Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors

Steven

Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors

Summary

Security researchers have observed the RondoDox malware campaign expanding into a broad, automated exploitation operation that weaponises more than 50 vulnerabilities across over 30 vendors. Trend Micro describes the activity as an “exploit shotgun” aimed at internet-exposed infrastructure — routers, DVRs/NVRs, CCTV devices, web servers and other networked kit — to build botnet armies for DDoS and other payloads.

RondoDox was detected exploiting TP-Link’s CVE-2023-1389 and was first documented by Fortinet in July 2025 targeting TBK DVRs and Four-Faith routers. The campaign now uses a loader-as-a-service model that co-delivers RondoDox with Mirai/Morte payloads, increasing propagation speed and operational scale. Trend Micro notes 56 vulnerabilities in the current arsenal, 18 of which lack CVE identifiers, affecting vendors such as D-Link, NETGEAR, QNAP, Cisco, Zyxel and many more.

Key Points

  • RondoDox has broadened to weaponise ~56 vulnerabilities across 30+ vendors, with 18 flaws lacking CVE IDs.
  • Targets include routers, DVRs/NVRs, CCTV systems, web servers and other internet-exposed devices.
  • Attackers are using a loader-as-a-service model that bundles RondoDox with Mirai and Morte, raising infection rates and complicating detection.
  • Trend Micro observed an intrusion attempt on 15 June 2025 exploiting CVE-2023-1389 in TP-Link Archer devices.
  • The campaign is multivector and automated — described as evolving from opportunistic single-device compromise to centralised, multi-payload operations.
  • Large-scale botnet activity (e.g. AISURU) and coordinated RDP attack waves highlight the broader trend of IoT and SOHO devices fuelling record DDoS capacity.
  • Traffic linked to recent waves originates largely from Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador and others.
  • Immediate mitigations include patching, disabling exposed services, changing default credentials and network segmentation.

Context and Relevance

This development sits squarely within a growing trend: botnets moving from single-exploit campaigns to scalable, modular distribution systems (loader-as-a-service) that pair multiple payloads. That makes containment harder — a single compromise can yield a variety of threats at once (DDoS, crypto abuse, further lateral spread).

For network owners, MSPs and security teams this is a timely reminder that legacy devices, unpatched firmwares and default credentials remain primary attack vectors. The RondoDox expansion also underscores how IoT and consumer-grade routers contribute disproportionately to the global DDoS ecosystem, feeding larger botnets like AISURU and Mirai variants.

Why should I read this?

Short version: it’s a tidy wake-up call. If you run networks, manage IoT or secure endpoints, this article tells you where the shockwaves are coming from — an expanding, fast-moving botnet that bundles multiple malware families. Patch, lock down defaults and watch exposed services now, not later.

Source

Source: https://thehackernews.com/2025/10/researchers-warn-rondodox-botnet-is.html