RondoDox botnet mass exploitation of 56 n-day flaws
Malware Activity
Summary
The RondoDox botnet is carrying out a mass n-day exploitation run against more than 50 vulnerabilities across over 30 vendors and internet-exposed devices. It uses a noisy “exploit shotgun” approach against routers, DVRs, NVRs, CCTV systems, web servers, and related network devices, and Trend Micro observed the campaign on June 15, 2025 exploiting CVE-2023-1389 on TP-Link Archer routers. The activity now also uses a loader-as-a-service setup that bundles Mirai/Morte payloads, making detection and remediation more urgent.
Related Happenings
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
First: 06.05.2026 23:21
Last: 06.05.2026 23:21
Sources 1
About this happening:
The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Timeline
- 09.10.2025 20:17 4 articles · 7mo ago
RondoDox botnet mass exploitation of 56 n-day flaws
Initial Disclosure
The initial phase is a **noisy, broad attack run** against exposed devices using many exploits in parallel. It began **in June 2025** and centers on quickly weaponized **n-day vulnerabilities** in DVRs, NVRs, CCTV systems, and related internet-facing gear.
- RondoDox botnet targets 56 n-day flaws in worldwide attacks — www.bleepingcomputer.com — 09.10.2025 20:17
- RondoDox Botnet: an 'Exploit Shotgun' for Edge Vulns — www.darkreading.com — 10.10.2025 22:22
- Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors — thehackernews.com — 13.10.2025 13:12