files for good measure.
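The persistence artifacts listed above are concrete enough to hunt for. The following POSIX sh script is an added example, not code from the Fortinet report or the malware itself: it checks a filesystem root (a mounted router image, or the live system when no argument is given) for the hidden `.sys` drop paths, a `*/15` cron relaunch entry pointing at such a binary, and `.sys` references in shell startup files. The cron and profile file locations are assumptions, since DD-WRT builds differ; extend the lists for your firmware.

```sh
#!/bin/sh
# Added hunt script (not from the Fortinet report): looks for the C0XMO
# persistence artifacts the write-up names. ROOT (first argument) is a
# mounted image or test fixture; empty means the live filesystem.
# Returns 0 when nothing is found, 1 when at least one artifact is present.

# Drop locations named in the report for the hidden .sys binary.
SYS_DROPS="/tmp/.sys /var/tmp/.sys /dev/shm/.sys"
# Cron files and directories to inspect (assumed common locations; DD-WRT
# builds differ, so extend these lists for your firmware).
CRON_FILES="/etc/crontab /tmp/crontab /var/spool/cron/crontabs/root"
CRON_DIRS="/etc/cron.d /tmp/cron.d"
# Shell startup files the report says are modified (assumed list).
PROFILE_FILES="/etc/profile /root/.profile /root/.bashrc /root/.shinit"

check_cron_file() {
  # An uncommented */15 schedule that launches a hidden .sys binary is the
  # every-15-minutes relaunch pattern described in the report.
  grep -Eq '^[^#]*\*/15[[:space:]].*\.sys' "$1"
}

c0xmo_persistence_check() {
  root="${1:-}"
  found=0
  for p in $SYS_DROPS; do
    [ -e "$root$p" ] && { echo "DROP    $root$p"; found=1; }
  done
  for f in $CRON_FILES; do
    [ -f "$root$f" ] && check_cron_file "$root$f" && { echo "CRON    $root$f"; found=1; }
  done
  for d in $CRON_DIRS; do
    # Unmatched glob stays literal and fails the -f test, so it is skipped.
    for f in "$root$d"/*; do
      [ -f "$f" ] && check_cron_file "$f" && { echo "CRON    $f"; found=1; }
    done
  done
  for s in $PROFILE_FILES; do
    [ -f "$root$s" ] && grep -Fq '.sys' "$root$s" && { echo "PROFILE $root$s"; found=1; }
  done
  return $found
}

# Usage: . ./c0xmo_check.sh && c0xmo_persistence_check /mnt/router_image
```

A hit on any line is a reason to image the device and rebuild from clean firmware rather than just deleting the file, since the report notes the malware re-drops itself from several locations.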

There is also a competitive streak. C0XMO actively scans running processes for rival botnet clients, red-team tools, and anything else that might interfere with its operation, then kills them. It does not stop at terminating processes either. It removes associated binaries, cron jobs, init scripts, system services, and shell profile entries. Thorough eviction.

After establishing control, the malware connects to a hardcoded C2 address using a custom multi-stage handshake involving magic strings and shared secrets, then waits for instructions.

The DDoS capabilities are extensive. C0XMO supports 19 attack methods including UDP, TCP, SYN, and ICMP floods, ping of death, NTP and Memcached amplification, Discord voice UDP floods, and Valve-specific attack vectors. The last two suggest whoever built this is targeting gaming infrastructure, which is a lucrative and unfortunately well-established DDoS market.

Fortinet describes the overall design as reflecting considerably more sophistication than typical Gafgyt malware. That tracks. Most IoT botnets are blunt instruments. This one has modular architecture, active competitor suppression, and multi-architecture support baked in from the start.

The standard advice applies: keep firmware updated, stop reusing default credentials, and turn off remote access when you are not using it. CVE-2021-27137 is five years old. If your DD-WRT device is still exposed to that, C0XMO is not your only problem.