A fresh router botnet story is a reminder that old firmware never really disappears from the internet. BleepingComputer reported that a new Gafgyt-based variant called C0XMO is targeting DD-WRT routers and then branching out toward DVRs, routers, video management systems, Android-based devices, and other internet-facing hardware.
The issue is not just that C0XMO can infect a router. The more worrying part is how broad and modular the malware looks. Researchers found samples for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures. That tells us the operators are not aiming at one narrow device family. They are building a flexible toolset for messy real-world networks where old firmware, weak passwords, exposed management panels, and forgotten devices all sit together.
This fits a pattern we have covered before in our Cisco SD-WAN zero-day story: network gear has become one of the most attractive targets because it is powerful, always on, and often patched slower than laptops or phones.
## What makes C0XMO different
C0XMO still behaves like a DDoS botnet at its core. It can launch multiple flood methods and wait for commands from its controller. But the newer details make it more serious than a simple copy-and-paste botnet. The malware uses a scanner, looks for common remote access ports, attempts weak Telnet and SSH credentials, checks the CPU architecture, and then deploys a matching binary. That kind of workflow is built for scale.
| Layer | What C0XMO does | Why it matters |
|---|---|---|
| Entry | Targets DD-WRT and other exposed systems. | Old routers can become the first foothold. |
| Spread | Scans SSH, Telnet, HTTP, and other common ports. | Flat networks give it more room to move. |
| Persistence | Uses hidden locations and scheduled relaunches. | Simple rebooting may not remove it. |
| Competition | Looks for rival malware and removes it. | The infected device becomes more fully controlled. |
The competitor-killing behavior is especially telling. Botnets are not only fighting defenders. They are also fighting each other for the same low-maintenance devices. If a compromised router can generate attack traffic, act as infrastructure, or hide scans, it becomes a useful piece of someone else's business.
That also means defenders should not treat a slow router or an odd traffic spike as a harmless nuisance. The early signs can be small: strange outbound connections, repeated login attempts, changed DNS behavior, unknown scheduled tasks, or a device that keeps returning to the same suspicious process after reboot. Home users may never check those logs, but small offices and managed service providers should. A router compromise can quietly sit outside the normal endpoint detection stack, which is exactly why attackers like it.
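The early signs listed above can be checked mechanically. The following is an added example, not code from the article or from the researchers it cites: a small Python triage script run over a handful of constructed router syslog lines (Dropbear SSH failures, iptables-style LOG lines with an assumed `OUT:` prefix, a cron entry, and a dnsmasq nameserver line) that flags repeated failed logins from one source, the router itself opening connections to remote-access ports, scheduled commands launched from world-writable or hidden paths, and a resolver that differs from the one the team expects. Thresholds and the expected DNS server are assumptions to be tuned per site.

```python
import re
from collections import Counter

# Constructed sample log, syslog-like, not captured from any real device.
SAMPLE_LOG = """\
Jan 10 02:11:01 router dropbear[412]: Bad password attempt for 'admin' from 198.51.100.7:51122
Jan 10 02:11:03 router dropbear[412]: Bad password attempt for 'admin' from 198.51.100.7:51123
Jan 10 02:11:05 router dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:51124
Jan 10 02:11:07 router dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:51125
Jan 10 02:11:09 router dropbear[412]: Bad password attempt for 'admin' from 198.51.100.7:51126
Jan 10 02:12:00 router dropbear[412]: Bad password attempt for 'admin' from 203.0.113.9:40001
Jan 10 02:15:44 router kernel: OUT: SRC=192.168.1.1 DST=203.0.113.55 PROTO=TCP DPT=23
Jan 10 02:15:45 router kernel: OUT: SRC=192.168.1.1 DST=203.0.113.56 PROTO=TCP DPT=23
Jan 10 02:16:00 router kernel: OUT: SRC=192.168.1.1 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 10 02:20:10 router cron[501]: (root) CMD (/tmp/.x/run >/dev/null 2>&1)
Jan 10 02:21:00 router dnsmasq[300]: using nameserver 198.51.100.53#53
"""

# Line shapes this example assumes; adjust the patterns to your firmware's real output.
FAILED_LOGIN = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<src>[\d.]+):\d+")
OUTBOUND = re.compile(r"OUT: SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")
CRON_CMD = re.compile(r"cron\[\d+\]: \((?P<user>\w+)\) CMD \((?P<cmd>.*)\)$")
NAMESERVER = re.compile(r"using nameserver (?P<ns>[\d.]+)#\d+")

# Paths a legitimate scheduled job on a router should not normally launch from.
SUSPICIOUS_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# A router initiating connections to these ports is a scanning/spreading signal.
REMOTE_ACCESS_PORTS = {"22", "23", "2323"}


def analyze(log_text, expected_dns, failed_login_threshold=5):
    """Return a list of (finding_kind, detail) tuples for the given log text."""
    findings = []
    failures = Counter()        # failed logins per source address
    outbound_remote = Counter() # router-originated connections per remote-access port
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m["src"]] += 1
            continue
        m = OUTBOUND.search(line)
        if m:
            if m["dpt"] in REMOTE_ACCESS_PORTS:
                outbound_remote[m["dpt"]] += 1
            continue
        m = CRON_CMD.search(line)
        if m:
            cmd = m["cmd"]
            # Launch from a temp directory or a dot-directory is a persistence red flag.
            if cmd.startswith(SUSPICIOUS_PATHS) or "/." in cmd:
                findings.append(("suspicious_cron", cmd))
            continue
        m = NAMESERVER.search(line)
        if m and m["ns"] not in expected_dns:
            findings.append(("dns_changed", m["ns"]))
    for src, n in failures.items():
        if n >= failed_login_threshold:
            findings.append(("repeated_failed_logins", f"{src} ({n} attempts)"))
    for dpt, n in outbound_remote.items():
        findings.append(("outbound_remote_access", f"{n} connection(s) to port {dpt}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG, expected_dns=("192.0.2.1",)):
        print(f"{kind:24s} {detail}")
```

A single failed login (the 203.0.113.9 line) stays below the threshold and is not reported; the point is to surface the pattern, not every noisy line. On a real deployment the same logic would run against logs shipped off the router, since a compromised device cannot be trusted to keep its own history.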
## What owners should do now
The first move is boring but important: check whether the router still receives firmware updates. If it does, install them. If it does not, the device should not be exposed to the internet and may need to be replaced. Old routers often stay in service because they still pass traffic, but security support is what decides whether they belong in a modern network.
Remote administration should be disabled unless there is a real operational reason for it. Default passwords should be gone. Telnet should not be reachable. SSH should be restricted and protected with strong credentials or keys. For offices, guest Wi-Fi, cameras, storage boxes, and building systems should not all share the same trusted network.
Small teams should also keep a simple device inventory. It does not need to be fancy. A spreadsheet with model, firmware version, owner, admin URL, support status, and replacement date is enough to catch the forgotten boxes. The worst router in the office is usually not the main one people think about. It is the old travel router, DVR, access point, or test device that was plugged in once and never removed.
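The three steps above (confirm support status, strip remote admin and Telnet, keep an inventory) can be folded into one check over that spreadsheet. The following is an added example, not part of the article: a Python script that reads a constructed CSV in the suggested layout, with two extra columns (`remote_admin`, `telnet`) that this example assumes the team records, and produces a ranked list of devices with the reasons each needs attention.

```python
import csv
import io
from datetime import date

# Constructed inventory, not real devices. Columns follow the article's suggestion
# plus two assumed ones, remote_admin and telnet, recorded as yes/no.
INVENTORY_CSV = """\
model,firmware_version,owner,admin_url,support_status,replacement_date,remote_admin,telnet
WRT54GL (DD-WRT),v24-sp2,netops,http://192.168.1.1,end-of-life,,yes,yes
ER-X,2.0.9,netops,https://192.168.1.2,supported,2027-06-30,no,no
DVR-8CH,1.3.0,,http://192.168.1.40,unknown,,yes,yes
TravelRouter,1.0.2,,http://192.168.1.77,end-of-life,2024-01-01,no,no
"""


def triage(csv_text, today):
    """Return [(model, [issue, ...]), ...] sorted so the device with most issues is first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    report = []
    for r in rows:
        issues = []
        # Anything not explicitly supported is treated as unsupported: "unknown" is not a pass.
        if r["support_status"].strip().lower() != "supported":
            issues.append("no vendor security support: isolate or replace")
        if r["remote_admin"].strip().lower() == "yes":
            issues.append("remote administration enabled: disable unless required")
        if r["telnet"].strip().lower() == "yes":
            issues.append("Telnet reachable: disable; use SSH with keys")
        if not r["owner"].strip():
            issues.append("no owner: likely a forgotten device")
        rd = r["replacement_date"].strip()
        if rd and date.fromisoformat(rd) <= today:
            issues.append("replacement date passed")
        if issues:
            report.append((r["model"], issues))
    # Stable sort: most issues first, original order preserved among ties.
    report.sort(key=lambda item: len(item[1]), reverse=True)
    return report


if __name__ == "__main__":
    for model, issues in triage(INVENTORY_CSV, date.today()):
        print(model)
        for issue in issues:
            print("  -", issue)
```

The `support_status` test is deliberately strict: a blank or "unknown" value counts against the device, because the boxes nobody can vouch for are exactly the ones the article warns about. Devices with no findings are left off the report so the list stays short enough that someone actually reads it.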
The practical takeaway is simple: router security is now endpoint security. A forgotten edge device can be the quietest machine in the building and still become the loudest participant in a DDoS attack.