Ethical Hacking News
RondoDox botnet expands arsenal targeting 174 flaws, and hits 15,000 daily exploit attempts in a more focused and strategic campaign.
The RondoDox botnet has increased its attacks, targeting 174 vulnerabilities with 15,000 daily exploit attempts.
The botnet's tactics have shifted from a broad approach to focusing on fewer, more effective exploits.
RondoDox was first spotted in June 2025 exploiting CVE-2023-1389 in TP-Link routers.
The botnet grew in October, with 56 known flaws exploited across over 30 device types.
Researchers warn that the critical React2Shell flaw (CVE-2025-55182) has been used by the botnet since December.
Analysis shows nearly half of the 174 flaws were used only once, indicating rapid testing and selection.
RondoDox, a notorious botnet known for its cunning and adaptability, has recently made headlines once again. According to recent findings published by the security firm Bitsight, RondoDox has ramped up its attacks, targeting 174 vulnerabilities with an astonishing 15,000 daily exploit attempts in a more focused and strategic campaign.
This latest development marks a significant shift in RondoDox's tactics, as is evident from the timeline of events that has unfolded since the botnet's inception. Trend Micro first spotted RondoDox activity on June 15, 2025, exploiting CVE-2023-1389 in TP-Link Archer AX21 routers, a flaw first shown at Pwn2Own 2023 and still popular with botnets.
In July, FortiGuard Labs first spotted the RondoDox botnet that was exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, it uses custom libraries and mimics gaming or VPN traffic to evade detection. The botnet's growth was evident in October when Trend Micro reported that RondoDox was exploiting 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, active globally since June.
In December, CloudSEK researchers warned that the RondoDox botnet is exploiting the critical React2Shell flaw (CVE-2025-55182) to drop malware and cryptominers on vulnerable Next.js servers. The operators of the botnet have been known for their ability to quickly adopt newly disclosed vulnerabilities, often within weeks, and in one case even before official publication, thanks to early PoC availability.
The analysis conducted by Bitsight reveals that nearly half of the 174 flaws were used only once, indicating rapid testing and selection. The researchers noted that the activity came in waves: broad testing phases followed by periods where selected vulnerabilities were used for longer, with a shift in late 2025 toward keeping effective exploits active. One of the most significant changes was observed in early January 2026, when the number of observed vulnerabilities dropped from around 40 to only two.
The two remaining vulnerabilities are CVE-2023-46604 and CVE-2025-55182, aka React2Shell. While CVE-2023-46604 may not be particularly interesting on its own, the latter is a critical vulnerability that was disclosed on December 3, 2025, and added by the threat actors on December 6, 2025. This swift adoption of newly disclosed vulnerabilities underscores the botnet's ability to stay ahead of security researchers and exploit their work.
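The pattern Bitsight describes (many CVEs tried once and dropped, a shrinking set kept active, and a short gap between disclosure and first use) is something a defender can measure from their own honeypot or WAF logs. The script below is an added example written for this article, not Bitsight's tooling: it parses constructed log lines of the form "timestamp source-ip CVE-id" (the IPs and timestamps are made up; only the CVE identifiers and the React2Shell disclosure date of December 3, 2025 come from the article) and reports hits per CVE, the share of single-use CVEs, distinct CVEs per ISO week, adoption lag in days, and which CVEs are still active after a cutoff date.

```python
"""Summarise exploit-attempt activity per CVE from honeypot-style log lines.

Added example: the log lines, IP addresses and timestamps are constructed;
only the CVE identifiers and the React2Shell disclosure date come from the article.
"""
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed sample log, one "<UTC timestamp> <source ip> <CVE id>" per line.
SAMPLE_LOG = """\
2025-12-01T02:10:00Z 198.51.100.4 CVE-2023-1389
2025-12-01T02:11:30Z 198.51.100.4 CVE-2024-3721
2025-12-01T02:12:05Z 198.51.100.9 CVE-2024-12856
2025-12-02T09:40:00Z 203.0.113.7 CVE-2023-46604
2025-12-06T11:02:13Z 203.0.113.7 CVE-2025-55182
2025-12-06T11:02:14Z 203.0.113.7 CVE-2025-55182
2025-12-15T18:30:00Z 198.51.100.4 CVE-2023-46604
2026-01-05T00:05:00Z 203.0.113.8 CVE-2025-55182
2026-01-05T00:05:01Z 203.0.113.8 CVE-2023-46604
2026-01-07T14:00:00Z 198.51.100.4 CVE-2025-55182
this line is malformed and must be skipped
"""

# Public disclosure dates used to measure adoption lag. The article gives
# only the React2Shell date (disclosed 2025-12-03, first used 2025-12-06).
DISCLOSURE = {"CVE-2025-55182": date(2025, 12, 3)}


def parse_log(text):
    """Return (timestamp, source_ip, cve) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("CVE-"):
            continue  # tolerate junk rather than abort the whole report
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2]))
    return events


def hits_per_cve(events):
    """Total attempts per CVE."""
    return Counter(cve for _, _, cve in events)


def single_use_share(events):
    """(CVEs seen exactly once, distinct CVEs): the 'tested once, dropped' signal."""
    counts = hits_per_cve(events)
    once = sum(1 for n in counts.values() if n == 1)
    return once, len(counts)


def distinct_cves_per_week(events):
    """Number of distinct CVEs seen per ISO week, e.g. {'2025-W49': 5}."""
    seen = defaultdict(set)
    for ts, _, cve in events:
        iso = ts.isocalendar()
        seen[f"{iso[0]}-W{iso[1]:02d}"].add(cve)
    return {week: len(cves) for week, cves in sorted(seen.items())}


def adoption_lag_days(events, disclosure):
    """Days from public disclosure to first observed attempt, per known CVE."""
    first_seen = {}
    for ts, _, cve in sorted(events):
        first_seen.setdefault(cve, ts.date())
    return {cve: (first_seen[cve] - disclosed).days
            for cve, disclosed in disclosure.items() if cve in first_seen}


def active_cves(events, since_iso):
    """CVEs still being exploited on or after the given ISO date (YYYY-MM-DD)."""
    since = date.fromisoformat(since_iso)
    return {cve for ts, _, cve in events if ts.date() >= since}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    once, total = single_use_share(ev)
    print(f"{total} distinct CVEs, {once} used only once")
    print("distinct CVEs per week:", distinct_cves_per_week(ev))
    print("adoption lag (days):", adoption_lag_days(ev, DISCLOSURE))
    print("still active in 2026:", sorted(active_cves(ev, "2026-01-01")))
```

On the constructed sample the distinct-CVE count falls from five in the first week to two in January, and React2Shell shows a three-day adoption lag, which mirrors the shape of the campaign the article describes. In practice the same functions can be pointed at real WAF or honeypot exports once the CVE tag is extracted from the rule name; the weekly distinct-CVE series is the quickest way to spot a narrowing like the one observed in early January 2026.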
The rise of RondoDox serves as a stark reminder of the ever-evolving nature of cyber threats. As new vulnerabilities are discovered and exploited, attackers continually adapt and refine their tactics to evade detection. The botnet's strategic shift towards focusing on fewer, more effective exploits suggests that it may be shifting towards a more targeted approach, making it essential for security researchers and organizations to stay vigilant and proactive in addressing emerging threats.
In conclusion, RondoDox's recent campaign highlights the importance of continuous monitoring and analysis of exploit activity. As attackers continue to adapt and refine their tactics, it is crucial for security professionals to remain aware of emerging vulnerabilities and exploits, and to develop strategies to mitigate the impact of these attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/RondoDox-Botnets-Strategic-Shift-A-Detailed-Analysis-of-Its-Exploit-Campaign-ehn.shtml
https://securityaffairs.com/189569/malware/rondodox-botnet-expands-arsenal-targeting-174-flaws-and-hits-15000-daily-exploit-attempts.html
https://thehackernews.com/2025/10/researchers-warn-rondodox-botnet-is.html
https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis
https://nvd.nist.gov/vuln/detail/CVE-2023-1389
https://www.cvedetails.com/cve/CVE-2023-1389/
https://nvd.nist.gov/vuln/detail/CVE-2024-3721
https://www.cvedetails.com/cve/CVE-2024-3721/
https://nvd.nist.gov/vuln/detail/CVE-2024-12856
https://www.cvedetails.com/cve/CVE-2024-12856/
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.cvedetails.com/cve/CVE-2025-55182/
https://nvd.nist.gov/vuln/detail/CVE-2023-46604
https://www.cvedetails.com/cve/CVE-2023-46604/
https://cybersecuritynews.com/rondodox-botnet-updated-their-arsenal/
Published: Tue Mar 17 11:13:05 2026 by llama3.2 3B Q4_K_M