Hot radar note: BleepingComputer reported C0XMO botnet activity against DD-WRT routers within the last 12 hours. Omellody classifies it as S-level because router compromise can affect every device on a home or office network.
What happened
BleepingComputer reported on June 7, 2026 that the C0XMO botnet is spreading through a DD-WRT router flaw and killing rival malware on infected devices. That combination makes the story unusually urgent for ordinary households and small offices: the target is not a single laptop, but the network device every phone, laptop, camera, printer, and smart TV depends on.
Router botnets are dangerous because they hide in infrastructure people rarely inspect. A compromised router can relay traffic, change DNS settings, proxy abuse, interfere with security updates, and expose every connected device to suspicious redirects. Even when the first visible symptom is slow internet, the hidden problem can be credential theft, malicious advertising, or participation in attacks against other networks.
Omellody classifies this as S-level because it combines a current exploit report, consumer-facing router firmware, botnet spread, and active malware competition. That is exactly the type of event where readers need a practical protection guide rather than a pure news summary.
Who is at risk
The highest-risk group is anyone running DD-WRT builds that have not been updated or that expose management services to the internet. Small businesses, home labs, remote workers, and privacy-conscious users often install custom router firmware for flexibility, but custom firmware still needs the same discipline as any other internet-facing system: updates, configuration review, and minimal exposure.
Households can be affected even if they never log in to the router after setup. Old passwords, default admin panels, UPnP rules, port forwards, stale VPN services, and forgotten test configurations all widen the attack surface. If you bought a used router or inherited a preconfigured device, assume you need to audit it from scratch.
Immediate checklist
- Confirm your router model, firmware version, and whether it runs DD-WRT.
- Update to a current trusted firmware build from the official project or vendor source.
- Disable remote administration unless you have a specific, locked-down need.
- Change the router administrator password and remove unknown admin accounts.
- Review DNS servers, port forwards, UPnP rules, VPN services, and startup scripts.
- Reboot after patching, then monitor for unusual bandwidth, DNS errors, or repeated crashes.
- Scan computers and phones for fake update downloads or phishing pages reached during the compromise window.
If you suspect compromise, export only the settings you understand, factory reset, install clean firmware, and rebuild the configuration manually. Restoring a full old backup can reintroduce malicious scripts or unsafe rules.
How to reduce follow-up damage
Router compromise often becomes a second-wave problem. Attackers can use poisoned DNS to send users to fake bank logins, fake antivirus downloads, fake password manager pages, or counterfeit software updates. That is why endpoint protection and password hygiene still matter even though antivirus does not clean the router itself.
Use a password manager to rotate accounts that were entered during suspicious redirect windows. Prioritize email, bank, payment, work, cloud storage, and router/VPN credentials. Enable MFA that uses authenticator apps or hardware keys where possible. If a family member installed a fake “router fix” or “firmware updater,” treat that device as potentially infected and scan it before changing passwords.
Signs your router may need deeper inspection
Most router infections do not announce themselves with a dramatic warning screen. The signs are usually indirect: devices load search results through unfamiliar domains, browsers complain about certificate errors, DNS settings change after reboot, smart-home devices go offline, video calls become unstable, or the router admin page shows logins you do not recognize. Some households notice higher upload traffic at night or warnings from streaming services and banking sites that the connection looks unusual.
Do not assume every slowdown means botnet infection, but do treat unexplained router changes seriously. Check the WAN IP, DNS servers, firewall rules, port forwards, DHCP leases, and startup commands. If DD-WRT shows custom scripts you did not create, unknown SSH keys, unfamiliar scheduled jobs, or services listening on the internet side, move to a clean rebuild rather than trying to delete one suspicious line at a time. A clean rebuild means downloading firmware from a trusted source, verifying you are on the correct model page, resetting configuration, and rebuilding only required settings.
Small-office playbook
Small offices should treat router incidents as business continuity events. The router may be the path to point-of-sale systems, file shares, VoIP phones, cameras, guest Wi-Fi, remote desktops, and cloud admin panels. Assign one owner for the incident, document the router model and firmware version, photograph critical settings before changing them, and record the time of each reboot or configuration change. That timeline helps if you later need to explain downtime to a vendor, insurer, or customer.
After patching, segment guest Wi-Fi from work devices, disable unused services, and require unique administrator passwords stored in a shared business password manager. If remote administration is necessary, put it behind a VPN and restrict it by account and source IP where possible. Finally, schedule a monthly firmware check. Router security fails when it becomes invisible; a recurring reminder is cheaper than emergency cleanup.
Recommended protection stack
| Product | Rating | Best for | Price | Strengths |
|---|---|---|---|---|
| Bitdefender Total Security | 4.8/5 | malware, phishing, and ransomware blocking | From about $39.99/year promo pricing | Excellent malware and ransomware defense; Strong malicious-site filtering |
| Norton 360 Deluxe | 4.7/5 | families that want antivirus, VPN, backup, and identity extras | From about $49.99/year promo pricing | Broad all-in-one security suite; Useful dark-web monitoring and backup |
| Malwarebytes Premium | 4.5/5 | cleanup after suspicious downloads and exploit attempts | From about $44.99/year | Simple remediation workflow; Strong browser and scam blocking |
| 1Password | 4.8/5 | rotating reused passwords after a breach or scam | From $2.99/month billed annually | Excellent vault design; Watchtower alerts for weak or reused passwords |
| NordVPN | 4.7/5 | privacy on public Wi-Fi and malicious-domain filtering | From about $3-$5/month on long-term plans | Fast network and Threat Protection features; Strong apps across major platforms |
Bitdefender Total Security
Best for malware, phishing, and ransomware blockingA practical layer in a post-incident protection stack when phishing, fake updates, stolen passwords, or malicious downloads follow a breaking security story.
✅ Pros
- Excellent malware and ransomware defense
- Strong malicious-site filtering
❌ Cons
- Unlimited VPN costs extra
- Renewal pricing can rise
Price: From about $39.99/year promo pricing Rating: 4.8/5
Norton 360 Deluxe
Best for families that want antivirus, VPN, backup, and identity extrasA practical layer in a post-incident protection stack when phishing, fake updates, stolen passwords, or malicious downloads follow a breaking security story.
✅ Pros
- Broad all-in-one security suite
- Useful dark-web monitoring and backup
❌ Cons
- Interface includes upsells
- Full identity protection costs more
Price: From about $49.99/year promo pricing Rating: 4.7/5
Malwarebytes Premium
Best for cleanup after suspicious downloads and exploit attemptsA practical layer in a post-incident protection stack when phishing, fake updates, stolen passwords, or malicious downloads follow a breaking security story.
✅ Pros
- Simple remediation workflow
- Strong browser and scam blocking
❌ Cons
- Fewer suite extras
- Family controls are limited
Price: From about $44.99/year Rating: 4.5/5
1Password
Best for rotating reused passwords after a breach or scamA practical layer in a post-incident protection stack when phishing, fake updates, stolen passwords, or malicious downloads follow a breaking security story.
✅ Pros
- Excellent vault design
- Watchtower alerts for weak or reused passwords
❌ Cons
- Not antivirus
- No permanent full-featured free tier
Price: From $2.99/month billed annually Rating: 4.8/5
NordVPN
Best for privacy on public Wi-Fi and malicious-domain filteringA practical layer in a post-incident protection stack when phishing, fake updates, stolen passwords, or malicious downloads follow a breaking security story.
✅ Pros
- Fast network and Threat Protection features
- Strong apps across major platforms
❌ Cons
- Best price needs long commitment
- VPN does not remove malware
Price: From about $3-$5/month on long-term plans Rating: 4.7/5
FAQ
Is C0XMO only a DD-WRT problem?
The confirmed report centers on DD-WRT router exploitation, but the practical lesson applies to any exposed or outdated router firmware: patch quickly, disable unnecessary remote administration, and watch for unusual DNS, bandwidth, or device behavior.
Will antivirus remove malware from a router?
No. Antivirus protects computers and phones from follow-up malware and phishing, but router cleanup usually requires firmware updates, credential resets, configuration review, and sometimes a factory reset.
Should I replace an old router after a botnet report?
Replace it if the vendor no longer ships security updates, if you cannot confirm firmware integrity, or if the admin interface remains exposed to the internet. Supported firmware is a security requirement, not a luxury.
Does a VPN stop router botnets?
A VPN protects traffic privacy for devices using it, but it does not patch the router or stop malware already running on the router. Fix firmware, admin exposure, passwords, and DNS settings first.
What is the fastest home response?
Update router firmware, turn off remote admin, change the router admin password, reboot, review DNS and port-forwarding settings, then scan household devices for malware or phishing fallout.
Bottom line
Patch the router first, then harden credentials and devices so one exploited firmware flaw does not become credential theft, malware installation, or account takeover.