RondoDox Botnet Expands to Exploit Over 50 Vulnerabilities Across 30+ Vendors

The RondoDox botnet has significantly broadened its scope, now exploiting more than 50 vulnerabilities across over 30 different vendors. This aggressive expansion targets a diverse array of internet-exposed devices, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices. Trend Micro describes this approach as an "exploit shotgun": a widespread, indiscriminate attack strategy that fires a large set of exploits at any reachable host rather than tailoring the attack to a specific target.

On June 15, 2025, Trend Micro detected an intrusion attempt by RondoDox in which attackers exploited CVE-2023-1389, a known security flaw in TP-Link Archer routers. This vulnerability has been actively exploited since its disclosure in late 2022. Initially documented by Fortinet FortiGuard Labs in July 2025, RondoDox was observed targeting TBK DVRs and Four-Faith routers to enlist them into a botnet for executing distributed denial-of-service (DDoS) attacks over HTTP, UDP, and TCP.

Recently, RondoDox has expanded its distribution methods by utilizing a loader-as-a-service infrastructure. This system co-packages RondoDox with other malware payloads like Mirai and Morte, complicating detection and remediation efforts. The botnet’s arsenal now includes nearly 56 security flaws, 18 of which lack assigned CVE identifiers. These vulnerabilities span a wide range of vendors, including D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.

Trend Micro emphasizes that this evolution signifies a shift from targeting individual devices to a more complex, multivector loader operation. This development underscores the increasing sophistication of automated network exploitation campaigns.

In late September, CloudSEK reported on a large-scale loader-as-a-service botnet distributing RondoDox, Mirai, and Morte payloads. This botnet exploits weak credentials, unsanitized inputs, and outdated vulnerabilities in small office/home office (SOHO) routers, Internet of Things (IoT) devices, and enterprise applications.

Concurrently, security journalist Brian Krebs highlighted that the DDoS botnet known as AISURU is leveraging compromised IoT devices from U.S. internet providers like AT&T, Comcast, and Verizon. AISURU, built on the Mirai framework, controls approximately 300,000 compromised hosts worldwide and has been responsible for some of the largest DDoS attacks to date.

Additionally, GreyNoise identified a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the U.S. This campaign, which began on October 8, 2025, employs attack vectors such as RD Web Access timing attacks and RDP web client login enumeration, with most participating IPs sharing a similar TCP fingerprint, indicating centralized control.

These developments highlight the escalating complexity and scale of botnet operations, emphasizing the need for robust cybersecurity measures to protect vulnerable devices and networks.