RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
RondoDox has expanded into a large-scale botnet campaign that targets 174 vulnerabilities across a wide range of internet-exposed devices, with researchers observing up to 15,000 daily exploitation attempts. Reporting based on Bitsight telemetry says the botnet, active since 2025 and built on a Mirai code base, is more focused than typical Mirai-derived operations: it is geared toward denial-of-service activity and supports 18 architectures, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped 148 exploits to CVEs, identified 15 public PoCs without CVEs, and found 11 exploits with no public PoC, indicating active exploit collection and rapid weaponization of newly disclosed flaws.
The campaign has evolved from earlier exploitation of TP-Link Archer AX21 flaw CVE-2023-1389 and later abuse of CVE-2024-3721, CVE-2024-12856, and the React2Shell issue CVE-2025-55182 affecting Next.js servers. Researchers also reported that the operators use residential IP infrastructure and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit CVE-2025-62593 before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Related Stories
RondoDox Botnet Campaign Exploiting Dozens of N-Day Vulnerabilities in Internet-Exposed Devices
The RondoDox botnet has emerged as a significant threat, actively targeting a wide array of internet-exposed infrastructure by exploiting over 50 known vulnerabilities, many of which were first disclosed during Pwn2Own hacking competitions. Security researchers from Trend Micro and FortiGuard Labs have observed the botnet leveraging an 'exploit shotgun' approach, simultaneously deploying numerous exploits to maximize infection rates across diverse device types. The campaign has been active globally since at least June 2025, with attacks focusing on routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices from more than 30 vendors. Notably, the botnet exploits both recent and older vulnerabilities, including CVE-2023-1389 in the TP-Link Archer AX21 Wi-Fi router, which was originally demonstrated at Pwn2Own Toronto 2022 and previously targeted by Mirai. The list of exploited vulnerabilities includes CVE-2024-3721, CVE-2024-12856, and many others affecting brands such as Digiever, QNAP, LB-LINK, TRENDnet, D-Link, TBK, Four-Faith, Netgear, AVTECH, TOTOLINK, Tenda, Meteobridge, Edimax, and Linksys. Many of these vulnerabilities are now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to patch affected systems. Devices that have reached end-of-life are particularly at risk, as they are less likely to receive security updates, making them attractive targets for the botnet operators. The campaign exposes organizations to risks including data exfiltration, persistent network compromise, and operational disruption, especially for those with internet-facing infrastructure. Security experts recommend prioritizing the patching of all listed vulnerabilities, conducting regular vulnerability assessments, segmenting networks to limit lateral movement, and continuously monitoring for anomalous device activity. 
Trend Micro has indicated that its solutions provide protection against the vulnerabilities exploited by RondoDox, offering mitigation while patching is underway. The rapid weaponization of vulnerabilities demonstrated at Pwn2Own highlights the need for organizations to monitor disclosures from such competitions and act swiftly to secure their environments. The RondoDox botnet’s ability to quickly expand its arsenal of exploits demonstrates a high level of adaptability and threat actor sophistication. The campaign’s global reach and the diversity of targeted devices suggest that organizations across multiple sectors are at risk. The use of mass n-day exploitation, rather than relying solely on zero-day vulnerabilities, allows the botnet to compromise a large number of devices that may not be promptly patched. Security researchers emphasize the importance of defense-in-depth strategies to mitigate the impact of such widespread exploitation campaigns. The ongoing activity of RondoDox serves as a stark reminder of the persistent threat posed by botnets leveraging known vulnerabilities in widely deployed network devices.
5 months ago
ShadowV2 Mirai-Based Botnet Exploits IoT Vulnerabilities During AWS Outage
A new Mirai-based botnet variant named **ShadowV2** was observed exploiting a major AWS outage in October to infect IoT devices across 28 countries. Security researchers at Fortinet’s FortiGuard Labs reported that ShadowV2 leveraged at least eight known vulnerabilities in devices from vendors such as D-Link, TP-Link, DD-WRT, DigiEver, and TBK. The botnet propagated rapidly during the day-long AWS disruption, targeting routers, NAS devices, and DVRs in sectors including government, technology, manufacturing, telecommunications, education, and managed security service providers. The attackers used a downloader script (`binary.sh`) to deliver the malware, which then connected to command-and-control infrastructure to receive further instructions. The campaign appeared to be a test run, as the botnet was only active during the AWS outage and did not persist beyond that period. Notably, some of the exploited vulnerabilities, such as `CVE-2024-10914` and `CVE-2024-10915`, affect end-of-life D-Link devices for which no patches are available, leaving many systems permanently exposed. D-Link updated its advisories to warn users about the risks to unsupported devices, while TP-Link addressed one of the flaws with a beta firmware update. The ShadowV2 botnet’s global reach and ability to exploit multiple unpatched IoT vulnerabilities highlight the ongoing risks posed by insecure and unsupported connected devices, especially during periods of widespread internet infrastructure disruption.
3 months ago
Broadside Mirai Botnet Targets TBK DVRs in Maritime Logistics
A new Mirai botnet variant known as **Broadside** has been identified targeting vulnerable *TBK Vision* digital video recorders (DVRs) used extensively in the maritime logistics sector. Researchers from Cydome discovered that Broadside exploits the command injection vulnerability `CVE-2024-3721` in TBK DVR-4104 and DVR-4216 devices, allowing attackers to hijack these systems. The botnet employs advanced techniques such as a custom C2 protocol, a unique Magic Header, and a process-killer module to maintain persistence and evade detection. In addition to supporting UDP-based DDoS attacks, Broadside is capable of stealing sensitive files like `/etc/passwd` and `/etc/shadow`, enabling privilege escalation and lateral movement within compromised networks. The maritime sector is particularly vulnerable due to widespread use of legacy, unpatched systems and a general lack of onboard cybersecurity personnel or monitoring. The Broadside campaign has been active for months, with fluctuating activity observed by researchers. Attackers leverage a mass loader to execute multi-architecture payloads in memory and wipe traces, making detection and remediation challenging. The ongoing exploitation of `CVE-2024-3721` by Broadside and other botnets highlights the urgent need for improved security practices and patch management in maritime environments to prevent further compromise and disruption.
3 months ago