SECURITYINTEL DAILY BRIEF
■ ThreatIntel Brief | Monday, June 08, 2026 | INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: C0XMO Botnet Targets Vulnerable DD-WRT Routers | CRITICAL

5 C2 IPs | 62 OTX IOCs | 5 ARTICLES

■ ANALYST TLDR
The newly discovered C0XMO botnet, a Gafgyt variant, is actively exploiting DD-WRT router firmware to compromise network devices across multiple CPU architectures. Concurrently, the Silent Ransom Group is executing highly effective social engineering campaigns targeting U.S. law firms via fake IT support calls to steal sensitive data. Organizations must prioritize securing edge devices and raising employee awareness against vishing tactics.

■ CRITICAL STORIES
C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
  This Gafgyt-derived botnet targets edge routers to build a cross-architecture DDoS network while eliminating competing malware on the devices it compromises.
Silent Ransom Group targets law firms with fake IT support calls
  This extortion group uses highly convincing vishing attacks to gain initial access to law firms and professional services firms, followed by rapid data exfiltration and ransom demands.
Hands on with Intelligent Terminal, an AI-powered Windows Terminal
  Microsoft's new open-source fork integrates AI capabilities directly into the terminal environment; security teams should monitor it for potential data leakage and prompt injection risks.

■ CVEs IDENTIFIED
[CVE-TBD] DD-WRT Router Firmware — Remote Code Execution / Device Compromise

■ THREAT ACTORS
C0XMO Botnet (Gafgyt variant) | Botnet / Malware
  Exploiting DD-WRT routers and terminating rival malware
Silent Ransom Group | Cybercrime / Extortion Group
  Targeting U.S. law firms with fake IT support vishing calls

■ ATT&CK TTPs
T1190     | Exploit Public-Facing Application      | C0XMO botnet exploiting DD-WRT router vulnerabilities
T1566.004 | Phishing: Voice                        | Silent Ransom Group using fake IT support calls (vishing) for initial access
T1048     | Exfiltration Over Alternative Protocol | Silent Ransom Group exfiltrating data within hours of contact
T1489     | Service Stop                           | C0XMO botnet killing rival malware processes on compromised routers

■ PATCH PRIORITY
DD-WRT Router Firmware — Active exploitation by C0XMO botnet leading to device compromise — BleepingComputer
Microsoft Windows Terminal / Intelligent Terminal — New AI-enabled fork requires evaluation for data loss prevention (DLP) controls — BleepingComputer

■ RECOMMENDED ACTIONS TODAY
1. [P1] Audit and patch all edge devices running DD-WRT Router Firmware to mitigate the [CVE-TBD] vulnerability exploited by the C0XMO botnet.
2. [P1] Implement strict verification protocols for internal IT support calls to defend against Silent Ransom Group's vishing campaigns targeting law firms.
3. [P2] Monitor and restrict the installation of unauthorized terminal software, specifically Microsoft's new Intelligent Terminal fork, to prevent unmonitored AI interactions.
4. [P2] Deploy endpoint detection and response (EDR) rules to identify rapid data exfiltration patterns associated with Silent Ransom Group activity.

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS      | PORT | STATUS  | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet  | US
50.16.16.211    | 443  | ONLINE  | QakBot  | US
34.204.119.63   | 443  | OFFLINE | QakBot  | US
178.62.3.223    | 443  | OFFLINE | QakBot  | GB
27.133.154.218  | 443  | OFFLINE | QakBot  | JP

FULL IOC EXPORT — GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily. Export as CSV to import directly into your tools.
|
IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB