174 Vulnerabilities Targeted by RondoDox Botnet
The RondoDox botnet has significantly expanded its exploitation capabilities to target 174 vulnerabilities, up from 56 in October, and shifted from indiscriminate 'shotgun' attacks to a more targeted approach. The botnet peaks at 15,000 exploitation attempts per day, with operators closely monitoring vulnerability disclosures and exploiting bugs before CVEs are assigned. RondoDox primarily targets weak credentials and unsanitized inputs, focusing on launching DDoS attacks rather than propagating like traditional botnets such as Mirai.
Summary
The RondoDox botnet has significantly expanded its exploitation capabilities to target 174 vulnerabilities, up from 56 in October, and shifted from indiscriminate 'shotgun' attacks to a more targeted approach. The botnet peaks at 15,000 exploitation attempts per day, with operators closely monitoring vulnerability disclosures and exploiting bugs before CVEs are assigned. RondoDox primarily targets weak credentials and unsanitized inputs, focusing on launching DDoS attacks rather than propagating like traditional botnets such as Mirai.
Full text
The RondoDox botnet’s developers have significantly increased their exploit list and are taking a more targeted approach to exploitation, Bitsight reports. Initially detailed in the second half of last year, RondoDox has been active since at least March 2025, when security researchers observed the first exploitation attempts associated with it. Since April 2025, the botnet’s operators engaged in systematic vulnerability scanning, mostly taking a ‘shotgun’ approach to compromising devices. By October, it was targeting 56 vulnerabilities, including flaws without a CVE assigned, and in December, it was seen targeting React2Shell. Now, Bitsight says the botnet’s exploit list has been expanded to 174 different vulnerabilities, as its developers are closely following vulnerability disclosures, targeting bugs before CVEs are assigned. Furthermore, RondoDox has shifted its exploitation strategy to a more targeted approach. Instead of throwing multiple exploits at the same device, in the shotgun method observed before, they are now focusing on specific flaws that are more likely to lead to infections.Advertisement. Scroll to continue reading. RondoDox, which shares numerous commonalities with Mirai, is also known for targeting weak credentials and unsanitized input for initial access. What sets it apart from Mirai is its focus on launching distributed denial-of-service (DDoS) attacks instead of scanning and infecting additional devices. To expand the botnet, RondoDox’s operators scan the internet for vulnerable devices using their own infrastructure, and then proceed to deploy implants that evade detection, remove other malware, find a suitable directory to drop the main binary into, and execute it. Bitsight’s investigation into the botnet revealed the use of over two dozen IP addresses for device exploitation, payload distribution, and bot management, including residential IPs that likely belong to compromised systems. RondoDox’s operators are constantly adding and removing vulnerabilities from their exploit list and have been observed using as many as 49 bugs in a single day. Most of the bugs, however, are dropped immediately. “When examining how often each vulnerability was used, a clear long-tail trend emerges. While the average vulnerability was used for 18 days, nearly half of the 174 vulnerabilities identified (84, or 48%) were exploited for just a single day. This suggests that they try vulnerabilities and act based on the success rate of each,” Bitsight notes. According to the cybersecurity firm, the botnet’s operators appear to be closely looking at publications related to vulnerabilities, as in at least one case, they exploited the security defect two days before the public disclosure. Although they stay up to date with new flaws, the botnet’s operators fail to properly implement the available exploits for them, Bitsight says. The cybersecurity firm also notes that the botnet does not appear to use a loader-as-a-service for distribution and that previous reports of P2P functionality in RondoDox do not appear to be accurate. Related: Authorities Disrupt SocksEscort Proxy Service Powered by AVrecon Botnet Related: Aeternum Botnet Loader Employs Polygon Blockchain C&C to Boost Resilience Related: New ‘SSHStalker’ Linux Botnet Uses Old Techniques Related: GoBruteforcer Botnet Targeting Crypto, Blockchain Projects Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire ForceMemo: Python Repositories Compromised in GlassWorm AftermathCritical HPE AOS-CX Vulnerability Allows Admin Password ResetsBold Security Emerges From Stealth With $40 Million in FundingGoogle Paid Out $17 Million in Bug Bounty Rewards in 2025Onyx Security Launches With $40 Million in FundingChrome 146 Update Patches Two Exploited Zero-DaysAlly WordPress Plugin Flaw Exposes Over 200,000 Websites to AttacksSplunk, Zoom Patch Severe Vulnerabilities Latest News Google, Meta, Microsoft Among Signatories of Pact to Combat ScamsTracebit Raises $20M for Cloud-Native Deception TechnologyCISA Flags Year-Old Wing FTP Vulnerability as ExploitedAI, APIs and DDoS Collide in New Era of Coordinated CyberattacksOracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential ImpactSecurity Firm Executive Targeted in Sophisticated Phishing AttackChina-Linked Hackers Hit Asian Militaries in Patient Espionage OperationThreat Actor Targeting VPN Users in New Credential Theft Campaign Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security and Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the MovePalo Alto Networks has named Danielle Gonzalez as its new Chief People Officer.SonicWall has appointed Patrick O’Donnell as its new Chief Revenue Officer.The US Senate has confirmed Army Lt. Gen. Joshua Rudd to lead NSA and CYBERCOM.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- malware — RondoDox
- malware — React2Shell