Trend Micro has uncovered a rapidly expanding botnet campaign dubbed RondoDox, which is targeting a wide spectrum of internet-exposed devices, from routers and DVRs to CCTV systems and industrial networking gear. The campaign leverages over 50 distinct exploits across more than 30 vendors, posing a severe risk to global infrastructure.
"The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure," the Trend Micro report warned.
According to Trend Micro's Zero Day Initiative (ZDI) and Trend Research teams, the first intrusion attempt linked to RondoDox was detected on June 15, 2025, when the threat actors exploited a known vulnerability from the Pwn2Own Toronto event.
The exploited flaw, CVE-2023-1389, affects the TP-Link Archer AX21 Wi-Fi router, originally disclosed during ZDI's consumer router hacking competition.
"Our first RondoDox intrusion attempt began on June 15, 2025, when we identified a familiar vulnerability from our Pwn2Own Toronto event," the report explained, noting that "vulnerabilities presented at our Pwn2Own consumer event continue to be popular with botnet operators."
RondoDox doesn't rely on precision. Instead, it fires an "exploit shotgun," testing dozens of known and unpatched vulnerabilities across a wide attack surface: routers, DVRs, NVRs, CCTV systems, web servers, and other internet-connected devices.
The botnet leverages multi-architecture payloads, enabling infections on both ARM- and MIPS-based devices. This approach, Trend Micro noted, allows RondoDox to "gain shell access and, ultimately, to drop multiarchitecture payloads," giving attackers persistent control over compromised endpoints.
Many of the exploited flaws date back years (some as old as CVE-2014-6271, Shellshock), while others, such as CVE-2025-1829 (TOTOLINK setMtknatCfg) and CVE-2025-5504 (TOTOLINK X2000R), are newly added to the botnet's arsenal.
Trend Micro emphasized that "active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA's Known Exploited Vulnerabilities (KEV) catalog."
The latest Trend Micro telemetry shows RondoDox has evolved beyond a simple botnet; it now operates using a loader-as-a-service (LaaS) model.
This infrastructure distributes RondoDox alongside Mirai and Morte payloads, effectively blending multiple botnet strains under a shared delivery framework.
Trend Micro observed that CloudSEK and Fortinet also detected the same hybrid infrastructure, where RondoDox "co-packages with Mirai/Morte payloads — making detection and remediation more urgent."
RondoDox's lifecycle traces back to responsible disclosures at Pwn2Own Toronto 2022, where researchers from Qrious Secure, Tri Dang and Bien Pham (@bienpnn), successfully demonstrated command injection and authentication bypass vulnerabilities in TP-Link routers.
Since then, Trend Micro has tracked the following milestones:
- December 2022: TP-Link bug discovered during Pwn2Own Toronto.
- January 2023: Vulnerability (CVE-2023-1389) disclosed and patched.
- June 2025: First RondoDox exploitation detected in the wild.
- September 2025: Spike in RondoDox activity, spreading via loader-as-a-service infrastructure.
Trend Micro's analysis lists 56 vulnerabilities exploited by RondoDox, 38 of which have CVE identifiers. Command injection remains the weapon of choice, accounting for nearly 90% of exploits.
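The "exploit shotgun" behaviour described above (one source trying many different exploit paths in quick succession) combined with the finding that nearly 90% of the exploits are command injection gives defenders a practical log-level signal. The following is an added example, not code from Trend Micro or from the report: it parses web-server access logs in the common combined format and flags source addresses that hit many distinct paths carrying shell-metacharacter payloads inside a short window. The log lines, the source addresses, the paths and the thresholds are all constructed for this illustration and are not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shell metacharacters (raw and URL-encoded) that typically appear in
# command-injection attempts against embedded-device web interfaces.
INJECTION_PATTERN = re.compile(r"(;|\||`|\$\(|%3b|%7c|%60|%24%28)", re.IGNORECASE)

# Apache/nginx combined log format (assumed input format for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one source sprays several unrelated paths with
# injection-looking payloads, another source browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2025:10:00:01 +0000] "GET /cgi-bin/a.cgi?host=1.2.3.4;uname HTTP/1.1" 404 153
203.0.113.7 - - [15/Jun/2025:10:00:02 +0000] "POST /goform/b?ip=1.2.3.4|uname HTTP/1.1" 404 153
203.0.113.7 - - [15/Jun/2025:10:00:04 +0000] "GET /c/index.html?x=%24%28uname%29 HTTP/1.1" 404 153
203.0.113.7 - - [15/Jun/2025:10:00:05 +0000] "GET /d/ping.cgi?t=1;uname HTTP/1.1" 404 153
203.0.113.7 - - [15/Jun/2025:10:00:07 +0000] "GET /e/login?u=`uname` HTTP/1.1" 404 153
203.0.113.7 - - [15/Jun/2025:10:00:09 +0000] "GET /f/ HTTP/1.1" 404 153
198.51.100.3 - - [15/Jun/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.3 - - [15/Jun/2025:10:00:08 +0000] "GET /style.css HTTP/1.1" 200 210
198.51.100.3 - - [15/Jun/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "uri": m.group("uri"),
            "status": int(m.group("status"))}


def is_injection_like(uri):
    """True if the request URI carries a shell metacharacter payload."""
    return INJECTION_PATTERN.search(uri) is not None


def find_shotgun_sources(lines, window_seconds=300, min_distinct_paths=5,
                         min_injection_hits=2):
    """Return {ip: summary} for sources that, within window_seconds, requested
    at least min_distinct_paths different paths and at least min_injection_hits
    of those requests looked like command injection. Thresholds are assumptions
    to tune per environment."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["uri"].split("?", 1)[0] for r in window}
            hits = sum(1 for r in window if is_injection_like(r["uri"]))
            if len(distinct) >= min_distinct_paths and hits >= min_injection_hits:
                # Report the first window that trips the threshold.
                flagged[ip] = {"distinct_paths": len(distinct), "injection_hits": hits,
                               "first": window[0]["ts"], "last": window[-1]["ts"]}
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_shotgun_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On the constructed sample this flags 203.0.113.7 only; the normal browsing source never reaches the distinct-path or injection thresholds. Mass 404 responses to paths that belong to other vendors' devices are themselves a useful secondary signal, since an exploit shotgun fires at products the host is not.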
The botnetβs targets span dozens of vendors, including D-Link, Netgear, TP-Link, TOTOLINK, QNAP, Cisco, Zyxel, and Apache.
"RondoDox's expanded arsenal now includes several additional CVEs and exploitation patterns observed in the wild," the researchers noted. "It's a clear signal that the campaign is evolving beyond single-device opportunism into a multivector loader operation."
Some of the most critical CVEs observed include:
- CVE-2024-3721: TBK DVR command injection
- CVE-2024-12856: Four-Faith router remote execution
- CVE-2025-22905: Edimax RE11S router
- CVE-2023-47565: QNAP VioStor NVR
- CVE-2018-10561: Dasan GPON home router