
C0XMO Botnet Is Actively Exploiting a DD-WRT Router Flaw Right Now

What's Happening

A newly identified botnet called C0XMO is actively exploiting a vulnerability in DD-WRT router firmware to compromise consumer and prosumer routers at scale. C0XMO is a variant of the long-running Gafgyt malware family — but this iteration is notably aggressive: once it owns a device, it actively hunts for and kills competing malware processes already running on the hardware. That behavior signals a mature, resource-contested operation where the operators are protecting their investment.

What makes C0XMO especially dangerous is its cross-architecture reach. The botnet is designed to move laterally to device types beyond the initial DD-WRT target, supporting multiple CPU architectures (x86, ARM, MIPS, and others). Routers are just the entry point — the malware is built to propagate through whatever IoT and embedded hardware it can reach on the same network segment.

Why This Matters

DD-WRT is not niche firmware. It's the go-to open-source replacement for a huge portion of home lab routers, small business edge devices, and self-hosted setups precisely because it exposes features that stock vendor firmware locks away. That's also the attack surface: advanced features like remote management interfaces, custom DNS, and VPN endpoints are often left enabled by technically sophisticated users who set them up and then forget about them.

A compromised DD-WRT router is a catastrophic position to be in. The router sits upstream of everything — it terminates your VPN, resolves DNS, sees all unencrypted traffic, and can silently intercept or redirect connections before any endpoint security tool ever gets a look. Botnet operators running C0XMO can use your router for DDoS traffic amplification, credential-harvesting proxy networks, or as a pivot point deeper into your LAN. Because the compromise lives in router firmware rather than on a managed OS, it typically survives reboots and is invisible to any antivirus scanning your workstations.

The lateral movement capability to other CPU architectures means a single compromised router could become a beachhead for NAS devices, IP cameras, or industrial controllers on the same network.

What to Do Right Now

  1. Update DD-WRT firmware immediately. Go to dd-wrt.com and pull the latest build for your router model. If your hardware is no longer receiving updates, treat it as end-of-life and replace it.
  2. Disable remote management. In DD-WRT, go to Administration → Management and confirm that remote web access (HTTP/HTTPS) is disabled. If you need remote access, route it through a VPN rather than exposing the admin interface directly.
  3. Check for indicators of compromise. Look for unexpected outbound connections, unusually high CPU or bandwidth usage, and unfamiliar processes if your firmware exposes a shell. A factory reset followed by a clean firmware flash is the safest remediation if you suspect infection.
  4. Audit open services. Telnet, SSH, and UPnP are common Gafgyt entry vectors. Disable anything you're not actively using.
  5. Segment your network. IoT devices and anything you don't fully trust should sit on an isolated VLAN — if the router itself is compromised, segmentation at the switch level limits blast radius.
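Steps 3 and 4 both come down to reading the router's socket table carefully. The script below is an added example, not part of the original post and not a DD-WRT project tool: it parses BusyBox `netstat -antu` output on a DD-WRT shell and reports listeners bound to the wildcard or WAN address (the Telnet/SSH/UPnP exposure from step 4) and established connections from the router itself to public addresses on ports outside a small allow-list (the unexpected outbound connections from step 3). The allow-list of outbound ports (DNS, HTTP/S, NTP) and the sample `netstat` output are assumptions constructed for the example; the addresses in the sample are RFC 5737 documentation ranges, not indicators of compromise.

```shell
#!/bin/sh
# Added example: audit a DD-WRT router's socket table for WAN-reachable listeners
# and unusual outbound connections from the router itself.
#
# Usage on the router (DD-WRT usually keeps the WAN address in nvram):
#   netstat -antu | sh audit_sockets.sh "$(nvram get wan_ipaddr)"
#
# audit_sockets reads `netstat -antu` output on stdin and prints one line per
# finding. The outbound port allow-list is an assumption; tune it to what your
# router legitimately talks to (DNS forwarders, DDNS updater, NTP, firmware checks).
audit_sockets() {
  wan_ip="${1:-0.0.0.0}"
  awk -v wan="$wan_ip" '
    # RFC 1918, loopback and the wildcard address are not "outbound to the internet".
    function is_private(ip,  o) {
      split(ip, o, ".")
      if (ip == "0.0.0.0" || o[1]+0 == 10 || o[1]+0 == 127) return 1
      if (o[1]+0 == 192 && o[2]+0 == 168) return 1
      if (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) return 1
      return 0
    }
    # Destination ports a router normally uses on its own behalf (assumed allow-list).
    function is_allowed_port(p) { return (p == 53 || p == 80 || p == 123 || p == 443) }
    $1 != "tcp" && $1 != "udp" { next }          # skip the netstat header lines
    {
      nl = split($4, l, ":"); lip = l[1]
      nf = split($5, f, ":"); fip = f[1]; fport = f[nf]
      if (nl != 2 || nf != 2) next               # IPv4 only in this example
      # BusyBox prints no State column for UDP; a "*" foreign port marks a listener.
      listener = ($6 == "LISTEN" || ($1 == "udp" && fport == "*"))
      # A wildcard bind or a bind to the WAN address is reachable from the internet
      # unless the firewall drops it: verify each of these against the INPUT chain.
      if (listener && (lip == "0.0.0.0" || lip == wan)) {
        printf "WAN-EXPOSED-LISTENER %s %s\n", $1, $4
        next
      }
      # The router itself holding a connection to a public address on an odd port.
      if ($6 == "ESTABLISHED" && !is_private(fip) && !is_allowed_port(fport+0))
        printf "OUTBOUND-UNUSUAL %s %s -> %s\n", $1, $4, $5
    }'
}

# Constructed sample of `netstat -antu` output (documentation addresses only).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.7:54321      203.0.113.9:9001        ESTABLISHED
tcp        0      0 198.51.100.7:40212      203.0.113.44:443        ESTABLISHED
tcp        0      0 192.168.1.1:22          192.168.1.50:51000      ESTABLISHED
udp        0      0 0.0.0.0:1900            0.0.0.0:*'

# Run the sample through the audit with 198.51.100.7 as the (constructed) WAN address.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_sockets 198.51.100.7
```

On the sample, the Telnet and HTTP listeners and the UPnP/SSDP socket on 0.0.0.0 are reported, the DNS listener bound only to the LAN address is not, the HTTPS connection is allowed through, and the connection to 203.0.113.9:9001 is flagged. A wildcard bind is only actually exposed if the firewall lets WAN traffic reach it, so treat the listener lines as a checklist to confirm against Administration → Management and the iptables INPUT chain rather than as proof of exposure; anything flagged as outbound that you cannot explain is a reason to go straight to the factory reset and clean flash described in step 3.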

This is an in-the-wild, active exploitation campaign against hardware that doesn't auto-update. Manual action is required — don't wait for a vendor notification that isn't coming.

Sources
  1. C0XMO botnet spreads via DD-WRT router flaw, kills rival malware

Synthesized by Claude · sanity-checked before publish.
