RondoDox botnet expands mining and DDoS capabilities
Malware Activity
Summary
RondoDox botnet now combines cryptocurrency mining with XMRig and DDoS attacks, expanding both monetization and disruption risk across exposed systems. It reaches targets by exploiting over 170 known vulnerabilities in internet-facing applications and then drops a shell script to prepare the infection. The malware also performs anti-analysis steps and removes competing malware before installing the right botnet binary for the host architecture. It can launch DoS attacks across the internet, transport, and application layers when commanded.
Related Happenings
MacOS LOTL detection and hardening guidance against native-tool abuse
Defensive Guidance
First: 22.04.2026 19:30
Last: 22.04.2026 19:30
Sources 1
About this happening:
Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...
PowMix phishing campaign targeting Czech workforce
Campaign
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
How related:
Cybersecurity researchers have warned of an active malicious campaign that's targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025.
About this happening:
The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...
UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity
Malware Activity
First: 06.03.2026 01:19
Last: 06.03.2026 01:19
Sources 1
About this happening:
A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...
DKnife gateway-monitoring malware framework
Malware Activity
First: 06.02.2026 19:00
Last: 06.02.2026 19:00
Sources 1
About this happening:
The discovery of **DKnife** exposes a **long-running malware framework** that has remained active since at least **2019**, raising the risk of **gateway-level traffic interception...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
Timeline
- 16.04.2026 20:52 · 2 articles · 1mo ago
RondoDox botnet adds XMRig mining and layered DDoS
Technical Analysis Update
Bitsight-linked analysis describes the RondoDox botnet as an actively maintained threat that can mine cryptocurrency with XMRig while retaining distributed denial-of-service functionality across the internet, transport, and application layers. The malware also exploits over 170 known vulnerabilities in internet-facing applications for initial access, drops a shell script that performs anti-analysis and removes competing malware, and then installs the appropriate botnet binary for the host architecture.
Sources:
- Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic — thehackernews.com — 16.04.2026 20:52