Executive Summary
RondoDox is an actively evolving Linux-based botnet that emerged in mid-2025 and has since grown into one of the most aggressive IoT-targeting botnet campaigns seen since Mirai. It is built on the Mirai source code, which became public following a string of DDoS attacks in 2016. RondoDox distinguishes itself through a systematically expanding exploit arsenal, multi-architecture payload delivery across 18 hardware targets, and the deliberate elimination of competing malware on infected hosts.
Between May 2025 and February 2026, the campaign used around 170 distinct exploits and CVEs, and at its peak conducted 15,000 exploitation attempts in a single day. Over the course of its evolution, the campaign shifted from brute-forcing every available exploit against every device to using highly targeted exploits and CVEs selected for each device it targets.
As of December 2025, the botnet even began using React2Shell (CVE-2025-55182), a CVSS 10 critical remote code execution vulnerability in Next.js server components. Notably, the exploit was integrated into RondoDox attacks just 3 days after it was publicly disclosed. This shows a trend away from relying on N-day exploits and towards proactively using exploits that, in some cases, have not even been assigned a CVE.
Several variants of the dropper scripts used by RondoDox were made available by threat researchers and DFIR analysts on sites such as MalwareBazaar. These were analysed as well as emulated to recover more precise execution logic and to understand the evasion steps taken by these attacks.
1. Background and Discovery
RondoDox was first detected in honeypot activity in May 2025, with retrospective C2 log analysis confirming reconnaissance operations as early as March 2025. The campaign takes its name from artefacts embedded in the malware: all payloads are named rondo, and the email address rondo2012[@]atomicmail.io is embedded directly in the dropper scripts. This is either a notable operational security failure or a setup planned for future use; so far, the address has not been used.
Why does RondoDox target IoT devices? An estimated 16.6 billion internet-connected IoT devices were recorded in 2023, and this number is expected to rise above 40 billion before 2030. A large portion of these devices are outdated, end-of-support or even end-of-life. Combined with poor auditing policy, unchanged default credentials, a lack of timely updates and upgrades, and little to no oversight in some companies, IoT devices form the perfect internet-enabled nesting space for attackers: they can be harnessed for DDoS attacks, assembled into a botnet, or simply used as proxies when targeting other users. Together they make up the largest unsecured attack surface on the planet.
Botnets have long been used to convert victim machines into zombies for various nefarious purposes while making it difficult for security teams to trace the attacker behind them. Such a service is not undervalued by attack groups, so RondoDox taps into a market with immense potential, and may already be providing such services at a smaller scale.
2. Campaign Timeline
RondoDox evolved through three clearly defined operational phases, followed by a fourth phase marked by significant tactical refinement:

Phase 1: Reconnaissance (March - April 2025)
Manual vulnerability scanning targeting enterprise platforms including WebLogic, SQL injection probing, and OS command execution testing.

Phase 2: Automated Web Exploitation (April - June 2025)
Daily mass exploitation of web applications including WordPress, Drupal, and Apache Struts2. Concurrent IoT targeting began, focusing on routers and network devices through abused diagnostic command interfaces. Trend Micro recorded the first confirmed RondoDox intrusion on June 15, 2025, via CVE-2023-1389 in TP-Link Archer AX21 routers, a flaw originally demonstrated at Pwn2Own Toronto.

Phase 3: Large-Scale IoT Deployment (July - November 2025)
Dedicated RondoDox infrastructure came online. Attack volumes surged over 230% between July and August. Exploitation peaked at 49 distinct vulnerabilities in a single day on October 19, 2025, with daily attempt volumes reaching 15,000. Four distinct C2 IPs were observed across this period.

Phase 4: Targeted Precision Exploitation (December 2025 - Present)
The most significant tactical shift observed. The daily active vulnerability count dropped from ~40 to just 2 by January 2026. React2Shell (CVE-2025-55182) was added to the arsenal three days after its December 3, 2025 disclosure. The campaign now operates with hourly automated exploitation waves focused on high-conversion targets.
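The phases above are characterised by a few honeypot metrics: exploitation attempts per day, distinct vulnerabilities per day, distinct source addresses, and how quickly a newly disclosed CVE shows up in the arsenal. The following is an added example, not code from the original report, of how a defender can derive those metrics from honeypot logs and label a day as "broad" (many distinct CVEs) or "targeted" (a few CVEs reused). The log line format, the sample lines, the placeholder CVE ids of the form CVE-0000-000N and the broad/targeted threshold are all constructed assumptions for the demonstration; only CVE-2023-1389 and CVE-2025-55182 come from the report.

```python
"""Per-day exploitation metrics from honeypot logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
import re

# Assumed log format: ISO timestamp, source IP, CVE id, target label.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+src=(?P<src>\S+)\s+"
    r"cve=(?P<cve>CVE-\d{4}-\d+)\s+target=(?P<target>\S+)$"
)

# Constructed sample lines, not real captures. CVE-0000-000N ids are placeholders.
# Two "broad" days, one first sighting of React2Shell, and one narrow, repeated day.
SAMPLE_LOG = """\
2025-10-19T03:12:44Z src=203.0.113.10 cve=CVE-2023-1389 target=router
2025-10-19T03:12:45Z src=203.0.113.10 cve=CVE-0000-0001 target=dvr
2025-10-19T03:12:46Z src=203.0.113.11 cve=CVE-0000-0002 target=nas
2025-10-19T04:01:00Z src=203.0.113.12 cve=CVE-0000-0003 target=camera
2025-10-20T01:00:00Z src=203.0.113.10 cve=CVE-2023-1389 target=router
2025-10-20T01:00:01Z src=203.0.113.13 cve=CVE-0000-0004 target=router
2025-10-20T01:00:02Z src=203.0.113.13 cve=CVE-0000-0005 target=dvr
2025-12-06T09:30:00Z src=198.51.100.5 cve=CVE-2025-55182 target=nextjs
2026-01-10T00:00:00Z src=198.51.100.5 cve=CVE-2025-55182 target=nextjs
2026-01-10T01:00:00Z src=198.51.100.5 cve=CVE-2025-55182 target=nextjs
2026-01-10T02:00:00Z src=198.51.100.6 cve=CVE-2023-1389 target=router
2026-01-10T03:00:00Z src=198.51.100.6 cve=CVE-2025-55182 target=nextjs
this line is malformed and must be skipped, not crash the parser
"""


@dataclass
class DayStats:
    attempts: int = 0
    cves: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def parse_log(text):
    """Yield (day, src, cve) for well-formed lines; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["day"], m["src"], m["cve"]


def daily_stats(text):
    """Aggregate attempts, distinct CVEs and distinct sources per calendar day."""
    stats = defaultdict(DayStats)
    for day, src, cve in parse_log(text):
        s = stats[day]
        s.attempts += 1
        s.cves.add(cve)
        s.sources.add(src)
    return dict(stats)


def classify_day(s, broad_threshold=3):
    """'broad' when a day uses many distinct CVEs, 'targeted' when a few are reused.

    The threshold of 3 is an assumption sized for the sample; the report's
    real figures are ~40 distinct vulnerabilities per day versus 2.
    """
    return "broad" if len(s.cves) >= broad_threshold else "targeted"


def summarize(text):
    """Return {day: (attempts, distinct_cves, distinct_sources, label)} sorted by day."""
    return {
        day: (s.attempts, len(s.cves), len(s.sources), classify_day(s))
        for day, s in sorted(daily_stats(text).items())
    }


def first_seen(text):
    """First day each CVE appears, used to track arsenal growth over time."""
    seen = {}
    for day, _src, cve in sorted(parse_log(text)):
        seen.setdefault(cve, day)
    return seen


def adoption_lag_days(first_seen_day, disclosure_day):
    """Days between a CVE's public disclosure and its first sighting in the logs."""
    return (date.fromisoformat(first_seen_day) - date.fromisoformat(disclosure_day)).days


if __name__ == "__main__":
    for day, row in summarize(SAMPLE_LOG).items():
        print(day, *row)
    lag = adoption_lag_days(first_seen(SAMPLE_LOG)["CVE-2025-55182"], "2025-12-03")
    print("CVE-2025-55182 adoption lag (days):", lag)
```

Run against real honeypot output, the per-day tuple makes the phase boundaries visible as a drop in distinct CVEs while attempt volume stays high, and the adoption lag, here 3 days for the constructed React2Shell sighting, is the number worth alerting on when it shrinks towards zero.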