RondoDox edge and web exploitation

The **RondoDox** botnet campaign has expanded into **multivector exploitation** and **loader-as-a-service** distribution, widening risk to **internet-exposed infrastructure** across **30+ vendors** and **50+ vulnerabilities**. The broadened reach makes exposed routers, DVRs, NVRs, CCTV systems, web servers, and other network devices more likely to be enrolled into the botnet. A detected use of **CVE-2023-1389** on **TP-Link Archer routers** shows the operation is actively abusing public-facing flaws. The added **Mirai/Morte** payload chain increases detection and remediation pressure.

The **RondoDox botnet** is exploiting **CVE-2025-55182 (React2Shell)** to compromise **Next.js servers**, turning exposed systems into malware hosts and expanding botnet reach. Activity escalated in **December 2025** after scanning began on **December 8** and payload deployment followed **three days later**. The infection chain includes a **coinminer**, a **botnet loader/health checker**, and a **Mirai** variant, which increases persistence and abuse potential. The scale is significant because more than **94,000 internet-exposed assets** were reported vulnerable to React2Shell.

**RondoDox** is broadening its **edge-device exploitation** wave, with Trend Micro reporting an **exploit shotgun** approach against **more than 50 vulnerabilities** across **over 30 vendors**. The campaign has targeted **routers**, **DVRs**, **NVRs**, **CCTV systems**, **web servers**, and other **internet-exposed network devices**, and Trend Micro observed an intrusion attempt on **June 15, 2025** exploiting **CVE-2023-1389** on **TP-Link Archer routers**. The activity has also expanded through a **loader-as-a-service** setup that co-packages **RondoDox** with **Mirai/Morte** payloads, increasing the urgency of detection and remediation.