The malware campaign distributing the RondoDox botnet has expanded its reach, exploiting more than 50 vulnerabilities across more than 30 vendors.
Trend Micro said the campaign resembles an “exploit shotgun” approach, targeting a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices.
The cybersecurity company announced that it detected a RondoDox intrusion attempt on June 15, 2025. In doing so, the attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has been actively exploited repeatedly since it was first disclosed in late 2022.
RondoDox was first documented by Fortinet FortiGuard Labs in July 2025, detailing an attack that enlisted TBK digital video recorders (DVRs) and Four-Faith routers into a botnet and aimed to perform distributed denial of service (DDoS) attacks against specific targets using HTTP, UDP, and TCP protocols.
“More recently, RondoDox expanded its distribution by using a ‘loader-as-a-service’ infrastructure that co-packages RondoDox and Mirai/Morte payloads, making detection and remediation more urgent,” Trend Micro said.
RondoDox’s expanded exploit includes nearly 50 security flaws, 18 of which do not have a CVE identifier assigned. The 56 vulnerabilities span a variety of vendors including D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nextxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, and more. Zyxel, Hytec Inter, Belkin, Billion, Cisco.
“The latest RondoDox botnet campaign represents a major evolution in automated network exploitation,” the company added. “This is a clear sign that campaigns are evolving beyond single-device opportunism to multi-vector loader operations.”
Late last month, CloudSEK revealed details of a large-scale loader-as-a-service botnet that was armed with weak credentials, unsanitized input, and outdated CVEs to distribute RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise apps.
The development comes after security journalist Brian Krebs noted that the DDoS botnet known as AISURU “draws the majority of its attack power” from compromised IoT devices hosted on US internet providers such as AT&T, Comcast, and Verizon. One of the botnet operators, Forky, is said to be based in São Paulo, Brazil, and is also involved in a DDoS mitigation service called Botshield.
In recent months, AISURU has emerged as one of the largest and most destructive botnets, responsible for some of the record-breaking DDoS attacks ever seen. Built on Mirai’s foundation, the botnet controls an estimated 300,000 compromised hosts worldwide.
According to GreyNoise, the findings also follow the discovery of a coordinated botnet operation involving more than 100,000 unique IP addresses from more than 100 countries that targeted remote desktop protocol (RDP) services in the United States.
The activity is said to have started on October 8, 2025, with the majority of the traffic originating from countries such as Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador.
“Two specific attack vectors were used in this campaign: RD web access timing attacks and RDP web client login enumeration, with most of the participating IPs sharing one similar TCP fingerprint, indicating centralized control,” the threat intelligence firm said.
Source link
