RondoDox Botnet’s Expansive Exploit Arsenal and IP Tactics

Posted on March 17, 2026 By CWS

A newly identified botnet, RondoDox, has emerged as a significant concern in recent months. It combines exploits for a vast array of vulnerabilities with strategic use of residential internet infrastructure.

Rapid Growth and Operational Scale

Initially discovered in May 2025, RondoDox quickly escalated its activity, and security honeypots recorded substantial traffic generated by the botnet. It is now capable of executing up to 15,000 exploitation attempts daily, which points to both technical skill and operational discipline on the part of its operators.

RondoDox is built on the open-source Mirai botnet, which has been adapted by various threat actors. Unlike Mirai, which also scans for new targets, RondoDox focuses exclusively on denial-of-service (DoS) attacks. It supports exploits for 174 different vulnerabilities, a significant expansion beyond typical botnet capabilities.

Infrastructure and Exploit Arsenal

The botnet’s ability to target a wide range of devices is evident through its support for 18 system architectures, including x86_64, ARM, MIPS, and PowerPC. This adaptability allows it to compromise diverse internet-connected hardware.

Research by Bitsight revealed that RondoDox exploits 174 vulnerabilities, with 148 linked to known CVEs, and others supported by public proofs of concept. The botnet operators quickly incorporate newly disclosed vulnerabilities, as demonstrated by the rapid exploitation of CVE-2025-62593.

Strategic Use of Residential IPs

A remarkable aspect of RondoDox is its use of compromised residential IP addresses to host malware. Bitsight’s analysis tracked 32 IPs, split evenly between exploitation and hosting, with the latter mainly associated with ordinary ISPs in countries like the US, Canada, and China.

Compromised devices, such as smart home systems and Android TV servers, serve as part of the botnet’s infrastructure without their owners’ knowledge. The hosting servers employ tactics to evade detection, including blacklisting mechanisms that display decoy content to analysts.

Implications and Defense Strategies

RondoDox’s rapid adoption of vulnerabilities and use of residential IPs highlight the need for robust cybersecurity measures. Organizations should regularly update devices exposed to the internet, disable unnecessary remote access, and monitor network activity for suspicious behavior using published indicators of compromise.
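
The monitoring advice above can use the split between exploitation IPs and hosting IPs: an inbound hit from an exploitation IP means a device was targeted, while an outbound connection to a hosting IP suggests a payload download. The sketch below is an added example, not code from Bitsight or this article; the flow-log format, the 10.0.0.0/8 internal range and all IP addresses (RFC 5737 documentation ranges) are constructed placeholders to be replaced with the published indicators.

```python
import ipaddress

# Placeholder indicators (RFC 5737 documentation ranges), NOT real RondoDox IoCs.
EXPLOIT_IPS = {"192.0.2.10", "192.0.2.11"}        # sources of exploitation attempts
HOSTING_IPS = {"198.51.100.20", "198.51.100.21"}  # residential hosts serving payloads
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# Constructed flow records: "timestamp src dst dport bytes"
SAMPLE_FLOWS = """\
2026-03-17T10:00:01Z 192.0.2.10 10.0.5.7 8080 412
2026-03-17T10:00:03Z 10.0.5.7 198.51.100.20 80 98304
2026-03-17T10:02:10Z 10.0.9.2 203.0.113.5 443 2048
2026-03-17T10:05:44Z 192.0.2.11 10.0.9.2 80 388
2026-03-17T10:09:30Z 10.0.7.7 198.51.100.21 80 65536
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(flow_text):
    """Return {internal_host: verdict} from flows matched against both IoC sets."""
    attempts, fetches = {}, {}  # host -> earliest attempt / latest fetch timestamp
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst = parts[0], parts[1], parts[2]
        try:
            if src in EXPLOIT_IPS and is_internal(dst):
                attempts[dst] = min(attempts.get(dst, ts), ts)
            elif is_internal(src) and dst in HOSTING_IPS:
                fetches[src] = max(fetches.get(src, ts), ts)
        except ValueError:
            continue  # unparsable address
    verdicts = {}
    for host in set(attempts) | set(fetches):
        attempt, fetch = attempts.get(host), fetches.get(host)
        if attempt and fetch and fetch >= attempt:
            verdicts[host] = "likely_compromised"  # exploit hit followed by payload fetch
        elif fetch:
            verdicts[host] = "payload_fetch"       # contacted a hosting IP, no attempt seen
        else:
            verdicts[host] = "targeted"            # exploit attempt only
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, verdict)
```

ISO 8601 UTC timestamps compare correctly as strings, which is what the ordering check relies on.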
