C0xmo Botnet Exploits DD-WRT Flaw to Build IoT DDoS Army
Fortinet exposes C0xmo, a modular Gafgyt variant exploiting CVE-2021-27137 in DD-WRT routers to recruit IoT devices for DDoS attacks while killing rival malware.
A sophisticated new variant of the Gafgyt botnet has been targeting DD-WRT routers through an unpatched UPnP vulnerability, conscripting them into a distributed denial-of-service network while actively eliminating competing malware on compromised devices.
Fortinet's FortiGuard Labs discovered the malware, dubbed C0xmo, exploiting CVE-2021-27137—a stack buffer overflow in DD-WRT's UPnP service that requires no authentication. Attackers trigger the flaw by sending malformed M-SEARCH requests on UDP port 1900, gaining arbitrary code execution without any credentials.
How the Attack Works
C0xmo's initial access relies on the oversized ST:uuid value in UPnP discovery packets. Once inside, the malware downloads a Python-based loader that scans the local network and internet-facing systems across common service ports: 22, 23, 80, 443, 7547, 8080, 8443, and 8888.
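The initial-access vector above is an M-SEARCH discovery packet whose ST header is far larger than any legitimate `uuid:` target. The following is an added detection example, not code from FortiGuard's report: a small SSDP request parser that flags such packets. The 64-byte length threshold is an assumption chosen for illustration (a well-formed `uuid:` plus 36-character UUID is 41 bytes), not the exact overflow boundary in DD-WRT.

```python
# Added example (not from the FortiGuard analysis): parse SSDP M-SEARCH
# datagrams captured on UDP/1900 and flag ones whose ST header carries a
# "uuid:" value well beyond any legitimate length.
from typing import Dict, Optional

# Assumed threshold: "uuid:" + a 36-char UUID is 41 bytes, so 64 leaves slack.
MAX_SANE_ST_LEN = 64


def parse_ssdp_request(datagram: bytes) -> Optional[Dict[str, str]]:
    """Return the header dict of an M-SEARCH request, or None for other traffic."""
    text = datagram.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("M-SEARCH "):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def is_suspicious_msearch(datagram: bytes) -> bool:
    """True when an M-SEARCH carries a uuid: ST value longer than the sane limit."""
    headers = parse_ssdp_request(datagram)
    if headers is None:
        return False
    st = headers.get("ST", "")
    return st.lower().startswith("uuid:") and len(st) > MAX_SANE_ST_LEN


# Constructed sample datagrams for illustration (not captured traffic).
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
          b"ST: uuid:0d5c8c6e-1b2a-4f8e-9c3d-0123456789ab\r\n\r\n")
OVERSIZED = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b"MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
             b"ST: uuid:" + b"A" * 300 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, "SUSPICIOUS" if is_suspicious_msearch(pkt) else "ok")
```

Feed it the payload of each UDP/1900 datagram from a sensor or packet capture; NOTIFY and non-uuid search targets are ignored so ordinary discovery traffic does not alert.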
The loader determines each target's CPU architecture and deploys architecture-specific binaries. FortiGuard researchers found samples compiled for ARM, MIPS, PowerPC, SuperH, x86, and x86-64—suggesting the operators intend to maximize their device pool across routers, DVRs, video management platforms, and Android devices.
This cross-platform approach mirrors what we've seen with xlabs_v1, another IoT botnet discovered last month that also targeted multiple architectures. The trend suggests botnet operators are increasingly investing in broad compatibility to maximize their zombie fleets.
19 DDoS Attack Methods
C0xmo supports an extensive arsenal of DDoS techniques, including:
- UDP/TCP/SYN/ICMP floods
- NTP and Memcached amplification
- Discord voice UDP floods
- Valve Source Engine floods
- FiveM game server floods
- OVH bypass techniques
- Cloudflare bypass HTTP floods
- Ping of death attacks
The Discord and gaming server targets indicate the operators may be involved in DDoS-for-hire services, where disrupting voice channels and game servers commands premium prices.
Killing the Competition
What sets C0xmo apart from typical IoT malware is its aggressive territorial behavior. Upon execution, the malware scans running processes for rival botnet clients—including other Gafgyt and Mirai variants—and terminates them. It doesn't stop there.
C0xmo removes competitors' persistence mechanisms systematically:
- Cron jobs scheduling reinfection
- init.d service scripts
- rc.local entries
- systemd service files
- Shell profile injections in .bashrc and .profile
The malware also hunts for red-team tools, programming utilities, and network services that could interfere with its operation. This scorched-earth approach ensures C0xmo maintains exclusive control over each compromised device.
Beyond DD-WRT
While CVE-2021-27137 serves as the primary entry point, C0xmo's operators have embedded exploits for several other vulnerabilities:
- CVE-2015-2051: D-Link HNAP SOAPAction-Header command injection
- CVE-2022-35914: GLPI htmLawed code injection
- CVE-2016-15047 and CVE-2025-34054: Avtech DVR authentication bypass and command execution
This multi-exploit approach allows the botnet to recruit devices even when specific vendors patch individual flaws. The embedded exploit chain spans consumer routers, enterprise IT management tools, and surveillance equipment.
Persistence That Survives Reboots
Once installed, C0xmo implements a four-stage persistence mechanism:
- Creates hidden copies in /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys, and $HOME/.sys
- Establishes cron jobs executing every 15 minutes
- Injects loader commands into shell profiles
- Monitors for termination and automatically respawns
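The four layers above map directly onto artefacts an incident responder can check. The following is an added triage example, not FortiGuard's code: it scores a host against the hidden-copy paths, cron entries and shell-profile injections the article describes. It works on pre-collected inputs (a list of existing paths, crontab text, profile contents) so it runs offline; on a live device you would feed it `os.path.exists()` results, `crontab -l` output and the contents of .bashrc and .profile.

```python
# Added example, not code from the FortiGuard report: offline check for the
# persistence artefacts the article lists (hidden .sys copies, cron entries,
# shell-profile injections). Inputs are pre-collected so it is testable.
import os
from typing import Dict, List

# Hidden-copy locations named in the report; $HOME is resolved at runtime.
HIDDEN_COPY_PATHS = list(dict.fromkeys([
    "/tmp/.sys", "/var/tmp/.sys", "/dev/shm/.sys",
    os.path.join(os.environ.get("HOME", "/root"), ".sys"),
]))
SYS_MARKER = "/.sys"  # any command line referencing a hidden .sys path


def find_hidden_copies(existing_paths: List[str]) -> List[str]:
    """Return the listed hidden-copy locations that exist on the host."""
    present = set(existing_paths)
    return [p for p in HIDDEN_COPY_PATHS if p in present]


def lines_referencing_sys(text: str) -> List[str]:
    """Return non-comment lines (crontab, .bashrc, ...) that invoke a .sys path."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and SYS_MARKER in line:
            hits.append(line)
    return hits


def scan_host(existing_paths: List[str], crontab_text: str,
              profiles: Dict[str, str]) -> Dict[str, List[str]]:
    """Collect indicators per persistence layer described in the report."""
    report: Dict[str, List[str]] = {
        "hidden_copies": find_hidden_copies(existing_paths),
        "cron": lines_referencing_sys(crontab_text),
        "profiles": [],
    }
    for name, content in profiles.items():
        report["profiles"] += [f"{name}: {h}" for h in lines_referencing_sys(content)]
    return report


# Constructed sample data for illustration (not real indicators).
SAMPLE_PATHS = ["/tmp/.sys", "/dev/shm/.sys", "/etc/passwd"]
SAMPLE_CRONTAB = "# m h dom mon dow cmd\n*/15 * * * * /tmp/.sys >/dev/null 2>&1\n"
SAMPLE_PROFILES = {".bashrc": "alias ll='ls -l'\n/dev/shm/.sys &\n",
                   ".profile": "export PATH=$PATH:$HOME/bin\n"}

if __name__ == "__main__":
    for layer, hits in scan_host(SAMPLE_PATHS, SAMPLE_CRONTAB, SAMPLE_PROFILES).items():
        print(f"{layer}: {hits}")
```

A respawning watchdog (the fourth layer) is not visible in these files; it shows up as a process tree, which is why the article treats reflash rather than cleanup as the reliable remediation.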
The multi-layered approach makes removal challenging without a complete firmware reflash, and many consumer router owners lack the technical knowledge to perform such recovery.
Command and Control
FortiGuard identified three C2 servers operating from the 85.215.x.x and 176.100.x.x IP ranges. The infrastructure appears professionally maintained, with researchers noting the modular architecture demonstrates "considerably more advanced" design compared to earlier Gafgyt variants.
Why This Matters
Router-based botnets remain a persistent threat because home and small-office devices rarely receive security updates. Many DD-WRT installations running vulnerable firmware will likely remain unpatched indefinitely.
This attack pattern continues what we've tracked with state-sponsored router compromises like FrostArmada. While APT28's campaign targeted routers for credential theft, C0xmo demonstrates how the same access can power DDoS infrastructure. The common thread: commodity router vulnerabilities enabling large-scale attacks.
Mitigations
Organizations and home users running DD-WRT should:
- Disable UPnP entirely if not required for specific applications
- Block UDP port 1900 at the network perimeter
- Update firmware to the latest DD-WRT builds that address CVE-2021-27137
- Change default credentials on all network devices
- Disable remote management interfaces exposed to the internet
For compromised devices, a full firmware reflash is the only reliable remediation. Simply rebooting won't remove C0xmo's persistence mechanisms.
The full technical analysis from FortiGuard Labs includes IOCs and YARA rules for detection.