Fortinet has uncovered a new botnet called C0XMO, built from the long-running Gafgyt malware family, that breaks into devices by exploiting an old flaw (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. A booby-trapped network request gives the attacker code execution with no login needed. Once in, C0XMO digs in with hidden files and cron jobs that re-run it every 15 minutes, then hunts down and deletes rival botnets and even researchers' security tools to keep the device to itself. A separate scanner spreads it across many chip types (ARM, MIPS, x86, and more), and infected devices are wired up to launch 19 kinds of denial-of-service floods.
Akamai's Security Intelligence and Response Team caught a Mirai variant actively exploiting CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers, roughly one year after the vulnerability was publicly disclosed and its proof-of-concept exploit posted to GitHub (and later removed). The flaw lives in the sub_42232C function of the router firmware, where an attacker-controlled macaddr field is copied into a command buffer via snprintf and passed to system() without validation, enabling remote command execution through a crafted POST to /goform/set_prohibiting. Firmware versions 240126 and 24082 are affected. D-Link retired the DIR-823X line in 2025, so there is no vendor patch and no vendor patch coming. The Mirai variant, called 'tuxnokill' by its authors, drops from 88.214.20[.]14 via a simple shell script, supports multiple CPU architectures, uses XOR key 0x30 to obfuscate strings, and phones home to 64.89.161[.]130 on TCP port 44300. The same operator is chaining D-Link alongside CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, giving them a diverse pool of end-of-life consumer routers to enslave. At the time Akamai reported, CVE-2025-29635 was not yet on the CISA KEV catalog. The lesson: public PoCs against dead hardware do not stay dormant forever, and the 'wait for active exploitation' instinct gives attackers a year's head start.