
RondoDox botnet payload deployment in December 2025

Malware Activity
1 unique sources, 1 articles

Summary


The RondoDox botnet was actively dropping cryptocurrency miners, the /nuts/bolts loader and health checker, and the /nuts/x86 Mirai variant onto infected devices in December 2025. That activity shows a live malware operation focused on expanding control, suppressing rivals, and keeping compromised hosts under management. The behavior matters because it combines payload delivery with persistence and competing-malware removal on already infected systems.


Timeline

  1. 01.01.2026 11:19 · 2 articles

    CloudSEK discloses RondoDox payload deployment against Next.js servers and IoT devices

    Initial Disclosure

    CloudSEK disclosed a persistent nine-month RondoDox campaign targeting IoT devices and web applications, noting that December 2025 activity used React2Shell (CVE-2025-55182) against vulnerable Next.js servers and attempted to drop /nuts/poop miners, /nuts/bolts as a botnet loader and health checker, and /nuts/x86 as a Mirai botnet variant. CloudSEK also said /nuts/bolts terminates competing malware and coin miners, removes prior campaign artifacts, sets persistence through /etc/crontab, and continuously scans /proc to prevent reinfection by rival actors.
