
The Security Affairs Malware Newsletter Round 101 has drawn attention to a new variant of the Gafgyt botnet labelled C0XMO, which is being used to compromise DD‑WRT routers and launch distributed denial of service attacks. The variant was highlighted alongside other threats such as IronWorm and Miasma in the regular security roundup. Researchers note that C0XMO leverages a known flaw in router firmware to gain a foothold without authentication.
Technical analysis from Fortinet traces the abuse to CVE-2021-27137, a vulnerability affecting certain DD‑WRT builds that carries no assigned CVSS score but permits unauthenticated remote code execution. The botnet injects a compact Python script that scans for exposed devices, installs the malicious payload and contacts a custom command‑and‑control server. This script operates independently of the main malware body, giving the actor flexibility to update functions without rewriting the core.
C0XMO distinguishes itself by incorporating a competitor‑killing module that seeks out and removes other malware families present on the same host before settling in. Once cleared, the hijacked routers are marshalled into a swarm capable of generating volumetric UDP, SYN and HTTP floods. The modular design allows the author to toggle scanning, payload delivery and attack vectors on demand, reflecting a maturing approach to IoT botnet construction.
Observations from threat‑intel feeds indicate active exploitation began in March 2026 and has persisted through the first half of June, with no identified threat actor claiming responsibility. The activity appears consistent with financially motivated groups renting out DDoS capacity on underground markets, exploiting the abundance of unpatched home and small‑office routers.
The emergence of C0XMO underscores a broader trend where botnets augment their survivability by eliminating rival infections, thereby consolidating resources under a single control structure. This tactic raises the potential impact of each compromised device and complicates remediation efforts for network defenders who must now contend with layered malware removal.
Defenders should begin by verifying the firmware version running on all DD‑WRT devices and applying the latest vendor‑provided updates where available. Disabling remote administration interfaces, restricting LAN‑only access to router consoles and placing IoT assets in segregated VLANs can reduce the attack surface. Continuous monitoring for outbound connections to unusual ports or domains associated with the C0XMO C2 infrastructure is essential.
Additionally, network administrators are advised to deploy behavioural detection tools that can spot the distinctive Python scanner used by the botnet, block known malicious IP addresses observed in Fortinet’s research and share any indicators of compromise with trusted information‑sharing communities. Keeping anti‑malware signatures current and conducting periodic router configuration audits will help prevent reinfection once the initial foothold is removed.
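The monitoring advice above can be turned into a simple triage pass over router connection records. The following is an added illustrative detector, not code from the article or from Fortinet's research; the log format, the router address, the "expected" port set and both thresholds are assumptions, and the sample records are constructed. It flags three router-originated patterns the article describes: a lone connection to an unexpected port (possible C2 beacon), one port probed across many hosts (scanner) and many flows to one destination (flood participation).

```python
from collections import Counter, defaultdict

ROUTER_IP = "192.168.1.1"                 # assumed: source address the router itself uses
EXPECTED_ROUTER_PORTS = {53, 123, 443}    # DNS, NTP, HTTPS update checks (assumption)
FLOOD_THRESHOLD = 50                      # flows to one destination (assumption)
SCAN_THRESHOLD = 20                       # distinct destinations on one port (assumption)

def parse_flow(line):
    """Parse one constructed conntrack-style record:
    '<ts> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>'"""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    src_ip, _ = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return fields["proto"], src_ip, dst_ip, int(dst_port)

def analyze(lines, router_ip=ROUTER_IP):
    """Return {'beacons', 'scans', 'floods'} from router-originated flows only:
    malware living on the router, not on a LAN client, is what produces the
    C2 beacon, scanning and flood traffic described in the article."""
    per_dst = Counter()            # (proto, dst, dport) -> flow count
    per_port = defaultdict(set)    # (proto, dport) -> distinct destinations
    for line in lines:
        proto, src, dst, dport = parse_flow(line)
        if src != router_ip:
            continue
        per_dst[(proto, dst, dport)] += 1
        per_port[(proto, dport)].add(dst)
    floods = {k: n for k, n in per_dst.items() if n >= FLOOD_THRESHOLD}
    scans = {k: len(v) for k, v in per_port.items() if len(v) >= SCAN_THRESHOLD}
    # A beacon candidate is a low-volume flow to an unexpected port that is not
    # already explained by a flood or a scan.
    beacons = sorted(k for k, n in per_dst.items()
                     if k[2] not in EXPECTED_ROUTER_PORTS
                     and n < FLOOD_THRESHOLD and (k[0], k[2]) not in scans)
    return {"beacons": beacons, "scans": scans, "floods": floods}

# Constructed sample: benign DNS, one odd TCP connection, a LAN client (ignored),
# a UDP flood against one host and a TCP sweep of port 80 across 25 hosts.
SAMPLE = [
    "t0 proto=udp src=192.168.1.1:5353 dst=8.8.8.8:53",
    "t1 proto=tcp src=192.168.1.1:40001 dst=198.51.100.7:6667",
    "t2 proto=tcp src=192.168.1.20:50000 dst=203.0.113.5:4444",
] + [f"f{i} proto=udp src=192.168.1.1:{20000 + i} dst=203.0.113.9:80" for i in range(60)] \
  + [f"s{i} proto=tcp src=192.168.1.1:{30000 + i} dst=203.0.113.{100 + i}:80" for i in range(25)]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE).items():
        print(kind, hits)
```

Real deployments would feed this from the router's conntrack or NetFlow export and tune the port set and thresholds to the observed baseline of the specific device.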