RondoDox Botnet Firing ‘Exploit Shotgun’: Targets 56 Vulnerabilities Across 30+ Router and IoT Vendors
Researchers have identified a large-scale wave of attacks orchestrated by the RondoDox botnet, which employs the so-called “exploit shotgun” technique—literally “firing at everything that moves.” This method involves automatically testing dozens of exploits in succession, hoping to strike any vulnerable target. As a result, no fewer than 56 vulnerabilities across equipment from more than 30 manufacturers have been targeted, ranging from home routers and video surveillance systems to web servers and industrial controllers.
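Defenders can look for exactly this pattern in ordinary web-server logs: one source hitting many distinct endpoints with command-injection style payloads inside a short window, which is what a scripted run of dozens of exploits in succession looks like from the receiving end. The following detector is an added example, not code from the original report or from ZDI; it runs over constructed Apache-style access-log lines, and the window size, endpoint threshold and metacharacter regex are assumptions to tune against local traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache-style access-log lines (sample data, not captured traffic).
# 203.0.113.7 models the shotgun pattern; 192.0.2.9 sends a single probe.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2025:10:00:01 +0000] "GET /cgi-bin/status.cgi?host=1;id HTTP/1.1" 404 0
198.51.100.4 - - [22/Sep/2025:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2025:10:00:02 +0000] "POST /api/ping?ip=1|id HTTP/1.1" 404 0
203.0.113.7 - - [22/Sep/2025:10:00:03 +0000] "GET /admin/diag?cmd=%24%28id%29 HTTP/1.1" 404 0
192.0.2.9 - - [22/Sep/2025:10:00:04 +0000] "GET /setup.cgi?dns=1;id HTTP/1.1" 404 0
203.0.113.7 - - [22/Sep/2025:10:00:05 +0000] "GET /login.cgi?user=%60id%60 HTTP/1.1" 404 0
203.0.113.7 - - [22/Sep/2025:10:00:07 +0000] "POST /setup.cgi?dns=1;id HTTP/1.1" 404 0
203.0.113.7 - - [22/Sep/2025:10:00:09 +0000] "GET /ws/ping?target=1%3Bid HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters typical of command-injection probes, raw or URL-encoded (assumed indicator set).
INJECT_RE = re.compile(r'(;|\||\$\(|`|%3B|%7C|%24%28|%60)', re.IGNORECASE)

def parse_line(line):
    """Return (ip, timestamp, endpoint, full request target) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    endpoint = m["target"].split("?", 1)[0]  # path without the query string
    return m["ip"], ts, endpoint, m["target"]

def find_shotgun_sources(log_text, window_seconds=60, min_distinct_endpoints=5):
    """Map source IP -> max distinct endpoints probed with injection-style payloads in any window."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and INJECT_RE.search(parsed[3]):
            probes[parsed[0]].append((parsed[1], parsed[2]))
    flagged = {}
    for ip, events in probes.items():
        events.sort()  # chronological, so each start index opens one sliding window
        best = 0
        for i, (start, _) in enumerate(events):
            distinct = {ep for ts, ep in events[i:] if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(distinct))
        if best >= min_distinct_endpoints:
            flagged[ip] = best
    return flagged
```

A single probe from one source stays below the threshold; the value of the heuristic is the combination of payload shape and endpoint breadth per source, not either alone.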
RondoDox first emerged in mid-2025. Its developers primarily exploit command injection vulnerabilities in devices exposed to the internet. Recently, the botnet has been actively spreading malware across multiple Linux architectures, including variants of Mirai, the notorious codebase that turns everyday devices into instruments of mass DDoS attacks and remote control operations.
According to the Trend Micro Zero Day Initiative (ZDI) team, the current campaign targets a broad range of infrastructure: routers from Cisco, D-Link, Linksys, and Netgear, Apache HTTP web servers, Brickcom IP cameras, and AVTECH CCTV systems. Some of the exploited vulnerabilities were first unveiled during Pwn2Own contests, where researchers demonstrate real-world exploit chains against hardware targets.
ZDI warns that such attacks pose not only a risk of data breaches but also the potential for prolonged, covert control over corporate and institutional networks. Analysts urge users to compare their devices against the updated list of affected vendors and specific CVE identifiers—comprising dozens of entries. Among the most critical are CVE-2024-3721, a severe flaw in TBK DVR recorders that allows remote command execution, and CVE-2024-12856, a similar vulnerability in Four-Faith industrial routers granting attackers arbitrary command execution capabilities.
Both vulnerabilities had previously been linked to RondoDox activity by FortiGuard Labs. The exact scale of the infection remains unknown, but researchers acknowledge that virtually any internet-connected device—especially consumer-grade hardware with minimal protection—could have been compromised. The malicious loader associated with this campaign includes multi-architecture payloads compatible with various Linux distributions, including lightweight IoT platforms.
The attack began on September 22, peaked the following day, and ceased by September 24. Observations indicate a “smash-and-grab” nature—an intense burst of exploitation aimed at compromising as many systems as possible within a short window. Although active traces have since subsided, researchers continue to monitor the botnet’s infrastructure.
The identity of the group behind RondoDox and the precise purpose of the infected devices remain unclear. Nevertheless, analysts note that the botnet is evolving rapidly: in recent weeks it has integrated a loader-as-a-service infrastructure, a subscription-based model that distributes malicious loaders which automatically deploy RondoDox alongside Mirai and Morte variants.
Shortly after the attack’s peak, CloudSEK issued its own advisory, describing a “highly organized” operation utilizing the same distribution model and reporting a 230% surge in activity between July and August. The wave targeted not only household routers but also corporate IoT systems and server-side applications, which serve as gateways for deeper network infiltration.
ZDI continues to monitor ongoing infections and to investigate RondoDox’s potential connections to other botnet networks. One conclusion is clear: even a brief campaign like this underscores the profound vulnerability of devices left unpatched and inadequately secured.