RondoDox botnet shotgun exploit activity across network devices
Malware Activity
Summary
The RondoDox botnet is escalating a “shotgun” exploit operation against routers, DVRs, NVRs, CCTV systems, web servers, and other network gear, raising the risk of mass compromise. It now targets 56 vulnerabilities across more than 30 vendors, including CVE-2023-1389, CVE-2024-3721, and CVE-2024-12856. Compromised devices are being used for cryptocurrency mining, DDoS attacks, and enterprise network intrusion, while payloads are being co-packaged with Mirai/Morte to improve evasion.
Related Happenings
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score: 31
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources: 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
China-nexus hijacked-device proxy network campaign
Campaign
H score: 39
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources: 1
About this happening:
**China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
H score: 56
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources: 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
H score: 55
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources: 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score: 43
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources: 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Timeline
- 10.10.2025 15:06 · 2 articles · 8mo ago
RondoDox botnet shotgun exploit activity across network devices
Initial Disclosure: RondoDox first appeared in **mid-2025** as a botnet exploiting **CVE-2023-1389** on TP-Link Archer AX21 routers. It then moved to additional router and DVR flaws before broadening into a much wider device set.
- RondoDox Botnet Takes ‘Exploit Shotgun’ Approach — www.securityweek.com — 10.10.2025 15:06