A newly discovered botnet called C0XMO is targeting home and business routers running DD-WRT firmware, using a years-old vulnerability to break in, dig deep, and attack anything in its path. Researchers who analysed the C0XMO botnet found a piece of malware that goes well beyond what most IoT threats are capable of, from killing rival malware to launching DDoS floods across 19 different attack methods.
What Is DD-WRT and Why Does It Matter?
DD-WRT is a custom, open-source firmware that many users install on their routers to unlock advanced features that stock firmware does not offer. Privacy-conscious users, home lab enthusiasts, and small businesses all favour it. That popularity, however, also makes it an attractive target.
C0XMO breaks into DD-WRT devices by exploiting CVE-2021-27137, a buffer overflow vulnerability in the firmware. A buffer overflow happens when a programme receives more data than it was designed to handle, causing it to overwrite adjacent memory. Crucially, an attacker can trigger this flaw without any login credentials. No password is required. Successful exploitation gives the attacker the ability to run their own code on the device.
Devices running unpatched versions of DD-WRT remain exposed.
How the C0XMO Botnet Spreads
Once a router is infected, C0XMO wastes no time expanding its foothold. It downloads a Python script that installs several packages, including tools for network scanning, SSH communication, and web interaction. These tools allow the malware to probe other internet-connected devices and attempt to break into them.
The scanner targets devices on common ports such as SSH (22), Telnet (23), and HTTP (80/443). When it finds a potential target, it tries to brute-force its way in using weak default credentials. It also detects what processor the target device runs, then drops the right version of itself onto that machine.
Researchers found samples built for ARM, MIPS, PowerPC, SuperH, x86, and other architectures. That broad compatibility means the C0XMO botnet can jump from routers to DVRs, video management platforms, and Android-based devices.
Persistence and Self-Protection
After gaining access, C0XMO hides in system directories designed for temporary files, such as /tmp/.sys and /dev/shm/.sys. It creates scheduled tasks that relaunch it every 15 minutes and modifies shell startup files so it runs automatically after every reboot.
One of the more aggressive features of the C0XMO botnet is its ability to hunt down and destroy competing threats. The malware scans running processes to identify other botnet clients, penetration testing tools, and network services that might interfere. When it finds them, it does not just terminate the process. It deletes the underlying binaries and strips out every persistence mechanism those programmes used, including cron jobs, system services, and shell profile entries.
This behaviour is a deliberate strategy. By eliminating competitors, C0XMO secures exclusive control over the infected device and removes anything that might draw unwanted attention.
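As an added example that is not part of the researchers' report, the following POSIX shell check is one a DD-WRT administrator could run over SSH (or against a mounted backup) to look for the persistence artefacts described above. Only the two .sys drop paths come from the report; the cron and shell-profile locations, the function name and the regex are assumptions.

```shell
#!/bin/sh
# Added defender-side check for the C0XMO persistence artefacts described in
# the article. Not the researchers' code. Only /tmp/.sys and /dev/shm/.sys are
# from the report; cron and profile paths below are assumptions about DD-WRT.
# Usage: c0xmo_check            -> checks the live system
#        c0xmo_check /mnt/bak   -> checks a mounted copy of a router filesystem
DROP_RE='/(tmp|dev/shm)/\.sys'

c0xmo_check() {
    root="${1:-/}"; root="${root%/}"   # "/" or no argument means the live system
    findings=0

    # 1. Hidden .sys directories in the tmpfs locations named in the report.
    for d in "$root/tmp/.sys" "$root/dev/shm/.sys"; do
        if [ -d "$d" ]; then
            echo "SUSPICIOUS: hidden drop directory $d" >&2
            findings=$((findings + 1))
        fi
    done

    # 2. Cron entries that relaunch something from a drop directory
    #    (assumed DD-WRT cron dirs plus the usual BusyBox crontab path).
    for f in "$root"/tmp/cron.d/* "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if grep -Eq "$DROP_RE" "$f"; then
            echo "SUSPICIOUS: cron file $f references a drop directory" >&2
            findings=$((findings + 1))
        fi
    done

    # 3. Shell startup files edited so the payload runs after reboot/login.
    for f in "$root/etc/profile" "$root/root/.profile" "$root/root/.bashrc"; do
        [ -f "$f" ] || continue
        if grep -Eq "$DROP_RE" "$f"; then
            echo "SUSPICIOUS: startup file $f references a drop directory" >&2
            findings=$((findings + 1))
        fi
    done

    # Finding count on stdout (for scripting); non-zero exit if anything hit.
    echo "$findings"
    [ "$findings" -eq 0 ]
}

# When run as a script with a path argument, check that tree.
if [ $# -gt 0 ]; then c0xmo_check "$1"; fi
```

A hit is a reason to pull the device offline and reflash with current firmware, not to clean by hand, since the malware also removes other processes' persistence and may have altered more than these files.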
Connecting to Command and Control
After establishing itself, the malware connects to a hardcoded command-and-control server using a custom handshake that includes embedded secret strings. This multi-stage process verifies the connection before accepting any orders.
From there, the botnet awaits instructions. Operators can tell it to start or stop scanning, check its status, or launch attacks. The attack options are extensive. C0XMO supports 19 DDoS methods, including UDP, TCP, SYN, and ICMP floods, a “ping of death” attack, amplification using NTP and Memcached protocols, Discord voice channel floods, and Valve game server attacks.
Researchers observed it targeting a technology company in Japan, though the attacking device traced back to Germany. That mismatch is typical of how botnets operate. The devices doing the attacking are themselves victims, scattered across the globe.
A More Advanced Threat Than Typical IoT Malware
Gafgyt is a well-known botnet family that has targeted poorly secured IoT devices for over a decade. C0XMO builds on that foundation but takes things significantly further.
Its modular design lets operators update exploitation techniques, add or remove supported architectures, and expand its reach without rebuilding the core payload. That flexibility makes it harder to counter with static detection rules. Researchers described the C0XMO botnet as reflecting a greater degree of operational sophistication than typical Gafgyt variants, with a considerably more advanced architecture and feature set.
How to Protect Your Router
Users running DD-WRT should update to the latest available firmware version to close CVE-2021-27137. Beyond patching, replace any default admin credentials with strong, unique passwords. Also disable remote access features, such as SSH or the web management interface, when they are not actively needed.
Final Thoughts
The C0XMO botnet shows what happens when old, unpatched vulnerabilities sit open on internet-facing devices. A flaw from 2021 is now powering a modular, multi-architecture botnet that wipes out rival malware, survives reboots, and runs large-scale DDoS campaigns. The devices caught in the middle often belong to people who have no idea their router is doing anything beyond routing traffic. Keeping firmware current and locking down remote access remains the most effective defence available.