C0XMO Botnet Spreads via DD-WRT Router Flaw, Kills Rival Malware

The emergence of C0XMO underscores how IoT botnets are evolving beyond simple malware droppers into highly adaptable platforms. By targeting the widely used DD‑WRT firmware, the botnet leverages a known buffer‑overflow (CVE‑2021‑27137) that requires no authentication, allowing rapid code execution on routers, DVRs, and even Android‑based devices. Its multi‑architecture payloads—covering ARM, MIPS, PowerPC, SuperH, x86 and x86_64—demonstrate a level of engineering previously seen only in more mature threat actors, expanding the attack surface across consumer and enterprise networks alike.

C0XMO’s operational workflow combines aggressive scanning, credential stuffing, and a custom Python‑based installer that pulls in networking libraries for SSH and Telnet exploitation. Once a device is compromised, the malware embeds itself in hidden directories, creates cron jobs for five‑minute relaunches, and modifies shell profiles to ensure persistence. Uniquely, it actively hunts competing botnet processes, deleting binaries and removing their persistence mechanisms, effectively monopolizing the host’s resources. This aggressive self‑preservation not only boosts the botnet’s own DDoS capacity but also reduces noise for defenders, making detection more challenging.

For security teams, C0XMO’s sophistication signals a need for stricter edge hardening. Regular firmware updates, unique administrative credentials, and the disabling of unnecessary remote‑access services are essential first steps. Network monitoring should include anomalous traffic on ports commonly scanned by the botnet (22, 23, 80/443, 7547, 8080, 8443) and the presence of unusual cron entries or hidden files. As IoT devices continue to proliferate, the industry must adopt a zero‑trust mindset for all internet‑facing equipment to mitigate the risk of large‑scale DDoS campaigns driven by advanced botnets like C0XMO.