Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors.
The activity, described as akin to an “exploit shotgun” approach, has singled out a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices, according to Trend Micro.
The cybersecurity company said it detected a RondoDox intrusion attempt on June 15, 2025, when the attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has come under active exploitation repeatedly since it was first disclosed in late 2022.
RondoDox was first documented by Fortinet FortiGuard Labs back in July 2025, detailing attacks aimed at TBK digital video recorders (DVRs) and Four-Faith routers to enlist them in a botnet for carrying out distributed denial-of-service (DDoS) attacks against specific targets using HTTP, UDP, and TCP protocols.
“More recently, RondoDox broadened its distribution by using a ‘loader-as-a-service’ infrastructure that co-packages RondoDox with Mirai/Morte payloads – making detection and remediation more urgent,” Trend Micro said.
RondoDox’s expanded arsenal of exploits includes nearly five dozen security flaws, out of which 18 don’t have a CVE identifier assigned. The 56 vulnerabilities span various vendors such as D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.
“The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation,” the company added. “It’s a clear signal that the campaign is evolving beyond single-device opportunism into a multivector loader operation.”
Late last month, CloudSEK revealed details of a large-scale loader-as-a-Service botnet distributing RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise apps by weaponizing weak credentials, unsanitized inputs, and old CVEs.
The development comes as security journalist Brian Krebs noted that the DDoS botnet known as AISURU is “drawing a majority of its firepower” from compromised IoT devices hosted on U.S. internet providers like AT&T, Comcast, and Verizon. One of the botnet’s operators, Forky, is alleged to be based in Sao Paulo, Brazil, and is also linked to a DDoS mitigation service called Botshield.
In recent months, AISURU has emerged as one of the largest and most disruptive botnets, responsible for some of the record-setting DDoS attacks seen to date. Built on the foundations of Mirai, the botnet controls an estimated 300,000 compromised hosts worldwide.
The findings also follow the discovery of a coordinated botnet operation involving over 100,000 unique IP addresses from no…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
