A newly active botnet dubbed RondoDox has launched a sweeping campaign exploiting 56 known vulnerabilities across at least 30 major tech vendors, infecting routers, DVRs, CCTV systems, and web servers.
According to Trend Micro’s Zero Day Initiative (ZDI), the attackers deployed an “exploit shotgun” approach—firing at everything in sight—to compromise internet-facing devices and load them with Mirai-based malware, enabling remote control and massive DDoS attacks.
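The "exploit shotgun" pattern described above is easy to spot on a web server because one source hammers many unrelated paths within seconds and almost all of them fail. The following detection sketch is an added example, not code from ZDI or the article: it parses Apache combined-format access logs, counts distinct paths per client inside a sliding window and reports the failure ratio. The log lines, paths, IPs, window and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log format. Paths are placeholders
# for the many vendor-specific URIs a shotgun scanner fires; not real exploit paths.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2025:10:00:01 +0000] "GET /placeholder-vendor-a/cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:00:02 +0000] "POST /placeholder-vendor-b/login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:00:03 +0000] "GET /placeholder-vendor-c/setup HTTP/1.1" 400 226 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:00:04 +0000] "POST /placeholder-vendor-d/api HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2025:10:00:05 +0000] "GET /placeholder-vendor-e/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Sep/2025:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Sep/2025:10:00:08 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield (ip, timestamp, path, status) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path").split("?")[0], int(m.group("status"))

def detect_shotgun(text, window_seconds=60, min_distinct_paths=5):
    """Return {ip: (max distinct paths in any window, error ratio)} for flagged IPs."""
    # A shotgun scanner stands out because it probes many unrelated paths in
    # quick succession and most of them fail on a host that lacks those products.
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse_log(text):
        by_ip[ip].append((ts, path, status))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        for i, (start, _, _) in enumerate(events):
            paths = {p for t, p, _ in events[i:] if t - start <= window}
            best = max(best, len(paths))
        if best >= min_distinct_paths:
            errors = sum(1 for _, _, s in events if s >= 400)
            flagged[ip] = (best, round(errors / len(events), 2))
    return flagged
```

Tune the window and threshold against your own baseline; legitimate crawlers also touch many paths, but they rarely produce a failure ratio near 1.0.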
Targets Include Leading Tech Vendors
The campaign has reportedly affected products from Cisco, D-Link, Netgear, Linksys, Apache, AVTECH, and Brickcom.
Among the exploited vulnerabilities are CVE-2024-3721, a command injection flaw in TBK DVR devices, and CVE-2024-12856, a critical bug in Four-Faith industrial routers.
These vulnerabilities allow attackers to execute arbitrary commands remotely, enabling complete takeover of targeted systems.
A Multi-Architecture Malware Strategy
ZDI’s senior researcher Peter Girnus revealed that RondoDox used multi-architecture payloads designed to infect a wide range of Linux-based systems.
The attacks began on September 22, peaked on September 23, and continued through September 24 before going silent—indicating what experts describe as a “smash-and-grab” operation.
While the total number of infected devices remains unknown, researchers believe “any consumer product with internet access was likely targeted.”
Rise of Loader-as-a-Service Distribution
Adding to concerns, the campaign is reportedly supported by a loader-as-a-service (LaaS) model that distributes RondoDox, Mirai, and Morte (a Mirai variant) payloads together.
This infrastructure allows cybercriminals to purchase and deploy malware loaders at scale, amplifying their reach and speed.
Cybersecurity firm CloudSEK confirmed a 230% surge in such botnet activity between July and August 2025, warning that this marks a new frontier in automated malware deployment.
Global Security Implications
The RondoDox campaign highlights growing risks from IoT and network device vulnerabilities that remain unpatched.
Experts warn that organizations failing to update their firmware or secure remote access could become easy prey for botnets capable of crippling global infrastructure.
ZDI stated that it continues to track RondoDox’s activity and related exploits, emphasizing the need for immediate vendor patching and network isolation measures.