RondoDox edge-device exploitation wave
Exploitation Wave
Summary
RondoDox is broadening its edge-device exploitation wave, with Trend Micro reporting an exploit shotgun approach against more than 50 vulnerabilities across over 30 vendors. The campaign has targeted routers, DVRs, NVRs, CCTV systems, web servers, and other internet-exposed network devices, and Trend Micro observed an intrusion attempt on June 15, 2025 exploiting CVE-2023-1389 on TP-Link Archer routers. The activity has also expanded through a loader-as-a-service setup that co-packages RondoDox with Mirai/Morte payloads, increasing the urgency of detection and remediation.
Cases
Related Happenings
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
APT28 SOHO router DNS hijacking and credential theft campaign
Campaign
First: 07.04.2026 18:30
Last: 07.04.2026 18:30
Sources 1
About this happening:
**APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
Latest development: 08.04.2026 13:03
On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
Timeline
13.10.2025 13:12 · 1 article · 7mo ago
RondoDox expands exploitation to 56 vulnerabilities
Campaign Scope Update: Trend Micro says RondoDox expanded its targeting to more than 50 vulnerabilities across over 30 vendors, including routers, DVRs, NVRs, CCTV systems, web servers, and other internet-exposed network devices. The campaign also broadened distribution through a loader-as-a-service setup that co-packages RondoDox with Mirai/Morte payloads.
Sources:
- Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors — thehackernews.com — 13.10.2025 13:12
10.10.2025 22:22 · 2 articles · 7mo ago
RondoDox edge-device exploitation wave
Initial Disclosure: In **May**, RondoDox began with exploitation of **one critical** and **one high-severity n-day** vulnerability in popular **DVRs** and **routers**. At that stage, the activity was narrower but already pointed at hard-to-patch edge devices.
Sources:
- RondoDox Botnet: an 'Exploit Shotgun' for Edge Vulns — www.darkreading.com — 10.10.2025 22:22