C0XMO is a modular botnet malware derived from Gafgyt that targets DD-WRT router firmware and a wide range of devices with different CPU architectures (ARM, MIPS, PowerPC, x86, etc.). It exploits CVE-2021-27137, a buffer overflow vulnerability allowing unauthenticated arbitrary code execution. The malware uses a Python-based scanner to identify vulnerable devices by scanning common ports and brute-forcing weak Telnet/SSH credentials. Upon infection, it installs itself in hidden directories, creates persistence mechanisms, and removes competing malware and interfering tools. C0XMO supports multiple DDoS attack vectors and communicates with a C2 server via a custom handshake protocol. Its advanced modular design allows operators to update exploitation methods and expand lateral movement capabilities independently.

C0XMO enables attackers to compromise a variety of networked devices, primarily routers running DD-WRT firmware, to build a botnet capable of launching diverse and powerful DDoS attacks. The malware's ability to remove competing malware and security tools increases its persistence and control over infected devices. Exploitation requires no authentication, increasing the risk to vulnerable devices with exposed services and weak credentials. The botnet's modular architecture and multi-architecture support enhance its propagation and operational sophistication.

No official patch status is provided in the available data. The primary mitigation recommendations are to keep devices updated with the latest firmware, use unique and strong administrative credentials, and disable remote access services such as Telnet and SSH when not required. Network defenders should verify that devices are not vulnerable to CVE-2021-27137 and monitor for signs of compromise. Since this is not a cloud service, remediation depends on device owners applying these best practices and firmware updates if available. Patch status is not yet confirmed — check vendor advisories for current remediation guidance.