C0XMO botnet exploits DD-WRT bug, expands DDoS power

C0XMO botnet – A modular botnet variant dubbed C0XMO is spreading by exploiting a DD-WRT router firmware flaw, then probing exposed systems for weak Telnet and SSH credentials. Security researchers say it can deploy different binaries across multiple CPU architectures, launc

These days, a compromised router doesn’t just sit quietly in the background. With C0XMO, it becomes a launchpad: first for its own takeover, then for a wider hunt across the internet for more weakly protected devices.

Fortinet researchers say the new Gafgyt botnet variant, called C0XMO, targets DD-WRT router firmware by exploiting CVE-2021-27137, a buffer overflow caused by insufficient validation of user input. They describe a key detail that makes defenders uneasy: the exploit works without authentication, allowing the malware to execute arbitrary code on the router.

The samples they analyzed weren’t limited to one kind of device. The researchers found C0XMO built for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures. That flexibility matters because it lets the botnet move beyond routers: targeting was described across DVRs, routers, video management platforms, and Android-based devices.

Fortinet observed the botnet targeting a Japanese technology company, but the source IP address tied to the activity pointed to a device located in Germany. In the malware world that kind of mismatch is common, since the source address is usually just the last compromised hop or proxy rather than the operator, but it also underlines how quickly compromised infrastructure can look “elsewhere” while the damage lands closer to home.

C0XMO’s design is built to evolve. Fortinet highlights its modular architecture, which lets operators update exploitation techniques, add or remove targeted architectures, and expand lateral-movement capabilities independently of the main payload. At its core, the botnet is a DDoS tool: it supports 19 attack methods, including UDP/TCP/SYN/ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.

After the initial compromise, distribution relies on more than just the exploit. The botnet downloads a Python script that installs additional packages: ‘requests’ (HTTP), ‘paramiko’ (SSH), and ‘beautifulsoup4’ (HTML parsing). Those dependencies support network scanning and web communication, as well as activity over the SSH and Telnet protocols.

From there, the scanner uses worker threads to probe randomly chosen internet-facing systems on common ports. The list includes 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 7547 (TR-069 CWMP), 8080, 8443, 8888, and others. When it finds a target, C0XMO attempts to brute-force weak Telnet and SSH credentials, detects the CPU architecture, and deploys a compatible C0XMO binary.
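The scanning behaviour described above leaves a recognisable footprint in egress flow data: one internal source touching many unrelated destinations on exactly this small port set. The following is an added example (not Fortinet’s analysis code and nothing from the botnet itself) that flags such sources. The flow-record format (“src dst dport” per line), the thresholds and the sample records are assumptions constructed for the demo; the port list is the one the article gives.

```python
"""Flow-based spotter for C0XMO-style credential scanning.

Added example, not Fortinet's or the botnet's code. It flags sources
that contact many distinct hosts on the port set the article lists.
The flow-record format ("src dst dport" per line), the thresholds and
the sample records below are assumptions made for this demo.
"""
from collections import defaultdict

# Ports the article names as the scanner's targets.
C0XMO_PORTS = {22, 23, 80, 443, 7547, 8080, 8443, 8888}

# Constructed sample flows (RFC 5737 documentation addresses, not real
# traffic): 10.0.0.5 sprays the scanner ports across random hosts,
# 10.0.0.7 is ordinary HTTPS use, 10.0.0.9 is a DNS lookup.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 23
10.0.0.5 198.51.100.7 22
10.0.0.5 192.0.2.44 7547
10.0.0.5 203.0.113.99 8080
10.0.0.5 198.51.100.200 8443
10.0.0.5 192.0.2.9 8888
10.0.0.5 203.0.113.3 23
10.0.0.5 198.51.100.77 22
10.0.0.7 203.0.113.10 443
10.0.0.7 203.0.113.10 443
10.0.0.7 198.51.100.7 443
10.0.0.9 192.0.2.1 53
"""


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, int port) tuples,
    silently skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        try:
            flows.append((src, dst, int(port)))
        except ValueError:
            continue
    return flows


def find_scanners(flows, min_targets=6, min_ports=3):
    """Return {src: (distinct_destinations, distinct_ports)} for every
    source that hit at least min_targets distinct destinations on at
    least min_ports distinct C0XMO ports. Counting distinct destinations
    rather than packets separates a scanner from a chatty client that
    talks to a handful of servers. Thresholds are illustrative."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, port in flows:
        if port in C0XMO_PORTS:
            dsts[src].add(dst)
            ports[src].add(port)
    return {
        src: (len(dsts[src]), len(ports[src]))
        for src in dsts
        if len(dsts[src]) >= min_targets and len(ports[src]) >= min_ports
    }


if __name__ == "__main__":
    for src, (n_dst, n_port) in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {n_dst} destinations on {n_port} scanner ports")
```

On real netflow or firewall logs, raise the thresholds to fit the network’s baseline and group by a time window; a newly infected router will typically cross any sane threshold within minutes because the worker threads pick destinations at random rather than revisiting a few hosts.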

To do all of that, the script includes almost two dozen functions covering tasks such as scanning, exploiting HTTP- and ADB-based vulnerabilities, detecting the CPU architecture, handling SSH/Telnet login, and checking IP addresses. The researchers say the script’s main purpose is lateral movement: getting from one foothold to the next.

Once inside, the malware establishes persistence in multiple places. C0XMO copies itself into hidden locations such as ‘/tmp/.sys,’ ‘/var/tmp/.sys,’ and ‘/dev/shm/.sys,’ then creates cron jobs that relaunch it every 15 minutes. It also modifies shell startup files so that it runs automatically whenever a shell starts. Note that /tmp and /dev/shm are commonly RAM-backed, so a reboot removes copies stored there but not the cron entries or startup-file edits, which is where a host check should look.
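The artifacts above are concrete enough to hunt for on a suspect host. The following is an added example (not Fortinet’s code) that checks for the three hidden paths, for cron lines that either use a 15-minute schedule or reference those paths, and for startup files that reference them. The exact cron syntax (`*/15 * * * *`), the set of cron and startup files inspected, and the `root` parameter (so it can be pointed at a mounted firmware or disk image instead of `/`) are assumptions; the sample tree it builds for demonstration is constructed, not captured from a real infection.

```python
"""Host check for the persistence artifacts the article attributes
to C0XMO. Added example, not Fortinet's code.

Assumptions: the 15-minute cron job looks like "*/15 * * * * ...",
the cron and shell startup files are the common Linux/BusyBox
locations listed below, and `root` may point at an offline image.
"""
import os
import re
import tempfile

# Hidden drop locations named in the article, relative to root.
HIDDEN_PATHS = ["tmp/.sys", "var/tmp/.sys", "dev/shm/.sys"]
# Assumed cron locations (files or directories).
CRON_FILES = ["etc/crontab", "var/spool/cron/crontabs/root",
              "var/spool/cron/root", "etc/cron.d"]
# Assumed shell startup files the malware might edit.
STARTUP_FILES = ["etc/profile", "root/.bashrc", "root/.profile",
                 "etc/rc.local"]

# Assumed shape of the relaunch entry: every 15 minutes, running a .sys file.
CRON_15MIN = re.compile(r"^\s*\*/15\s+\*\s+\*\s+\*\s+\*\s+.*\.sys")
# Any reference to one of the hidden drop paths.
SYS_REF = re.compile(r"/(tmp|var/tmp|dev/shm)/\.sys")


def _read_lines(path):
    """Return the file's lines, or [] if it is absent or unreadable."""
    try:
        with open(path, errors="replace") as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def hunt(root="/"):
    """Return a list of (kind, path, matching_line) findings under root."""
    findings = []
    for rel in HIDDEN_PATHS:
        p = os.path.join(root, rel)
        if os.path.exists(p):
            findings.append(("hidden_binary", p, ""))

    cron_paths = []
    for rel in CRON_FILES:
        p = os.path.join(root, rel)
        if os.path.isdir(p):  # e.g. /etc/cron.d: check every file inside
            cron_paths += [os.path.join(p, f) for f in sorted(os.listdir(p))]
        else:
            cron_paths.append(p)
    for p in cron_paths:
        for line in _read_lines(p):
            if CRON_15MIN.search(line) or SYS_REF.search(line):
                findings.append(("cron", p, line.strip()))

    for rel in STARTUP_FILES:
        p = os.path.join(root, rel)
        for line in _read_lines(p):
            if SYS_REF.search(line):
                findings.append(("startup", p, line.strip()))
    return findings


def make_sample_root():
    """Build a throwaway tree that mimics a compromised host (constructed
    for the demo: two hidden copies, one cron entry, one .bashrc edit)
    and return its path."""
    root = tempfile.mkdtemp(prefix="c0xmo_demo_")
    for rel in ["tmp/.sys", "var/tmp/.sys"]:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "wb").close()
    cron_dir = os.path.join(root, "var/spool/cron/crontabs")
    os.makedirs(cron_dir, exist_ok=True)
    with open(os.path.join(cron_dir, "root"), "w") as fh:
        fh.write("0 3 * * * /usr/sbin/logrotate\n")
        fh.write("*/15 * * * * /tmp/.sys >/dev/null 2>&1\n")
    os.makedirs(os.path.join(root, "root"), exist_ok=True)
    with open(os.path.join(root, "root/.bashrc"), "w") as fh:
        fh.write("alias ll='ls -la'\n/dev/shm/.sys &\n")
    return root


if __name__ == "__main__":
    for kind, path, line in hunt(make_sample_root()):
        print(f"{kind:14} {path}  {line}")
```

Run `hunt("/")` as root on a live device, or point it at a mounted image. Matching on both the schedule and the path keeps the check useful if a future build changes one of them; treat any hit as a lead to confirm, not proof on its own, since a benign 15-minute job is common.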

It then turns on the competition. Fortinet reports that C0XMO scans running processes to identify competitor botnet clients on the host, alongside red-team tools, programming tools, and network services that could interfere with its operation. When it finds them, it terminates that activity, deletes the binaries, and removes their persistence mechanisms, including cron jobs, init scripts, system services, and shell profile entries.

That combination, lateral scanning plus active cleanup, helps explain how C0XMO can stick around long enough to matter. After access, the malware connects to a hardcoded command-and-control (C2) address using a custom multi-stage handshake that includes magic strings and shared secrets. From there, it waits for instructions.

Commands supported by the C0XMO botnet include heartbeat checks, starting and stopping scans, and launching DDoS attacks using one of the 19 supported methods.

Defenders aren’t left with vague advice, either. Fortinet’s general recommendations include keeping devices up to date, using unique admin credentials (the brute-force stage only succeeds against weak or default ones), and disabling remote access capabilities such as WAN-facing Telnet and SSH when they are not needed.

Fortinet describes C0XMO as having “a considerably more advanced architecture and feature set compared to earlier IoT botnets.” The researchers also say its design points to “a greater degree of operational sophistication and complexity than typical Gafgyt malware.” In practice, that means a botnet that doesn’t just spread: it adapts, picks the right binary for the device it finds, and tries to erase anything that could stop it.

4 Comments

  1. If they can hit Telnet and SSH weak passwords, that’s honestly on people who never change stuff. But also why isn’t the firmware fixed already? Seems like this has been known.

  2. I don’t get the Germany/Japan thing. Like if it targeted a Japanese company but the IP was in Germany then who’s actually doing it? Could be one of those VPN things right? Either way my internet already feels slow.

  3. 19 methods of DDoS sounds like overkill. They mention Android and DVRs too like, so basically all the dumb devices in my house are at risk? Also C0XMO sounds like something Star Wars lol. I swear these bots just keep evolving and then they blame “buffer overflow” like that helps regular people.
