
RondoDox botnet exploits 56 n-day vulnerabilities in global attacks

4 unique sources, 4 articles

Summary


The RondoDox botnet has been actively exploiting over 50 vulnerabilities across more than 30 vendors since May 2025. The botnet uses an 'exploit shotgun' strategy to maximize infections, targeting both older and more recent vulnerabilities. The list of exploited vulnerabilities includes CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and others demonstrated at Pwn2Own events. The botnet's activity poses significant risks, especially for devices that have reached end-of-life and are more likely to remain unpatched. Many users also tend to ignore firmware updates for supported hardware, increasing the risk of exploitation. The botnet targets 35 to 40 vulnerabilities found in consumer-oriented devices, which are often unmanaged and rarely updated. In late September, a 230% surge in the botnet's attacks was reported, fueled by the exploitation of weak credentials, unsanitized input, and old CVEs. The infected devices are abused for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and for hacking into enterprise networks. The botnet's impact scale is potentially quite large, though not yet fully known. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.

Timeline

  1. 09.10.2025 20:17 · 4 articles

    RondoDox botnet targets 56 n-day vulnerabilities in global attacks

    The botnet began operating in May 2025 and was first documented by Fortinet FortiGuard Labs in July 2025. Of the 56 vulnerabilities it exploits, 50 are command injection flaws, and 18 have no CVE identifier assigned. Between 35 and 40 of the targeted vulnerabilities are found in consumer-oriented devices. Its tactics are opportunistic and unfocused, spreading across wide geographic regions without bias, and the scale of its impact is potentially quite large, though not yet fully known. The exploited products come from D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco. The latest RondoDox campaign represents a significant evolution in automated network exploitation, moving beyond single-device opportunism into a multivector loader operation.


Similar Happenings

ArcaneDoor Campaign Exploits Cisco Zero-Day Vulnerabilities

A threat cluster dubbed ArcaneDoor has been exploiting two zero-day vulnerabilities in Cisco firewalls to deliver previously undocumented malware families, RayInitiator and LINE VIPER. These vulnerabilities, CVE-2025-20362 and CVE-2025-20333, allow attackers to bypass authentication and execute malicious code on susceptible appliances. The campaign is linked to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849). The malware families represent a significant evolution in sophistication and evasion capabilities compared to previous campaigns. The attacks have been ongoing since at least September 2025, targeting organizations in various sectors. The exploitation of these vulnerabilities underscores the need for immediate patching and enhanced security measures for Cisco firewalls.

ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS Attacks

The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website.

Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software

The Gentlemen ransomware gang, first observed this summer, is using a vulnerable driver to disable security software in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and extended detection and response (EDR) processes, exploiting CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver. The gang has demonstrated advanced capabilities, including tailored bypasses for specific security vendors, and has adapted its tactics mid-campaign. The use of legitimate, signed drivers complicates detection and defense. The Gentlemen have been exploiting vulnerable, Internet-facing infrastructure and VPNs in their attacks, and use PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products. Organizations are advised to implement zero-trust controls and monitor for unusual process combinations to defend against these attacks.

IoT Security Progress and Challenges Over the Past Five Years

The security of Internet of Things (IoT) devices has not kept pace with their rapid adoption across industries. Despite some legislative progress and increased awareness, IoT devices remain vulnerable due to weak default passwords, lack of patching mechanisms, and inadequate security practices by manufacturers. Attackers are exploiting these vulnerabilities for various malicious activities, including botnets, ransomware, and espionage. The Mirai botnet incident in 2016 highlighted the risks, leading to new regulations like the UK's Product Security and Telecoms Infrastructure Act and the EU's Cyber Resilience Act. However, the evolving threat landscape and the influx of new IoT devices pose ongoing challenges for security. Manufacturers face the dilemma of balancing security with user experience, and many are reluctant to implement stricter security measures due to competitive pressures.

TP-Link Router Vulnerabilities Actively Exploited in the Wild

Two security flaws in TP-Link routers, CVE-2023-50224 and CVE-2025-9377, are being actively exploited. The vulnerabilities affect multiple router models, including the TL-WR841N and Archer C7, and allow authentication bypass and remote code execution, respectively. The exploits are linked to the Quad7 botnet and a China-linked threat actor, Storm-0940. Federal agencies must apply mitigations by September 24, 2025. TP-Link has released firmware updates to address these issues, but the affected models have reached end-of-life and end-of-service status, so users are advised to upgrade to newer hardware for enhanced protection.