RondoDox Botnet Exploits 174 Critical Vulnerabilities in Global Networks

RondoDox Botnet Undergoes Significant Changes in Tactics and Techniques

A recently analyzed botnet, known as RondoDox, has undergone significant changes in its tactics and techniques, expanding its list of targeted vulnerabilities to 174.

Initial Discovery and Evolution

Initially discovered in March 2025, RondoDox was observed using a “shotgun” approach to compromise devices, throwing multiple exploits at a single target. However, its operators have since shifted to a more targeted strategy, focusing on specific vulnerabilities that are more likely to lead to successful infections.

Expanded Exploit List

RondoDox’s exploit list has been expanded to include a wide range of vulnerabilities, many of which do not have a CVE assigned. The botnet’s operators closely follow vulnerability disclosures, often targeting bugs before a CVE is assigned.

This approach allows them to stay ahead of potential patches and exploit vulnerabilities before they can be fixed.

Techniques and Tactics

The botnet’s operators use a combination of techniques to gain initial access to devices, including targeting weak credentials and unsanitized input. Once inside, they deploy implants that evade detection, remove other malware, and execute the main binary.

RondoDox is also known for using its infected devices to launch distributed denial-of-service (DDoS) attacks, rather than to scan for and infect additional devices.

Investigation and Analysis

An investigation into the botnet revealed the use of over two dozen IP addresses for device exploitation, payload distribution, and bot management. These IP addresses include residential IPs that likely belong to compromised systems.

RondoDox’s operators constantly add and remove vulnerabilities from their exploit list, and have used as many as 49 bugs in a single day.

Analysis of the botnet’s activity reveals a “long-tail” trend, where most vulnerabilities are used for a short period, with nearly half of the 174 identified vulnerabilities being exploited for just a single day.

This suggests that the botnet’s operators test vulnerabilities and adjust their strategy based on each one’s success rate.
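The per-day churn and “long-tail” pattern described above can be measured from any exploit-attempt feed a defender already collects (honeypot hits, IDS alerts). The following is an added example, not code from the original report, run over constructed sample records with placeholder vulnerability labels; it counts how many bugs were tried for only a single day and which ones persisted, the latter being the ones worth patching first:

```python
from collections import defaultdict

# Constructed sample feed: (observation day, vulnerability label) pairs, as a
# honeypot or IDS export might look. Labels are placeholders, not real CVEs.
SAMPLE_OBSERVATIONS = [
    ("2025-03-01", "VULN-A"), ("2025-03-01", "VULN-B"), ("2025-03-01", "VULN-C"),
    ("2025-03-02", "VULN-A"), ("2025-03-02", "VULN-D"),
    ("2025-03-03", "VULN-A"), ("2025-03-03", "VULN-E"), ("2025-03-03", "VULN-F"),
    ("2025-03-04", "VULN-A"), ("2025-03-04", "VULN-B"),
]


def active_days(observations):
    """Map each vulnerability label to the set of distinct days it was seen."""
    days = defaultdict(set)
    for day, vuln in observations:
        days[vuln].add(day)
    return days


def vulns_per_day(observations):
    """Map each day to the number of distinct vulnerabilities tried that day."""
    per_day = defaultdict(set)
    for day, vuln in observations:
        per_day[day].add(vuln)
    return {day: len(vulns) for day, vulns in per_day.items()}


def churn_summary(observations):
    """Summarise the long-tail pattern: how many bugs were used for only one
    day, and the busiest day in terms of distinct bugs tried."""
    days = active_days(observations)
    per_day = vulns_per_day(observations)
    single_day = sorted(v for v, d in days.items() if len(d) == 1)
    busiest = max(sorted(per_day), key=per_day.get)  # earliest day wins ties
    return {
        "total_vulns": len(days),
        "single_day_vulns": single_day,
        "single_day_fraction": len(single_day) / len(days),
        "busiest_day": busiest,
        "max_vulns_per_day": per_day[busiest],
    }


def persistent_vulns(observations, min_days=2):
    """Vulnerabilities seen on at least min_days distinct days: the ones the
    operators keep because they work, and so the ones to patch first."""
    return sorted(v for v, d in active_days(observations).items()
                  if len(d) >= min_days)
```

On the sample feed, four of six placeholder bugs are single-day entries and only VULN-A and VULN-B persist; on a real feed, the persistent set is the patch-priority list.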

Notable Instance and Conclusion

In one notable instance, RondoDox’s operators exploited a security defect just two days before public disclosure.

Despite staying up to date with new flaws, the botnet’s operators often fail to properly implement available exploits.

The botnet does not appear to use a loader-as-a-service for distribution, and previous reports of P2P functionality in RondoDox do not appear to be accurate.

RondoDox shares some commonalities with the Mirai botnet, but its focus on launching DDoS attacks sets it apart.

Its operators’ ability to adapt and evolve their tactics makes it a significant threat to organizations, highlighting the need for robust vulnerability management and security measures.
