New DD-WRT Bug Hijacks Routers For Malware Extermination
By 813 Staff

BleepingComputer (@BleepinComputer) reported the story within the last 24 hours.
Source: https://x.com/BleepinComputer/status/2063626582040686943
When security researchers first noticed a sudden drop in global IoT botnet activity last month, many assumed law enforcement had finally scored a takedown. The reality, according to internal documents from multiple threat intelligence firms, is stranger. A new self-propagating botnet, tracked as C0XMO, is actively exploiting a critical vulnerability in the DD-WRT open-source router firmware and then systematically deleting rival malware from the devices it infects. The behavior, first publicly documented by BleepingComputer (@BleepinComputer) on June 7, 2026, is a twist on a familiar tactic: botnets such as Mirai have long killed competing processes on a device they compromise, but C0XMO makes that housekeeping its defining feature, a piece of malware whose first job is to kill its competition.
The vulnerability in question, which engineers close to the project say has been known to the DD-WRT development team for at least six months, gives C0XMO remote code execution on devices running unpatched builds of the popular third-party router OS. Once inside, the botnet drops a payload that scans the device for other malicious processes, including strains of Mirai, Mozi, and the recently resurgent FBot, and terminates them. The rollout has been anything but smooth for defenders. Because DD-WRT is community-maintained and runs on hundreds of consumer and small-office router models, fixed builds have been slow to reach devices; DD-WRT has no automatic update mechanism, so every owner has to flash a new build by hand. Linksys, Netgear, and Asus hardware running DD-WRT builds that have not been updated since late 2025 remains widely exposed.
What makes C0XMO particularly alarming is its motive. Unlike vigilante malware of the past, such as the infamous BrickerBot, which aimed to permanently disable insecure devices, C0XMO appears designed to carve out a clean, exclusive foothold for its unknown operators. By eradicating rival botnets it ensures that all of a compromised device's bandwidth, processing power, and memory serve C0XMO's command-and-control infrastructure alone. That consolidation yields a leaner, more resilient network for DDoS attacks, cryptocurrency mining, or credential theft.
To date, the botnet is estimated to have infected tens of thousands of routers worldwide, with the highest concentrations in North America and Southeast Asia. Researchers are still working to identify the operators behind C0XMO; no group has claimed responsibility. It remains unclear whether the DD-WRT project will issue an urgent security advisory or whether the burden will fall entirely on end users to flash clean firmware. For anyone still running an unpatched DD-WRT router in 2026, the message from the threat intelligence community is blunt: disconnect it now. Whatever the exploited service turns out to be, the basic hygiene still applies: compare the build number and date shown on the router's status page against the current DD-WRT release, flash a current build, and confirm that the web interface, SSH, and Telnet are not reachable from the WAN side.
