RondoDox

RondoDox is a Linux-based botnet and threat actor first identified in mid-2025, commonly described as a Mirai variant. It primarily targets IoT devices, consumer edge devices, routers, NAS devices, cameras, DVRs, gateways, web servers, and other Linux-based systems, with activity focused on mass exploitation of exposed and often end-of-life technology. Reporting describes it as using an "exploit shotgun" approach, leveraging numerous known vulnerabilities across embedded devices and web applications, including exploitation tied to CVE-2025-55182 (React2Shell), CVE-2025-24893 (XWiki), CVE-2025-37164 (HPE OneView), CVE-2018-5999 (ASUS routers), CVE-2023-1389, CVE-2024-10914, CVE-2024-3721, CVE-2025-34043, CVE-2025-4008, and ShellShock (CVE-2014-6271). It has also been associated with exploitation of dozens of additional CVEs affecting routers, DVRs, NVRs, CCTV systems, and web applications such as WordPress, Drupal, Struts2, WebLogic, ThinkPHP, PHPUnit, and PHP-CGI. Observed tradecraft includes broad scanning, multi-stage attack chains, chaining vulnerabilities, rapid weaponization of newly disclosed flaws, and use of compromised residential IP addresses as distribution or hosting infrastructure. Delivery commonly uses first-stage shell scripts named in the pattern rondo.XXX.sh, which download architecture-specific second-stage binaries named rondo for multiple CPU architectures. The first-stage scripts have been reported to disable SELinux and AppArmor, remount filesystems read-write, clear caches and shell history, create marker files such as .t in writable directories, remove prior infections and competing malware, and execute downloaded payloads using fallback methods such as wget, curl, busybox, tftp, and ftp. Reporting also notes persistence via cron jobs, aggressive process killing of non-whitelisted processes, and frequent removal of rival malware to monopolize infected hosts. RondoDox activity has been linked to distributed denial-of-service attacks, cryptocurrency mining, credential theft, and botnet enrollment. Some reporting states its sole purpose is DDoS, while other reporting explicitly attributes DDoS, credential theft, and cryptomining to the botnet; all of these uses are directly mentioned in the source content. Additional payloads observed in campaigns attributed to RondoDox include cryptominers, a botnet loader and health-check component, and Mirai-based botnet variants. Trend Micro reporting in the provided content states RondoDox also acts as a loader for the Mirai and Morte IoT malware families. Campaigns attributed to RondoDox include persistent exploitation of Next.js/React Server Components via React2Shell beginning in December 2025, exploitation of ASUS router flaw CVE-2018-5999 observed from May 17, 2026, exploitation of HPE OneView CVE-2025-37164 in large-scale automated attacks on January 7, 2026, and exploitation of XWiki CVE-2025-24893. Sector targeting mentioned in the content includes government, financial services, and industrial manufacturing in the HPE OneView campaign. Geographic observations in the content include significant activity affecting the United States, Germany, France, India, Australia, and Austria. Known aliases and naming variants directly mentioned in the content include RondoDox and RondoDoX. Indicators and signature strings mentioned in reporting include the recurring email bang2012@tutanota.de in shell scripts, comment/signature markers such as rondo2012@atomicmail.io, and a User-Agent string Mozilla/5.0 (rondo2012@atomicmall.to).