174 Vulnerabilities Targeted by RondoDox Botnet
Briefly

"Now, Bitsight says the botnet's exploit list has been expanded to 174 different vulnerabilities, as its developers are closely following vulnerability disclosures, targeting bugs before CVEs are assigned. Furthermore, RondoDox has shifted its exploitation strategy to a more targeted approach. Instead of throwing multiple exploits at the same device, in the shotgun method observed before, they are now focusing on specific flaws that are more likely to lead to infections."
"RondoDox, which shares numerous commonalities with Mirai, is also known for targeting weak credentials and unsanitized input for initial access. What sets it apart from Mirai is its focus on launching distributed denial-of-service (DDoS) attacks instead of scanning and infecting additional devices."
"To expand the botnet, RondoDox's operators scan the internet for vulnerable devices using their own infrastructure, and then proceed to deploy implants that evade detection, remove other malware, find a suitable directory to drop the main binary into, and execute it."
RondoDox, a botnet active since March 2025, has significantly evolved its attack capabilities. Where it initially threw multiple exploits at each device in a shotgun approach, it now targets 174 different vulnerabilities with a more selective strategy, choosing flaws that are more likely to lead to infection. Its operators closely monitor vulnerability disclosures and exploit flaws before CVEs are assigned. RondoDox shares similarities with Mirai but focuses on launching DDoS attacks rather than on scanning for and infecting additional devices. The botnet uses weak credentials and unsanitized input for initial access, deploys detection-evading implants, and removes competing malware. Its operators use over two dozen IP addresses for exploitation, payload distribution, and bot management, including compromised residential systems.
Read at SecurityWeek