Fast Facts
- A new botnet, RondoDox, utilizes over 50 exploits across 30+ vendors, targeting routers, DVRs, and network devices to conduct DDoS, cryptomining, and hacking activities.
- It exploits multiple CVEs, including critical command injection vulnerabilities, with some added to CISA’s KEV list, emphasizing urgent patching needs.
- RondoDox broadens its reach by using loader-as-a-service infrastructure, distributing alongside Mirai and Morte payloads to evade detection.
- The campaign demonstrates a persistent threat to internet-exposed infrastructure, employing sophisticated methods like traffic impersonation and rapid infrastructure rotation.
The Issue
A new and aggressive botnet named RondoDox emerged in mid-2025, employing a wide-ranging “shotgun” strategy that exploits over 50 vulnerabilities in various network devices—including routers, DVRs, CCTV systems, and web servers from more than 30 different vendors. Its initial activity centered on exploiting a command injection flaw in TP-Link routers (CVE-2023-1389), disclosed at a 2022 hacking contest, but it quickly expanded its targeting to other critical vulnerabilities such as those in TBK DVRs and Four-Faith routers, including high-severity issues identified by recent CVEs. RondoDox’s operators have demonstrated sophistication in covering their tracks by rapidly changing infrastructure, deploying malware alongside other well-known payloads like Mirai and Morte, and utilizing a loader-as-a-service setup—making detection and mitigation increasingly difficult.
The FBI- and cyber security firm CloudSek have reported a significant escalation in attacks—over 230% since mid-2025—primarily driven by exploiting weak credentials, unsanitized inputs, and outdated vulnerabilities. The infected devices are exploited for malicious activities like cryptocurrency mining, launching distributed denial-of-service (DDoS) attacks, and infiltrating enterprise networks. This widespread and varied attack surface highlights the urgent need for organizations to patch vulnerabilities and tighten security, especially given RondoDox’s ability to conceal malicious traffic by mimicking gaming platforms or VPN services. The report emphasizes not only the threat posed by this evolving botnet but also the persistent risks faced by internet-connected infrastructure that remains inadequately protected.
Risks Involved
The emergence of the RondoDox botnet in mid-2025 highlights a escalating cyber threat landscape characterized by a ‘shotgun’ approach, exploiting over 50 vulnerabilities across more than 30 vendors’ devices—including routers, DVRs, and web servers—through command injection flaws and legacy CVEs. This widespread infection, driven by weak credentials and outdated vulnerabilities, facilitates malicious activities such as cryptocurrency mining, DDoS assaults, and enterprise network breaches. Its rapid infrastructure rotation and deployment of co-packaged Mirai and Morte payloads exacerbate detection challenges, while its ability to target ARM, MIPS, and Linux architectures via sophisticated obfuscation tactics underscores critical vulnerabilities in organizations’ internet-facing assets. The unchecked proliferation of such threats underscores the urgent necessity for rigorous patching, advanced security controls, and proactive monitoring to mitigate pervasive risks arising from unpatched, exposed network infrastructure.
Possible Next Steps
Addressing the threat posed by the RondoDox botnet’s exploit shotgun approach is crucial, as delays in remediation can lead to widespread data breaches, financial loss, and damaged reputations, emphasizing the need for swift and effective response strategies.
Mitigation Steps
Monitoring Traffic
Implement real-time network monitoring to detect unusual activity indicative of RondoDox’s exploits.
Identify Infections
Use updated antivirus and anti-malware tools to scan and identify infected systems quickly.
Patch Vulnerabilities
Apply the latest security patches and updates to close known vulnerabilities exploited by RondoDox.
Isolate Systems
Immediately quarantine compromised machines to prevent further propagation of the malware.
Disable Malicious Processes
Terminate suspicious processes and remove malicious files identified during scans.
User Awareness
Educate staff on recognizing phishing attempts and suspicious activity to prevent initial infection.
Change Credentials
Reset passwords and implement multi-factor authentication to protect sensitive accounts.
Deploy Security Tools
Utilize intrusion detection and prevention systems tailored to recognize RondoDox’s signatures.
Collaboration & Reporting
Coordinate with cybersecurity authorities for threat intelligence sharing and reporting incidents.
Timely action across these measures significantly reduces the risk of extensive damage and helps safeguard organizational assets against this opportunistic threat.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
