Cyber Web Spider Blog – News

RondoDox Botnet’s Expansive Exploit Arsenal and IP Tactics

Posted on March 17, 2026 By CWS

A newly identified cyber threat, the RondoDox botnet, has emerged as a significant concern in recent months. It combines a vast array of vulnerability exploits with strategic use of residential internet infrastructure, making it a formidable threat.

Rapid Growth and Operational Scale

Initially discovered in May 2025, RondoDox quickly escalated its activities, with security honeypots recording substantial traffic generated by the botnet. It is now capable of executing up to 15,000 exploitation attempts daily, a volume that reflects both technical skill and operational discipline on the part of its operators.

RondoDox is built on the open-source Mirai botnet, which has been adapted by various threat actors. Unlike Mirai, which also scans for new targets, RondoDox exclusively focuses on denial-of-service (DoS) attacks. It supports exploits for 174 different vulnerabilities, a significant expansion beyond typical botnet capabilities.

Infrastructure and Exploit Arsenal

The botnet’s ability to target a wide range of devices is evident through its support for 18 system architectures, including x86_64, ARM, MIPS, and PowerPC. This adaptability allows it to compromise diverse internet-connected hardware.

Research by Bitsight revealed that RondoDox exploits 174 vulnerabilities, with 148 linked to known CVEs, and others supported by public proofs of concept. The botnet operators quickly incorporate newly disclosed vulnerabilities, as demonstrated by the rapid exploitation of CVE-2025-62593.

Strategic Use of Residential IPs

A remarkable aspect of RondoDox is its use of compromised residential IP addresses to host malware. Bitsight’s analysis tracked 32 IPs, split evenly between exploitation and hosting, with the latter mainly associated with ordinary ISPs in countries like the US, Canada, and China.

Compromised devices, such as smart home systems and Android TV servers, unknowingly serve as part of the botnet’s infrastructure. The hosting servers employ tactics to evade detection, including blacklisting mechanisms that display decoy content to analysts.

Implications and Defense Strategies

RondoDox’s rapid adoption of vulnerabilities and use of residential IPs highlight the need for robust cybersecurity measures. Organizations should regularly update devices exposed to the internet, disable unnecessary remote access, and monitor network activity for suspicious behavior using published indicators of compromise.
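As an added illustration (not code from Bitsight or from this article), the sketch below shows one way to apply published indicators to flow logs while keeping the two IP roles described above separate: inbound traffic from an exploitation IP is an attempt, whereas an internal device reaching a hosting IP suggests it is already fetching a payload. The log format, the function names and every address are assumptions; the indicator values are constructed placeholders from documentation ranges, not real RondoDox IoCs.

```python
import ipaddress

# Constructed placeholder indicators (RFC 5737 ranges), NOT real RondoDox IoCs.
IOC = {
    "exploitation": {"192.0.2.10", "192.0.2.11"},
    "hosting": {"198.51.100.7"},
}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log; assumed format: timestamp src dst dport action
SAMPLE_LOG = """\
2026-03-17T10:00:01Z 192.0.2.10 10.0.5.20 80 ALLOW
2026-03-17T10:00:03Z 192.0.2.10 10.0.5.21 8080 DENY
2026-03-17T10:00:09Z 10.0.5.20 198.51.100.7 80 ALLOW
2026-03-17T10:01:00Z 10.0.5.30 203.0.113.5 443 ALLOW
malformed line
"""

def is_internal(ip):
    """True if ip parses and falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL)

def triage(log_text, ioc=IOC):
    """Return (severity, kind, internal_host, indicator_ip, timestamp) tuples."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip lines that do not match the format
            continue
        ts, src, dst, _dport, action = parts
        if src in ioc["exploitation"] and is_internal(dst):
            # A blocked attempt is informational; an allowed one reached the device.
            sev = "high" if action == "ALLOW" else "info"
            findings.append((sev, "inbound-exploit-attempt", dst, src, ts))
        elif is_internal(src) and dst in ioc["hosting"] and action == "ALLOW":
            # An internal device contacting a payload host is the stronger signal.
            findings.append(("critical", "payload-fetch", src, dst, ts))
    return findings

def likely_compromised(findings):
    """Hosts that both received an allowed attempt and contacted a hosting IP."""
    hit = {f[2] for f in findings if f[:2] == ("high", "inbound-exploit-attempt")}
    fetched = {f[2] for f in findings if f[1] == "payload-fetch"}
    return sorted(hit & fetched)
```

Hosts returned by `likely_compromised` are the ones to isolate and investigate first; blocked inbound attempts alone mainly confirm that the perimeter rule is working.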

Copyright © 2026 Cyber Web Spider Blog – News.
