Rondo
Rondo, also tracked as the RondoDox botnet, is a threat actor/botnet observed conducting multi-phase exploitation activity. Reporting describes it as more sophisticated than typical commodity botnet noise: it uses fileless exploitation, rotates its command-and-control or staging infrastructure, and appears to operate through compromised residential routers. Activity was observed as early as May 2 and unfolded in three phases.

Phase 1: RondoDox used source IP 124.198.131.185 and staging server 45.92.1.50 while targeting enterprise and AI-related services. It attempted exploitation of Log4Shell (CVE-2021-44228), placing obfuscated payloads in the User-Agent and in multiple other HTTP headers at once (a header-spray technique so that at least one header reaches a vulnerable logging path). It also targeted the /api/jobs/ endpoint in attacks associated with ShadowRay (CVE-2023-48022).

Phase 2: between May 16 and May 17 it retained the same source IP but shifted staging infrastructure to 204.10.194.134. During this phase it targeted consumer-router vulnerabilities, including LB-LINK command injection at /goform/set_LimitClient_cfg (CVE-2023-26801) and ASUS AsusWRT NVRAM manipulation via /vpnupload.cgi (CVE-2018-6000).

Phase 3: the source IP changed from 124.198.131.185 to 124.198.131.22, which the reporting source assessed as a DHCP lease change within the same residential IP pool in Auckland, New Zealand.

Separately, VulnCheck observed CVE-2023-7305, a SmartBI RMIServlet unrestricted file upload vulnerability that can lead to remote code execution, being targeted by the Rondo botnet. Known alias: RondoDox.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Where they're from
Attributed origin per open-source reporting.
- NZ
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Sophisticated botnet campaign conducting broad-spectrum exploitation against enterprise web applications, AI frameworks, and consumer routers, using fileless payloads, rotating C2 infrastructure, and compromised residential routers for scanning.
Observed targeting CVE-2023-7305 (SmartBI RMIServlet unrestricted file upload leading to remote code execution).