[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZ1ze269YYfqCTL6koMMBArXl6Q-xkZLzXwrnGEEHa4o":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"4eeab972-ab1d-476b-9465-5f9fd0c42dc6","C0XMO botnet spreads via DD-WRT router flaw, kills rival malware","c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware-af428b","A new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures. [...]","A new Gafgyt botnet variant, C0XMO, is actively targeting DD-WRT router firmware and other devices across multiple CPU architectures. It exploits CVE-2021-27137 to gain arbitrary code execution and then actively terminates competitor botnet processes and tools to maintain dominance. The botnet is designed for launching distributed denial-of-service (DDoS) attacks.","C0XMO botnet exploits DD-WRT flaw to spread, disabling rival malware.","C0XMO botnet spreads via DD-WRT router flaw, kills rival malware By Bill Toulas June 7, 2026 10:17 AM 0 A new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures. The researchers found samples for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures, featuring exploits for DVRs, routers, video management platforms, and Android-based devices. The botnet was seen targeting a Japanese technology company, but researchers discovered that the source IP address was for a device located in Germany. Fortinet researchers discovered C0XMO and highlighted its modular design, which allows operators to update its exploitation techniques, add\u002Fremove targeted architectures, and expand its lateral movement capabilities independently of the main payload. Fundamentally, C0XMO remains a malware for launching distributed denial-of-service (DDoS) attacks and supports 19 methods, including UDP\u002FTCP\u002FSYN\u002FICMP floods, “ping of death,” NTP\u002FMemcached amplification, Discord voice UDP floods, and Valve-specific floods. According to the researchers, the C0XMO botnet malware is delivered by exploiting CVE-2021-27137, a buffer overflow vulnerability caused by insufficient user input. It can be leveraged without authentication and leads to executing arbitrary code. Gafgyt scanner For wider distribution, C0XMO downloads a Python script that installs additional packages such as ‘requests,’ ‘paramiko,’ and ‘beautifulsoup4,’ which are required for network scanning and communication, and for running activities over SSH and telnet protocols. The scanner then uses worker threads to randomly scan internet-facing systems on common ports like 22 (SSH), 23 (Telnet), 80\u002F443 (HTTP\u002FHTTPS), 7547, 8080, 8443, 8888, and others. After finding a target, the malware attempts to brute-force weak Telnet and SSH credentials, detects the CPU architecture, and deploys a compatible C0XMO binary. The script contains almost two dozen functions for various tasks for scanning, exploiting HTTP and ADB-based vulnerabilities, detecting the CPU architecture, SSH\u002Ftelenet login, and checking IP addresses. Its main purpose is to move laterally on the network. Once it gains access to a device, the malware copies itself to hidden locations such as ‘\u002Ftmp\u002F.sys,’ ‘\u002Fvar\u002Ftmp\u002F.sys,’ and ‘\u002Fdev\u002Fshm\u002F.sys,’ and then creates cron jobs that relaunch it every 15 minutes. Also, shell startup files are modified to enable automatic execution. Furthermore, C0XMO actively scans running processes to identify competitor botnet clients on the host, as well as red-team tools, programming tools, and network services that may interfere with its operation, and terminates them. It does so by deleting binaries and removing their persistence mechanisms, including cron jobs, init scripts, system services, and shell profile entries. List of processes the malware checks forSource: Fortinet After that, it connects to a hardcoded command-and-control (C2) address using a custom multi-stage handshake that includes magic strings and shared secrets, and then awaits commands. The supported commands include heartbeat checks, starting and stopping scans, and launching DDoS attacks using one of the 19 supported methods. The general recommendation for defending against C0XMO and other botnet malware is to keep devices up to date, use unique admin credentials, and disable remote access capabilities when not needed. Fortinet describes C0XMO as having \"a considerably more advanced architecture and feature set compared to earlier IoT botnets.\" The researchers note that the overall design of the malware indicates \"a greater degree of operational sophistication and complexity than typical Gafgyt malware.\" Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Dutch govt disrupts malware botnet with 17 million infected devicesUS and Canada arrest and charge suspected Kimwolf botnet adminGoogle accidentally exposed details of unfixed Chromium flawRussian hackers turn Kazuar backdoor into modular P2P botnetNew Mirai campaign exploits RCE flaw in EoL D-Link routers","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fc0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F06\u002F05\u002FBotnet.jpg","2026-06-07T14:17:46+00:00","2026-06-07T16:00:18.780427+00:00",8,[18,21],{"name":19,"type":20},"DD-WRT","product",{"name":22,"type":23},"Fortinet","vendor","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":24,"icon":26,"name":27,"slug":28},null,"Malware","malware",[30,35,37,42],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":36},{"id":24,"icon":26,"name":27,"slug":28},{"category":38},{"id":39,"icon":26,"name":40,"slug":41},"d6f63bb8-0801-486a-be7f-171400700454","IoT\u002FOT","iot-ot",{"category":43},{"id":44,"icon":26,"name":45,"slug":46},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[48],{"type":49,"value":50,"context":51},"cve","CVE-2021-27137","Vulnerability exploited for initial infection"]