RondoDox Botnet: A Multivector Loader Operation Exploiting Over 50 Vulnerabilities Across 30+ Vendors
  • The RondoDox botnet has expanded its distribution using a "loader-as-a-service" infrastructure.
  • The botnet is exploiting nearly five dozen security flaws across 30 vendors, including many without CVE identifiers.
  • The campaign targets various internet-exposed devices, including routers, DVRs, and web servers.
  • Security experts warn of the dangers of loader-as-a-service botnets due to their ability to exploit multiple vulnerabilities.
  • The RondoDox botnet represents a significant evolution in automated network exploitation, highlighting the need for comprehensive cybersecurity strategies.



The cybersecurity landscape has recently witnessed a significant escalation in the threat profile of RondoDox, a botnet that has been making headlines for its extensive exploitation of vulnerabilities across multiple vendors. According to recent reports from Trend Micro, RondoDox has expanded its distribution by using a "loader-as-a-service" infrastructure that co-packages RondoDox with Mirai/Morte payloads. This development marks a substantial evolution in automated network exploitation: a shift beyond single-device opportunism into a multivector loader operation.

The campaign, which began on June 15, 2025, has targeted a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices. The attackers have employed nearly five dozen security flaws, 18 of which have no CVE identifier assigned. The 56 vulnerabilities span more than 30 vendors, including D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.

Trend Micro's detection of the RondoDox intrusion attempt on June 15, 2025, highlighted a security flaw in TP-Link Archer routers that has come under active exploitation repeatedly since it was first disclosed in late 2022. The discovery of this campaign comes as security journalist Brian Krebs noted that the DDoS botnet known as AISURU is "drawing a majority of its firepower" from compromised IoT devices hosted on U.S. internet providers such as AT&T, Comcast, and Verizon.

CloudSEK revealed details of a large-scale loader-as-a-service botnet distributing RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise applications by weaponizing weak credentials, unsanitized inputs, and old CVEs. Security experts have been warning about the dangers of loader-as-a-service botnets, which can exploit multiple vulnerabilities across many vendors to carry out complex attacks.

The fact that the attackers are employing nearly five dozen security flaws, 18 of which lack a CVE identifier, highlights the breadth of vulnerabilities being exploited. It also carries a practical consequence for defenders: vulnerability management that relies solely on CVE feeds will not account for those 18 flaws, so vendor advisories and firmware updates for the affected device families need to be tracked directly. The campaign is a stark reminder of the importance of applying security patches promptly and of maintaining robust cybersecurity measures against multivector attacks.

The attackers' use of a "loader-as-a-service" infrastructure to co-package RondoDox with Mirai/Morte payloads also signals a sophisticated threat actor and underscores the need for organizations to adopt comprehensive cybersecurity strategies that account for this type of threat.

In recent months, AISURU has emerged as one of the largest and most disruptive botnets, responsible for some of the record-setting DDoS attacks seen to date. Built on the foundations of Mirai, the botnet controls an estimated 300,000 compromised hosts worldwide. The findings also follow the discovery of a coordinated botnet operation involving over 100,000 unique IP addresses from no fewer than 100 countries targeting Remote Desktop Protocol (RDP) services in the U.S., per GreyNoise.

In conclusion, the RondoDox botnet represents a significant evolution in automated network exploitation. Its extensive exploitation of vulnerabilities across multiple vendors shows why organizations need comprehensive cybersecurity strategies that account for multivector threats, prompt patching, and defenses that do not depend on a single vendor or device class.


Related Information:
  • https://www.ethicalhackingnews.com/articles/RondoDox-Botnet-A-Multivector-Loader-Operation-Exploiting-Over-50-Vulnerabilities-Across-30-Vendors-ehn.shtml
  • https://thehackernews.com/2025/10/researchers-warn-rondodox-botnet-is.html

Published: Thu Oct 16 18:13:29 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.