By MSB
A new variant of the notorious Gafgyt botnet, dubbed C0XMO, is actively targeting routers running DD-WRT firmware, adding to the growing list of threats aimed at internet-facing IoT devices. What sets this campaign apart is not only its ability to spread across multiple hardware architectures but also its aggressive behavior: once it compromises a device, it actively removes competing malware to maintain exclusive control of the infected system.
According to researchers at FortiGuard Labs, C0XMO exploits CVE-2021-27137, a buffer overflow vulnerability affecting older versions of DD-WRT. The flaw allows attackers to execute remote code without authentication through specially crafted requests sent to the router's UPnP service. Although the vulnerability was patched years ago, countless devices remain unpatched and exposed to the internet.
Once a device is compromised, the botnet downloads payloads tailored to multiple processor architectures, including ARM, MIPS, PowerPC, SuperH, x86, and x86_64. This flexibility allows the malware to expand far beyond home routers, reaching DVRs, surveillance platforms, and Android-based devices.
Researchers also observed a growing trend within the botnet ecosystem: competition among cybercriminals. C0XMO contains routines specifically designed to detect and remove other malware families already present on an infected device. From an attacker's perspective, every compromised system is a valuable asset. Sharing it with a rival botnet means losing resources that could otherwise be used for distributed denial-of-service (DDoS) attacks, malware distribution, credential theft, or future cyber operations.
The threat also employs a standalone Python-based scanner to identify new vulnerable targets. The scanner searches for exposed devices and attempts multiple infection methods, including exploiting weak SSH and Telnet credentials. This level of automation enables the botnet to spread rapidly and efficiently across the internet.
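From the defender's side, the credential-guessing described above leaves a clear trace in a router's own syslog: bursts of failed SSH or Telnet logins from one source in a short window. The script below is an added example, not part of the original article or of any FortiGuard analysis. It parses a few constructed log lines (the dropbear and BusyBox `login` message formats are an assumption; exact wording varies by firmware build) and flags sources that exceed a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not a real capture). They mimic the wording of
# dropbear (the SSH daemon typically shipped with DD-WRT), BusyBox login (Telnet)
# and OpenSSH; treat the formats as assumptions and adjust for your firmware.
SAMPLE_LOG = """\
Mar  3 10:00:01 router dropbear[2201]: Bad password attempt for 'root' from 203.0.113.7:40122
Mar  3 10:00:02 router dropbear[2202]: Bad password attempt for 'admin' from 203.0.113.7:40123
Mar  3 10:00:03 router dropbear[2203]: Login attempt for nonexistent user from 203.0.113.7:40124
Mar  3 10:00:04 router dropbear[2204]: Bad password attempt for 'root' from 203.0.113.7:40125
Mar  3 10:00:05 router dropbear[2205]: Bad password attempt for 'root' from 203.0.113.7:40126
Mar  3 10:00:09 router login[2210]: invalid password for 'root' on 'pts/0' from '203.0.113.7'
Mar  3 10:07:30 router dropbear[2300]: Bad password attempt for 'root' from 198.51.100.20:51000
Mar  3 10:15:00 router dropbear[2400]: Password auth succeeded for 'admin' from 192.168.1.10:53321
"""

# Generic BSD-syslog envelope: timestamp, host, process[pid]: message
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)

# Message fragments that mean "authentication failed"; each captures the source as 'ip'.
FAIL_PATTERNS = [
    re.compile(r"Bad password attempt for '[^']*' from (?P<ip>[\d.]+):\d+"),       # dropbear
    re.compile(r"Login attempt for nonexistent user from (?P<ip>[\d.]+):\d+"),    # dropbear
    re.compile(r"invalid password for '[^']*' on '[^']*' from '(?P<ip>[\d.]+)'"),  # BusyBox login
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"),  # OpenSSH
]


def parse_failures(log_text):
    """Return a time-sorted list of (timestamp, source_ip) for every failed login."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        for pat in FAIL_PATTERNS:
            f = pat.search(m.group("msg"))
            if f:
                # Syslog carries no year; strptime defaults to 1900, which is fine for deltas.
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                events.append((ts, f.group("ip")))
                break
    events.sort()
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds-long window.

    Returns {ip: {"failures": max_in_window, "first": datetime, "last": datetime}}.
    """
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    alerts = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"failures": 0, "first": q[0], "last": ts})
            a["failures"] = max(a["failures"], len(q))
            a["last"] = ts
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures between "
              f"{info['first']:%b %d %H:%M:%S} and {info['last']:%b %d %H:%M:%S}")
```

On the constructed input only 203.0.113.7 crosses the threshold; the single failure from 198.51.100.20 and the successful LAN login are ignored. A router that has a single WAN-facing login prompt should never see such bursts at all, so a firing alert is also a signal that the service is reachable from the internet and should be restricted.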
Botnets such as C0XMO remain a persistent threat to the global internet ecosystem. Every compromised router, IP camera, digital video recorder, or IoT gateway becomes part of a remotely controlled network that can be weaponized for DDoS attacks, malware delivery, proxy services, or other criminal activities.
The campaign once again highlights one of the biggest challenges facing the Internet of Things: a lack of updates. Millions of devices continue to operate with vulnerable firmware years after security patches have been released. In many cases, users are unaware that their routers require regular maintenance. Others simply continue using devices that have reached end-of-life status and no longer receive vendor support.
Security experts recommend updating router and IoT firmware whenever possible, disabling unnecessary internet-facing services, changing default credentials, and restricting remote access. These basic security measures remain among the most effective ways to prevent devices from being recruited into botnets.
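A concrete way to act on "disable unnecessary internet-facing services" is to audit which sockets a router actually listens on. The script below is an added example, not code from the article or from any firmware project. It parses a constructed `netstat -tuln` snapshot in the BusyBox layout and reports management and UPnP services bound to all interfaces (`0.0.0.0` or `::`) rather than to a LAN address; the LAN range and the use of port 5000 as the UPnP IGD control port are assumptions made for the sample.

```python
import ipaddress

# Constructed `netstat -tuln` snapshot from a home router (BusyBox-style columns, not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 192.168.1.1:53          0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
"""

# Management and discovery services that have no business answering on the WAN side.
# The 5000/tcp entry (UPnP IGD control) is an assumption for this constructed snapshot;
# check the actual port in your firmware's UPnP daemon configuration.
RISKY_SERVICES = {
    ("tcp", 23): "telnet",
    ("tcp", 22): "ssh",
    ("tcp", 80): "http admin UI",
    ("tcp", 443): "https admin UI",
    ("tcp", 5000): "UPnP IGD control",
    ("udp", 1900): "SSDP/UPnP discovery",
}


def parse_listeners(netstat_text):
    """Return (proto, bind_address, port) for each listening socket in netstat output."""
    listeners = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue  # header lines and anything that is not a socket row
        proto = cols[0].rstrip("6")            # tcp6/udp6 -> tcp/udp
        host, port = cols[3].rsplit(":", 1)    # works for '0.0.0.0:22' and ':::443'
        listeners.append((proto, ipaddress.ip_address(host), int(port)))
    return listeners


def audit_listeners(netstat_text, lan_networks=("192.168.1.0/24",)):
    """Classify each risky listener as LAN-bound or exposed on all interfaces.

    A wildcard bind is reachable from the WAN unless the firewall drops it, so
    every 'exposed' finding should be cross-checked against the firewall rules.
    """
    lan = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        service = RISKY_SERVICES.get((proto, port))
        if service is None:
            continue
        lan_only = any(addr in n for n in lan)
        exposed = addr.is_unspecified or not lan_only
        findings.append({
            "proto": proto,
            "port": port,
            "service": service,
            "bind": str(addr),
            "exposed": exposed,
            "advice": ("disable, or bind to the LAN address and block on WAN"
                       if exposed else "LAN-only bind; confirm WAN input is still filtered"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        flag = "EXPOSED " if f["exposed"] else "lan-only"
        print(f"{flag} {f['proto']}/{f['port']:<5} {f['service']:<22} bind={f['bind']:<12} {f['advice']}")
```

On the sample, Telnet, SSH, the HTTPS admin UI, SSDP and the UPnP control port all bind to every interface, while the HTTP admin UI and DNS are confined to the LAN address. A wildcard bind alone does not prove WAN reachability, because the router's firewall may drop inbound WAN traffic; the useful follow-up is to run this audit on the live device, then confirm each exposed finding against the firewall rules and disable what is not needed (UPnP in particular, given the attack vector described above).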
However, a difficult question remains: what should users do when security updates are no longer available? Unless an alternative firmware such as DD-WRT, OpenWrt, or FreshTomato can be safely installed—a possibility that exists for only a limited number of devices—the most responsible option may be to replace the hardware entirely. While this requires an additional investment, continuing to operate unsupported network equipment can expose both users and organizations to significant security risks.
Devices commonly capable of running alternative firmware include popular home routers such as the following:
- Linksys WRT54G
- Linksys WRT1900ACS
- Netgear R7000 Nighthawk
- Netgear R7800
- TP-Link Archer C7
- TP-Link Archer C2600
- ASUS RT-AC68U
- ASUS RT-AC88U
- Several Buffalo WZR series models
Small office routers, VPN gateways, wireless bridges, access points, and certain Linux-based IoT platforms can also support alternative firmware solutions.
Beyond routers, attackers frequently target IP cameras, DVR/NVR surveillance systems, IoT gateways, Wi-Fi repeaters, industrial automation equipment, modified Android TV devices, and customer-premises equipment (CPE) provided by internet service providers.
These devices are particularly attractive targets because they are often powered on 24 hours a day, connected directly to the internet, poorly monitored, rarely updated, and protected by weak or default credentials. For cybercriminals operating botnets, they represent a nearly ideal source of persistent computing resources.
The emergence of C0XMO demonstrates that threat actors continue to search for forgotten and vulnerable devices to expand their malicious networks. As long as millions of IoT devices remain unpatched and exposed, new botnet variants will continue to find opportunities to transform the world's connected infrastructure into a massive cybercriminal army.
Are you affected by this new exploit? Maybe your work network?