RondoDox botnet mass exploitation of 56 n-day flaws
Malware Activity
Summary
Hide ▲
Show ▼
The RondoDox botnet is carrying out a mass n-day exploitation run against more than 50 vulnerabilities across over 30 vendors and internet-exposed devices. It uses a noisy “exploit shotgun” approach against routers, DVRs, NVRs, CCTV systems, web servers, and related network devices, and Trend Micro observed the campaign on June 15, 2025 exploiting CVE-2023-1389 on TP-Link Archer routers. The activity now also uses a loader-as-a-service setup that bundles Mirai/Morte payloads, making detection and remediation more urgent.
Related Happenings
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
H score22
First: 06.05.2026 23:21
Last: 06.05.2026 23:21
Sources 1
About this happening:
The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware ActivityAbout this happening: The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
China-nexus hijacked-device proxy network campaign
Campaign
H score43
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
China-nexus hijacked-device proxy network campaign
CampaignAbout this happening: **China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
H score40
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
VulnerabilityAbout this happening: **CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
H score38
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
CampaignAbout this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
H score1
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
VulnerabilityAbout this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Timeline
-
09.10.2025 20:17 4 articles · 9mo ago
RondoDox botnet mass exploitation of 56 n-day flaws
Initial DisclosureThe initial phase is a **noisy, broad attack run** against exposed devices using many exploits in parallel. It began **in June 2025** and centers on quickly weaponized **n-day vulnerabilities** in DVRs, NVRs, CCTV systems, and related internet-facing gear.
Show sources
- RondoDox botnet targets 56 n-day flaws in worldwide attacks — www.bleepingcomputer.com — 09.10.2025 20:17
- RondoDox botnet targets 56 n-day flaws in worldwide attacks — www.bleepingcomputer.com — 09.10.2025 20:17
- RondoDox Botnet: an 'Exploit Shotgun' for Edge Vulns — www.darkreading.com — 10.10.2025 22:22
- Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors — thehackernews.com — 13.10.2025 13:12