
"The activity, described as akin to an 'exploit shotgun' approach, has singled out a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices, according to Trend Micro. The cybersecurity company said it detected a RondoDox intrusion attempt on June 15, 2025, when the attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has come under active exploitation repeatedly since it was first disclosed in late 2022."
"RondoDox's expanded arsenal of exploits includes nearly five dozen security flaws, out of which 18 don't have a CVE identifier assigned. The 56 vulnerabilities span various vendors such as D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco."
"More recently, RondoDox broadened its distribution by using a 'loader-as-a-service' infrastructure that co-packages RondoDox with Mirai/Morte payloads - making detection and remediation more urgent,"
Malware campaigns distributing RondoDox have expanded targeting to exploit more than 50 vulnerabilities across over 30 vendors. The activity uses an 'exploit shotgun' approach against internet-exposed infrastructure including routers, DVRs, NVRs, CCTV systems, web servers, and other network devices. Trend Micro detected a RondoDox intrusion attempt on June 15, 2025 exploiting CVE-2023-1389 in TP-Link Archer routers. RondoDox was originally observed recruiting TBK DVRs and Four-Faith routers to build a DDoS botnet using HTTP, UDP, and TCP. The campaign now leverages a loader-as-a-service that co-packages RondoDox with Mirai/Morte payloads. The expanded exploit list covers 56 vulnerabilities, 18 without CVE identifiers.
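The "exploit shotgun" pattern above has a simple defensive corollary: a single source that sprays requests for many unrelated device-specific paths in a short window, mostly drawing 4xx responses, looks nothing like a legitimate client. The following is an added example (not code from The Hacker News, Trend Micro, or the RondoDox operators) that flags such sources from web-server access logs. The log lines, IP addresses, and request paths are constructed placeholders for illustration, not the real exploit URIs used by the campaign; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format regex: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. 203.0.113.7 sprays six unrelated device paths in 30 s,
# 192.0.2.9 hammers one login endpoint (brute force, not a shotgun), and
# 198.51.100.20 browses normally. Paths are placeholders, not real exploit URIs.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2025:10:00:01 +0000] "GET /vendor-a/cgi-bin/setup.cgi?op=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Jun/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2025:10:00:06 +0000] "POST /vendor-b/api/device/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2025:10:00:08 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [15/Jun/2025:10:00:12 +0000] "GET /vendor-c/dvr/cmd?action=probe HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2025:10:00:13 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
198.51.100.20 - - [15/Jun/2025:10:00:15 +0000] "GET /static/app.js HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2025:10:00:18 +0000] "POST /vendor-d/boaform/admin/login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2025:10:00:19 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [15/Jun/2025:10:00:25 +0000] "GET /vendor-e/goform/status HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Jun/2025:10:00:27 +0000] "GET /api/items HTTP/1.1" 200 920 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2025:10:00:31 +0000] "GET /vendor-f/upload.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2025:10:00:33 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        # Strip the query string so /x?a=1 and /x?a=2 count as one path.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_shotgun_sources(lines, window_seconds=60, min_distinct_paths=5, min_error_ratio=0.5):
    """Return {ip: max_distinct_paths} for sources that request at least
    min_distinct_paths distinct paths inside any window_seconds span, with
    at least min_error_ratio of those requests answered 4xx/5xx.
    A brute-forcer hitting one path repeatedly is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["path"] for r in window}
            errors = sum(1 for r in window if r["status"] >= 400)
            if len(distinct) >= min_distinct_paths and errors / len(window) >= min_error_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, n in find_shotgun_sources(SAMPLE_LOG.splitlines()).items():
        print(f"shotgun-style scanner: {ip} ({n} distinct paths)")
```

The distinct-path count is what separates this from ordinary rate limiting: a scanner carrying 50-odd exploits for 30 vendors has no reason to request paths from more than one vendor's firmware against the same host, so even a slow spray across unrelated CGI endpoints stands out. The error-ratio condition keeps a busy legitimate API client with many distinct routes from being flagged.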
Read at The Hacker News