
C0XMO BOTNET EXPLOITS DD-WRT ROUTERS

SECURITY DESK · 2 MIN READ
SUN, JUN 7, 2026

■ AI-SUMMARIZED FROM 1 SOURCE

A new Gafgyt botnet variant named C0XMO is actively targeting DD-WRT router firmware, with the capability to spread across multiple device types and processor architectures. The malware eliminates competing infections as it propagates.

Security researchers have identified C0XMO, an evolving strain of the Gafgyt botnet family, which exploits vulnerabilities in DD-WRT router firmware to establish infections. The botnet shows notable technical sophistication through its multi-architecture support, which lets it compromise devices beyond routers. DD-WRT is a Linux-based firmware replacement popular among users seeking enhanced router functionality and control. The vulnerability being leveraged is still under active exploitation, which makes affected systems significant targets for compromise.

A distinguishing characteristic of C0XMO is its aggressive behavior toward competing malware. Upon infection, the botnet terminates rival malware processes and infections, a competitive tactic designed to monopolize the resources of the infected device. This behavior indicates that the operators prioritize botnet stability and resource efficiency.

The multi-architecture capability is particularly noteworthy. Traditional botnets often target specific processor types, which limits how far they can spread. C0XMO's ability to execute across various CPU architectures expands its attack surface considerably, enabling it to infect diverse hardware platforms with different processing capabilities.

Gafgyt, the parent botnet family, has maintained a presence in the threat landscape for years and is known for DDoS capabilities and credential-harvesting attacks. C0XMO represents a continued evolution of this family, incorporating lessons from previous variants and adapting to target commonly modified router firmware.

Users running DD-WRT should immediately verify their firmware versions and apply available security patches. System administrators should monitor network traffic for signs of compromise, including unusual outbound connections or performance degradation. A reset to factory settings may be necessary for confirmed infections.

The targeting of DD-WRT highlights a persistent vulnerability in modified firmware ecosystems. While such platforms offer legitimate benefits to advanced users, they often receive security updates less frequently than manufacturer-supported versions, creating windows of exploitation. Organizations with network infrastructure running DD-WRT should prioritize rapid patching and consider network segmentation to limit the botnet's potential to spread. The C0XMO variant underscores the ongoing threat from commodity botnet malware targeting network infrastructure vulnerabilities.

■ SOURCES

Bleeping Computer
