RondoDox Botnet Takes ‘Exploit Shotgun’ Approach


A newly identified botnet takes a ‘shotgun’ approach to compromising devices, packing over 50 exploits targeting routers, servers, cameras, and other network products, Trend Micro reports.

Dubbed RondoDox, the botnet began activities in mid-2025 and was associated with the exploitation of CVE-2023-1389, a command injection flaw in the WAN interface of TP-Link Archer AX21 routers that was disclosed at the Pwn2Own Toronto hacking contest in 2022.

In June, RondoDox was seen targeting CVE-2024-3721 and CVE-2024-12856, two high-severity weaknesses in TBK DVRs and Four-Faith routers, and it then significantly expanded its target list.

According to Trend Micro, the botnet is now targeting routers, DVRs, NVRs, CCTV systems, web servers, and other networking equipment from more than 30 vendors.

RondoDox targets a total of 56 vulnerabilities, including 18 that do not have a CVE identifier assigned. Most of these are command injection bugs, and a subset of them has been added to the US cybersecurity agency CISA’s Known Exploited Vulnerabilities (KEV) catalog, which underlines the immediate need for patching.

In late September, CloudSek warned of a 230% surge in the botnet’s attacks since mid-2025, fueled by the exploitation of weak credentials, unsanitized input, and old CVEs.

The infected devices, the cybersecurity firm pointed out, are abused for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and for hacking into enterprise networks.

RondoDox’s operators were seen rapidly rotating infrastructure to evade detection, and RondoDox binaries were seen being distributed alongside Mirai and Morte payloads.


“More recently, RondoDox broadened its distribution by using a ‘loader-as-a-service’ infrastructure that co-packages RondoDox with Mirai/Morte payloads — making detection and remediation more urgent,” Trend Micro says.

RondoDox ships builds for ARM, MIPS, and various other Linux architectures. It can launch DDoS attacks using HTTP, UDP, and TCP packets, and it disguises its malicious traffic as that of known gaming platforms or VPN services to evade detection.

“The campaign’s shotgun approach of targeting more than 50 vulnerabilities across over 30 vendors underscores the persistent risks facing organizations that maintain internet-exposed network infrastructure without adequate security controls,” Trend Micro notes.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.