Introduction
A new variant of the Gafgyt botnet, dubbed C0XMO, is actively targeting edge infrastructure, specifically devices running DD-WRT firmware. This campaign is notable for its aggressive self-preservation tactics and broad architecture support (MIPS, ARM, x86, PowerPC, SH4). Once it establishes a foothold by exploiting a flaw in the DD-WRT management interface, C0XMO neutralizes competing malware—specifically other Mirai and Gafgyt variants—by manipulating firewall rules to cut them off from their command-and-control (C2) servers.
For security practitioners, this represents a shift in IoT malware operations: we are seeing automated "territorial" behavior where attackers actively hunt and disable rival payloads to monopolize device resources. Defenders must prioritize the identification of unauthorized iptables modifications and anomalous process execution on network edge devices.
Technical Analysis
Affected Products and Platforms
- Firmware: DD-WRT (versions that ship the vulnerable management interface component).
- Architectures: Multi-architecture payload support including MIPS, ARM, x86, PowerPC, and SuperH.
- Device Types: Small Office/Home Office (SOHO) routers, IoT gateways, and Linux-based embedded devices.
Vulnerability and Exploitation
The C0XMO botnet spreads by exploiting a flaw in the DD-WRT router firmware. While the specific CVE identifier is not disclosed in the current intelligence, the attack vector involves the web management interface or remote management services. Successful exploitation allows the attacker to inject and execute shell commands.
Attack Chain:
- Scanning: The botnet scans for exposed DD-WRT management interfaces.
- Exploitation: It leverages the firmware flaw to execute a shell command.
- Payload Delivery: The device downloads a binary compiled for its specific CPU architecture (MIPS/ARM/etc.) via wget or curl.
- Execution & Persistence: The binary is executed, often persisting via cron or init scripts.
- Competition Removal: The malware invokes iptables to block ports (commonly 23, 80, 8080) used by rival botnets, effectively killing their C2 communication.
- C2 Beaconing: The compromised device connects to the C0XMO C2 server to await DDoS instructions.
Exploitation Status: Confirmed active exploitation in the wild.
Detection & Response
SIGMA Rules
---
title: C0XMO Botnet - Suspicious iptables Input Chain Drop
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects attempts to block ports commonly used by rival botnets (Telnet/HTTP), a behavior observed in C0XMO variants to kill competing malware.
references:
    - https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.defense_evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: linux
detection:
    # Each condition lives in its own selection: repeating a CommandLine|contains
    # key inside one mapping is invalid YAML and silently keeps only the last list.
    selection_tool:
        Image|endswith:
            - '/iptables'
            - '/busybox'
    selection_chain:
        CommandLine|contains:
            - '-A INPUT'
            - '-I INPUT'
    selection_target:
        CommandLine|contains:
            - '-j DROP'
            - '-j REJECT'
    selection_port:
        CommandLine|contains:
            - '--dport 23'
            - '--dport 80'
            - '--dport 8080'
    condition: all of selection_*
falsepositives:
    - Legitimate firewall administration blocking management interfaces from WAN
level: high
---
title: C0XMO Botnet - Multi-Arch Binary Download
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects the download of architecture-named binaries to temporary directories on Linux routers, a common stage in C0XMO infection chains.
references:
    - https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.initial_access
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection_tool:
        Image|endswith:
            - '/wget'
            - '/curl'
            - '/tftp'
    selection_dir:
        CommandLine|contains:
            - '/tmp/'
            - '/var/tmp/'
            - '/dev/shm/'
    selection_arch:
        CommandLine|contains:
            - '.mips'
            - '.arm'
            - '.x86'
            - '.sh4'
    condition: all of selection_*
falsepositives:
    - Legitimate system updates or package installations
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious iptables modifications indicative of C0XMO rival killing
Syslog
| where ProcessName in ("iptables", "busybox")
| where (SyslogMessage has "-A INPUT" or SyslogMessage has "-I INPUT") and (SyslogMessage has "-j DROP" or SyslogMessage has "-j REJECT")
| where SyslogMessage has_any ("--dport 23", "--dport 80", "--dport 8080")
| project TimeGenerated, HostName, ProcessName, SyslogMessage
| extend IoC = "iptables_drop_rule"
// Hunt for binary downloads to /tmp common in IoT botnets
Syslog
| where ProcessName in ("wget", "curl", "busybox", "tftp")
| where SyslogMessage has "/tmp/" or SyslogMessage has "/var/tmp/"
| where SyslogMessage matches regex @"\.(mips|arm|x86|sh4|ppc)"
| project TimeGenerated, HostName, ProcessName, SyslogMessage
| extend IoC = "binary_download"
Velociraptor VQL
-- Hunt for C0XMO indicators: iptables/busybox invocations adding rival-blocking rules.
-- iptables exits almost immediately, so a pslist() snapshot rarely catches it;
-- pair this hunt with a review of the active INPUT chain on the device.
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "^(iptables|busybox)$"
  AND CommandLine =~ "-[AI] INPUT"
  AND CommandLine =~ "-j (DROP|REJECT)"
  AND CommandLine =~ "--dport (23|80|8080)"

-- Running processes whose executable lives in a temporary drop directory
SELECT Pid, Name, Exe, CommandLine
FROM pslist()
WHERE Exe =~ "^/tmp/.*[.](mips|arm|sh4|x86)"
   OR Exe =~ "^/var/.*[.](mips|arm|sh4|x86)"

-- Check for established TCP connections to non-standard high ports (potential C2).
-- netstat() reports connection entries with a remote peer; a listening socket has
-- none, so an ESTABLISHED filter only makes sense on connections.
SELECT Pid, Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
FROM netstat()
WHERE Status =~ "ESTAB" AND Raddr.Port > 1024
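An on-device check that complements the hunts above, added here as an example (it is not part of the original advisory or of any Velociraptor artifact): because the iptables process is transient, it reads the live INPUT chain with iptables -S and flags DROP/REJECT rules on ports 23, 80 or 8080. The sample ruleset is constructed, and the script assumes a busybox sh with iptables on the router.

```shell
#!/bin/sh
# Added example, not from the original advisory: audit the live INPUT chain for
# the rival-blocking rules C0XMO is reported to add (DROP/REJECT on 23, 80, 8080).

# Constructed sample of `iptables -S INPUT` output, used when iptables is unavailable.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

# rival_block_rules: read rules in `iptables -S` format on stdin and print those
# that append/insert into INPUT, match dport 23/80/8080 and jump to DROP or REJECT.
# `--` stops grep from reading patterns that begin with '-' as options.
rival_block_rules() {
    grep -E -- '^-[AI] INPUT ' \
    | grep -E -- '--dport (23|80|8080)( |$)' \
    | grep -E -- '-j (DROP|REJECT)'
}

# count_rival_block_rules: number of matching rules on stdin (prints 0 when none).
count_rival_block_rules() {
    rival_block_rules | grep -c . || true
}

# Prefer the live ruleset; fall back to the constructed sample off-device.
if command -v iptables >/dev/null 2>&1; then
    RULES=$(iptables -S INPUT 2>/dev/null) || RULES=""
else
    RULES=$SAMPLE_RULES
fi

hits=$(printf '%s\n' "$RULES" | rival_block_rules) || true
if [ -n "$hits" ]; then
    echo "[!] DROP/REJECT rules on 23/80/8080 in INPUT chain (review against policy):"
    printf '%s\n' "$hits"
else
    echo "[+] No DROP/REJECT rules on ports 23/80/8080 found in INPUT chain."
fi
```

A legitimate WAN-hardening rule (one carrying -i <wan_if>) will also be listed, so compare each hit against the device's intended policy before removing it.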
Remediation Script (Bash)
#!/bin/sh
# Remediation script for C0XMO/Gafgyt infections on DD-WRT/Linux routers
# Run with root privileges. Written for busybox sh: DD-WRT's `ps` prints USER in
# column 2 (so `awk '{print $2}'` would not yield a PID) and usually lacks `file`,
# so processes are enumerated via /proc and ELF files are recognised by magic bytes.
echo "[*] Starting C0XMO Remediation Check..."

# Directories the payload is dropped into (adjust according to your policy)
DROP_DIRS="/tmp /var/tmp /dev/shm"

# 1. Identify and kill processes whose executable lives in a drop directory
echo "[+] Scanning for suspicious malicious processes..."
MALICIOUS_PIDS=""
for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*) MALICIOUS_PIDS="$MALICIOUS_PIDS $pid" ;;
    esac
done
if [ -n "$MALICIOUS_PIDS" ]; then
    echo "[!] Killing potential botnet PIDs:$MALICIOUS_PIDS"
    kill -9 $MALICIOUS_PIDS
else
    echo "[+] No suspicious processes found."
fi

# 2. Remove ELF binaries (magic bytes 0x7f 'E' 'L' 'F') from the drop locations
echo "[+] Cleaning up malicious binaries in $DROP_DIRS..."
for d in $DROP_DIRS; do
    [ -d "$d" ] || continue
    find "$d" -type f 2>/dev/null | while read -r f; do
        if head -c 4 "$f" 2>/dev/null | grep -q 'ELF'; then
            echo "[!] Removing $f"
            rm -f "$f"
        fi
    done
done

# 3. Reset iptables to a safe default (adjust ports according to your policy).
#    This also flushes the NAT table; on DD-WRT the stock firewall and NAT rules
#    are regenerated by restarting the firewall service or rebooting.
echo "[+] Flushing iptables to remove rival blocking rules..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Re-enable basic stateful firewalling
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Block inbound management from WAN (example: eth1 is WAN)
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 23 -j DROP

echo "[*] Remediation complete. Please verify firmware version and change credentials."
Remediation
1. Firmware Updates and Patching: Immediately check for and apply the latest firmware updates for DD-WRT devices. If the vendor has released a patch for the management interface flaw (referenced in recent advisories), apply it immediately. If running an end-of-life version, migrate to a supported build or replacement hardware.
2. Disable Remote Management: Ensure that remote administration (SSH/Telnet/HTTP) is disabled from the WAN interface. Access to the router management UI should be restricted to local LAN connections only.
3. Credential Hygiene: Change default administrative credentials immediately. Enforce strong, complex passwords for both the web interface and SSH access. Ensure that Telnet is disabled in favor of SSH if remote access is absolutely required internally.
4. Network Segmentation: Segment IoT and router management interfaces into a separate VLAN. This limits the ability of compromised edge devices to perform lateral movement into the core network.
5. Outbound Traffic Filtering: Implement egress filtering on firewalls so that devices cannot make unnecessary connections to non-standard high ports or to known-malicious or low-reputation IP addresses, preventing C2 beaconing.