Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors.
The activity, described[1] as akin to an “exploit shotgun” approach, has singled out a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices, according to Trend Micro.
The cybersecurity company said it detected a RondoDox intrusion attempt on June 15, 2025, when the attackers exploited CVE-2023-1389[2], a security flaw in TP-Link Archer routers that has come under active exploitation[3] repeatedly since it was first disclosed in late 2022.
RondoDox was first documented[4] by Fortinet FortiGuard Labs back in July 2025, detailing attacks aimed at TBK digital video recorders (DVRs) and Four-Faith routers to enlist them in a botnet for carrying out distributed denial-of-service (DDoS) attacks against specific targets using HTTP, UDP, and TCP protocols.
“More recently, RondoDox broadened its distribution by using a ‘loader-as-a-service’ infrastructure that co-packages RondoDox with Mirai/Morte payloads – making detection and remediation more urgent,” Trend Micro said.
RondoDox’s expanded arsenal of exploits includes nearly five dozen security flaws, out of which 18 don’t have a CVE identifier assigned. The 56 vulnerabilities span various vendors such as D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.
“The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation,” the company added. “It’s a clear signal that the campaign is evolving beyond single-device opportunism into a multivector loader operation.”
Late last month, CloudSEK revealed[5] details of a large-scale loader-as-a-Service botnet distributing RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise apps by weaponizing weak credentials, unsanitized inputs, and old CVEs.
The development comes as security journalist Brian Krebs noted[6] that the DDoS botnet known as AISURU[7] is “drawing a majority of its firepower” from compromised IoT devices hosted on U.S. internet providers like AT&T, Comcast, and Verizon. One of the botnet’s operators, Forky, is alleged to be based in Sao Paulo, Brazil,[8] and is also linked to a DDoS mitigation service called Botshield.
In recent months, AISURU has emerged as one of the largest and most disruptive botnets, responsible for some of the record-setting DDoS attacks seen to date. Built on the foundations of Mirai, the botnet controls an estimated 300,000 compromised hosts worldwide.
The findings also follow the discovery of a coordinated botnet operation involving over 100,000 unique IP addresses from no less than 100 countries targeting Remote Desktop Protocol (RDP) services in the U.S., per GreyNoise.
The activity is said to have commenced on October 8, 2025, with the majority of the traffic originating from Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and others.
“The campaign employs two specific attack vectors – RD Web Access timing attacks[9] and RDP web client login enumeration[10] – with most participating IPs sharing one similar TCP fingerprint, indicating centralized control,” the threat intelligence firm said[11].
References
- ^ described (www.trendmicro.com)
- ^ CVE-2023-1389 (thehackernews.com)
- ^ come under active exploitation (thehackernews.com)
- ^ first documented (thehackernews.com)
- ^ revealed (thehackernews.com)
- ^ noted (krebsonsecurity.com)
- ^ AISURU (thehackernews.com)
- ^ based in Sao Paulo, Brazil, (krebsonsecurity.com)
- ^ RD Web Access timing attacks (viz.greynoise.io)
- ^ RDP web client login enumeration (viz.greynoise.io)
- ^ said (www.greynoise.io)