As the Internet of Things (IoT) ecosystem swells toward an estimated 41.1 billion connected devices by 2030, the digital attack surface is expanding at a breakneck pace. Amidst this growth, João Godinho, Principal Research Scientist at BitSight, has released a detailed exposé on RondoDox, a relentless botnet that has been aggressively scanning and exploiting internet-exposed devices since May 2025.
What sets RondoDox apart from typical botnets is its sheer variety of weapons. Researchers identified a staggering 174 different vulnerabilities implemented within its arsenal, a “largely uncommon number for these types of threats”.
The botnet employs what Godinho describes as a “shotgun approach,” where it fires multiple exploits at a single endpoint in rapid succession, hoping one will stick. At its height, the botnet reached a peak of 15,000 exploitation attempts in a single day.
“The operators of RondoDox have been using a shotgun approach, where they send multiple exploits to the same endpoint, hoping for one to work,” João wrote.
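The “shotgun” pattern described above has a simple defensive signature: one source sending many distinct exploit attempts at one target in a short window. The following detector is an added example (not code from BitSight or the report); the log format, the sample lines, and the window and threshold values are all constructed assumptions for illustration.

```python
"""Heuristic detector for 'shotgun' exploitation: flag (source, target) pairs
that send many distinct request paths within a short time window.
Log format and sample lines are constructed for this example, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "timestamp src_ip dst_ip request_path".
# 198.51.100.7 probes six distinct paths in 20 s (shotgun pattern);
# 192.0.2.10 is a normal client; 198.51.100.9 probes slowly, one path per 2 min.
SAMPLE_LOG = """\
2025-05-03T10:00:00 198.51.100.7 203.0.113.5 /probe-a
2025-05-03T10:00:03 198.51.100.7 203.0.113.5 /probe-b
2025-05-03T10:00:07 198.51.100.7 203.0.113.5 /probe-c
2025-05-03T10:00:11 198.51.100.7 203.0.113.5 /probe-d
2025-05-03T10:00:15 198.51.100.7 203.0.113.5 /probe-e
2025-05-03T10:00:20 198.51.100.7 203.0.113.5 /probe-f
2025-05-03T10:00:00 192.0.2.10 203.0.113.5 /index.html
2025-05-03T10:00:01 192.0.2.10 203.0.113.5 /status
2025-05-03T10:00:02 192.0.2.10 203.0.113.5 /index.html
2025-05-03T10:00:03 192.0.2.10 203.0.113.5 /status
2025-05-03T10:00:00 198.51.100.9 203.0.113.6 /probe-a
2025-05-03T10:02:00 198.51.100.9 203.0.113.6 /probe-b
2025-05-03T10:04:00 198.51.100.9 203.0.113.6 /probe-c
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, path)."""
    ts, src, dst, path = line.split()
    return datetime.fromisoformat(ts), src, dst, path

def find_shotgun_sources(log_text, window_seconds=60, min_distinct=5):
    """Return {(src, dst): max distinct paths seen in any window} for pairs
    whose peak distinct-path count within window_seconds reaches min_distinct."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, path = parse_line(line)
            events[(src, dst)].append((ts, path))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for pair, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best >= min_distinct:
            flagged[pair] = best
    return flagged
```

Rate-only thresholds would miss the slow prober and flag the busy normal client; counting distinct paths per window separates the two.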
While the initial strategy focused on volume, the RondoDox operators have shown a keen ability to adapt. Since early 2026, the number of unique daily vulnerabilities used has decreased, suggesting a shift toward high-impact, recently disclosed flaws.
A key takeaway from the report is the speed at which the group adopts new threats. In some instances, the operators began exploiting vulnerabilities before a CVE was even officially published, trailing public Proof-of-Concept (PoC) releases instead.
The botnet's infrastructure is a complex web of hosting and exploiting nodes. Interestingly, while the exploitation infrastructure typically belongs to hosting providers that accept cryptocurrency, the hosting infrastructure (where payloads are stored) often consists of compromised residential IP addresses.
BitSight's research found that many of these residential IPs were exposing vulnerable services, such as:
- UniFi Protect interfaces.
- Control4 home automation systems.
- TCL Android TV webservers.
“We’ve identified infrastructure belonging to RondoDox… which include specific indicators… like the usage of the name ‘rondo’ in the scripts,” the researcher confirms.
While RondoDox shares source code commonalities with the infamous Mirai botnet, its mission is more singular. Unlike Mirai, which can scan and exploit other systems directly, the “sole purpose” of the RondoDox malware binaries is to execute Denial of Service (DoS) attacks.
The infection chain is a multi-step process designed to “hinder detection and analysis” and even “attempt to remove other malware” already present on the victim’s device to ensure RondoDox has total control.
The report also serves to correct “unsustained claims” within the research community. Specifically, Godinho notes that claims of RondoDox operating as a “Loader-as-a-Service” or using “P2P infrastructure” lack evidence. Analysis confirms that the supposed “C2 IPs” in these claims were actually just residential hosts used for payload storage.