Fortinet has uncovered a new botnet called C0XMO, built from the long-running Gafgyt malware family, that breaks into devices by exploiting an old flaw (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. A booby-trapped network request gives the attacker code execution with no login needed. Once in, C0XMO digs in with hidden files and cron jobs that re-run it every 15 minutes, then hunts down and deletes rival botnets and even researchers' security tools to keep the device to itself. A separate scanner spreads it across many chip types (ARM, MIPS, x86, and more), and infected devices are wired up to launch 19 kinds of denial-of-service floods.