C0XMO Botnet Exploits DD-WRT CVE-2021-27137, Evicts Rival Malware

Fortinet researchers found C0XMO, a Gafgyt variant that exploits CVE-2021-27137 in DD-WRT routers, kills rival botnets and supports 19 DDoS attack methods.

    Fortinet FortiGuard Labs publicly disclosed research into C0XMO, a new variant of the Gafgyt botnet that exploits CVE-2021-27137 — an unauthenticated buffer overflow in DD-WRT router firmware — to recruit compromised routers into a distributed denial-of-service network. Among C0XMO’s distinguishing capabilities is a competitive eviction feature: the botnet actively hunts down and terminates rival malware clients on every host it compromises, wiping out competing botnets and red-team tools to claim exclusive control of the infected infrastructure.

    C0XMO’s CVE-2021-27137 Exploit Chain and Cross-Platform Propagation

    The initial compromise requires no credentials. CVE-2021-27137 is an unauthenticated buffer overflow in DD-WRT firmware that allows arbitrary code execution — an attacker with network access to the router’s management interface can compromise the device without any authentication step. Fortinet’s discovery of C0XMO was triggered by attacks targeting a Japanese technology company, with the command-and-control infrastructure traced to Germany.

    Once installed, C0XMO downloads a Python script that launches internet-scale scanning across ports 22, 23, 80, 443, 7547, 8080, 8443, and 8888, followed by brute-force credential attacks against Telnet and SSH interfaces on discovered devices. The propagation model targets not just the initial DD-WRT router but any network-exposed device reachable from the compromised host. C0XMO’s multi-architecture design covers ARM, MIPS, PowerPC, SuperH, x86, and x86_64 — encompassing virtually every CPU architecture deployed in consumer and industrial IoT hardware — allowing the botnet to enlist devices across a wide range of router and embedded-system hardware generations.
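As an added example (not code from Fortinet's report or from the botnet), the following Python detector applies the port-sweep and Telnet/SSH brute-force pattern described above to constructed flow records; the record format, the thresholds and the treatment of every connection to the listed ports as a scan candidate are assumptions.

```python
from collections import defaultdict

# Ports the article says C0XMO's downloaded scanner sweeps (assumption: any
# outbound connection to one of them from a monitored host is a scan candidate).
C0XMO_SCAN_PORTS = {22, 23, 80, 443, 7547, 8080, 8443, 8888}
BRUTE_FORCE_PORTS = {22, 23}  # Telnet and SSH credential attacks

# Constructed flow records (timestamp, src, dst, dport); not real telemetry.
SAMPLE_FLOWS = [
    # An infected router sweeping the port set across many hosts...
    (1700000000, "192.0.2.10", "198.51.100.1", 23),
    (1700000001, "192.0.2.10", "198.51.100.2", 7547),
    (1700000002, "192.0.2.10", "198.51.100.3", 8443),
    (1700000003, "192.0.2.10", "198.51.100.4", 8888),
    (1700000004, "192.0.2.10", "198.51.100.5", 80),
    (1700000005, "192.0.2.10", "198.51.100.6", 443),
] + [  # ...then repeatedly hitting SSH on one host that answered
    (1700000010 + i, "192.0.2.10", "198.51.100.7", 22) for i in range(12)
] + [  # A benign client talking HTTPS to a single server
    (1700000020, "192.0.2.20", "203.0.113.5", 443),
    (1700000021, "192.0.2.20", "203.0.113.5", 443),
]


def find_scanners(flows, window=60, min_targets=5):
    """Return {src: distinct_targets} for sources that reach at least
    min_targets distinct hosts on the scan port set within `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in C0XMO_SCAN_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window from each event
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


def find_bruteforce(flows, min_attempts=10):
    """Return {(src, dst, dport): attempts} for repeated Telnet/SSH connections
    from one source to one host, the brute-force phase described above."""
    counts = defaultdict(int)
    for _, src, dst, dport in flows:
        if dport in BRUTE_FORCE_PORTS:
            counts[(src, dst, dport)] += 1
    return {k: v for k, v in counts.items() if v >= min_attempts}
```

Run against egress flow logs for the router segment; an internal address that trips both detectors is a strong candidate for isolation and firmware reflash.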

    C0XMO’s Competitive Eviction: Terminating Rival Botnets and Red-Team Tools

    C0XMO’s most operationally distinctive feature is its systematic elimination of competing malware. On every host it compromises, the botnet identifies and terminates rival botnet client processes, including red-team tools that may indicate an active security engagement on the device. It then deletes the competing binaries and removes their persistence mechanisms — including cron jobs and system services — leaving C0XMO as the sole malware presence with exclusive access to the compromised device’s resources and network connection.

    This behavior reflects a sophisticated understanding of the criminal IoT infrastructure marketplace: compromised routers and IoT devices are valuable commodities, and shared access with competing botnets reduces the bandwidth, availability, and reliability available for DDoS operations. By evicting competitors, C0XMO maximizes the exclusive yield from each infected device. The same eviction logic applied to red-team tools is a secondary effect — the botnet does not distinguish between competing malware and legitimate security software based on purpose, only on the presence of processes that conflict with its resource ownership.

    19 DDoS Methods Including NTP, Memcached, and Discord Voice UDP Amplification

    C0XMO supports 19 distinct DDoS attack methods, a toolkit that enables its operators to adapt attack patterns to whatever mitigation measures a target has deployed. The methods include UDP, TCP, SYN, and ICMP floods; ping-of-death attacks; and protocol amplification techniques exploiting NTP, Memcached, and Discord voice UDP — a range that covers volumetric floods, state-exhaustion attacks against stateful infrastructure, and amplification vectors that multiply attack bandwidth by leveraging misconfigured third-party services as unwitting reflectors.

    The breadth of the DDoS toolkit — and the modular design that allows operators to update exploitation techniques and adjust targeted architectures independently of the main payload — reflects C0XMO’s construction as a commercial-quality criminal service rather than a proof-of-concept tool.

    DD-WRT’s Deployment Scale and the Persistent Gap in Router Firmware Update Rates

    DD-WRT is one of the most widely deployed third-party router firmware platforms, installed on consumer and small-office networking equipment by users seeking advanced configuration features beyond those offered by stock manufacturer firmware. The estimated scale runs to several million deployments worldwide. Firmware update rates for home routers and small-office networking equipment are historically very low — a pattern driven by the combination of update processes that require manual intervention and user populations that treat routers as set-and-forget infrastructure.

    CVE-2021-27137 dates to 2021, meaning the underlying vulnerability has been addressable for several years. The C0XMO campaign exploiting it confirms the operational reality: vulnerability disclosure and patch availability do not automatically translate into remediation across a fragmented, largely unmanaged device population. The router population that DD-WRT serves — technically proficient users who install alternative firmware — might be expected to apply patches more reliably than typical consumers, yet the existence of an active campaign exploiting a multi-year-old CVE suggests otherwise.

    C0XMO’s Gafgyt codebase improvements, cross-platform reach, modular update capability, and competitive eviction feature collectively represent an evolution of the IoT botnet threat established by Mirai’s emergence. DD-WRT users running firmware versions prior to the CVE-2021-27137 fix remain vulnerable to no-authentication compromise.
