
RondoDox multivector loader-as-a-service campaign

Type: Campaign
First reported:
Last updated:
Happening score: 56
1 unique source, 1 article

Summary


The RondoDox botnet campaign has expanded into multivector exploitation and loader-as-a-service distribution, widening risk to internet-exposed infrastructure across 30+ vendors and 50+ vulnerabilities. The broadened reach makes exposed routers, DVRs, NVRs, CCTV systems, web servers, and other network devices more likely to be enrolled into the botnet. A detected use of CVE-2023-1389 on TP-Link Archer routers shows the operation is actively abusing public-facing flaws. The added Mirai/Morte payload chain increases detection and remediation pressure.

Related Happenings

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 · Last: 23.04.2026 15:28 · Sources: 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
First: 22.04.2026 23:04 · Last: 22.04.2026 23:04 · Sources: 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

D-Link DIR-823X command-injection RCE (CVE-2025-29635)

Vulnerability
First: 22.04.2026 23:04 · Last: 22.04.2026 23:04 · Sources: 1

About this happening: **CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...

TBK DVR command injection flaw actively exploited (CVE-2024-3721)

Vulnerability
First: 20.04.2026 16:01 · Last: 20.04.2026 16:01 · Sources: 1

About this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...

TP-Link router authenticated command injection (CVE-2023-33538)

Vulnerability
First: 20.04.2026 10:50 · Last: 20.04.2026 10:50 · Sources: 1

About this happening: **CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...

Timeline

  1. 13.10.2025 13:12 · 1 article · 7mo ago

    RondoDox exploits CVE-2023-1389 on TP-Link Archer routers

    Exploitation Observed

    Trend Micro detected a RondoDox intrusion attempt on June 15, 2025, when attackers exploited CVE-2023-1389 against TP-Link Archer routers. The flaw had already been under repeated active exploitation after its late-2022 disclosure.

  2. 13.10.2025 13:12 · 2 articles · 7mo ago

    RondoDox expands into multivector loader-as-a-service operations

    Campaign Scope Update

    Trend Micro described RondoDox as using an "exploit shotgun" strategy: targeting more than 50 vulnerabilities across over 30 vendors and a broad set of internet-exposed infrastructure, including routers, digital video recorders, network video recorders, CCTV systems, web servers, and other network devices. The campaign also broadened distribution through a loader-as-a-service infrastructure that co-packages RondoDox with Mirai/Morte payloads, increasing the urgency of detection and remediation for exposed devices.
