June 12, 2026

C0XMO: The Router Botnet That Doesn't Just Infect—It Eliminates the Competition

A newly discovered botnet called C0XMO is raising concerns across the cybersecurity community after researchers uncovered its ability to exploit vulnerable DD-WRT routers, spread across multiple device types, and aggressively remove competing malware from infected systems. Based on the well-known Gafgyt malware family, C0XMO targets a wide range of processor architectures, making it highly adaptable and capable of compromising routers, DVRs, Android-based devices, and other internet-connected equipment.

What makes C0XMO particularly noteworthy is its modular design. Rather than relying on a single piece of malware, it uses separate components for scanning, propagation, and attack execution. Researchers found that the botnet exploits CVE-2021-27137, a vulnerability affecting older DD-WRT firmware, while also attempting to brute-force weak Telnet and SSH credentials on exposed devices. This flexible architecture allows attackers to continually evolve their techniques and expand the botnet's reach.

Once a device is compromised, C0XMO works hard to maintain control. The malware establishes persistence through hidden files, scheduled tasks, and startup scripts. It then scans the system for competing botnets, security tools, and other processes that could interfere with its operation, removing them to ensure exclusive access to the device. This "survival of the fittest" approach highlights the increasing sophistication of modern IoT malware and the fierce competition among cybercriminal groups.

For network administrators, this discovery serves as another reminder that routers and embedded devices require the same security attention as servers and workstations. Keeping firmware up to date, disabling unnecessary remote access services, and using strong, unique credentials remain critical defenses against threats like C0XMO. The botnet's advanced capabilities demonstrate how rapidly IoT-focused malware is evolving and why proactive maintenance is essential for protecting both home and business networks.

https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/