
RondoDox Rampage: A Multivendor “Exploit-Shotgun” Botnet


Executive Summary

RondoDox is an emerging, multivector botnet that has been observed weaponizing 56 distinct vulnerabilities across 30+ device and vendor types (routers, DVRs/NVRs, CCTV, SOHO appliances, web servers, and more) to build large-scale DDoS-capable botnets and deploy secondary payloads (Mirai/Morte variants via loader-as-a-service). The campaign – detected in active scanning and exploitation since mid-2025 – uses an “exploit-shotgun” approach (try many CVEs and weak/unsanitized inputs), custom obfuscated binaries and shell-script loaders, multi-layer persistence, and advanced evasion such as mimicking gaming and VPN traffic to hide attack traffic. Defenders must treat internet-exposed infrastructure as high risk: patch known flaws, lock down default/weak credentials, and hunt for the botnet’s specific artifacts and C2 indicators.


Background on RondoDox

RondoDox was first documented publicly by FortiGuard, in telemetry from mid-2024 and July 2025, as a lightweight ELF-based bot with custom libraries and loader scripts; Trend Micro and other researchers later expanded reporting to show it evolved into a loader operation that bundles RondoDox with Mirai/Morte payloads and targets a broad set of devices. Researchers describe the campaign as an opportunistic, automated exploitation framework that performs wide scanning and attempts dozens of exploits (including N-day flaws and vendor endpoints with no CVE assigned) to recruit diverse IoT/SOHO/edge devices into DDoS botnets. The botnet has been observed disguising attack traffic as legitimate game/VPN/RTC protocols to evade network filtering.


Vulnerability Details

Here are the details of a few of the vulnerabilities exploited in RondoDox campaigns:

| CVE ID | CVSS Score | EPSS Score | Vulnerability Type | Affected Software / Devices | Patched In / Remarks |
|---|---|---|---|---|---|
| CVE-2015-2051 | 9.8 (Critical) | 93.18% | Command Injection (HNAP interface) | D-Link DIR-645 routers with firmware 1.04b12 and earlier | Firmware v1.05B01 / disconnect if end-of-life |
| CVE-2016-6277 | 8.8 (High) | 94.28% | Command Injection | Netgear R6400, R7000, R8000 and other routers | Firmware 1.0.1.18.Beta, 1.0.1.14.Beta, 1.0.3.26.Beta and others |
| CVE-2021-42013 | 9.8 (Critical) | 94.41% | Remote Code Execution | Apache HTTP Server 2.4.49 and 2.4.50 | Apache 2.4.51 |
| CVE-2025-1829 | 5.3 (Medium) | 1.07% | OS Command Injection | TOTOLINK X18 9.1.0cu.2024_B20220329 | N/A |
| CVE-2025-4008 | 8.7 (High) | 45.70% | Remote Code Execution | Meteobridge before Version 6.2 | Version 6.2 |
| CVE-2023-47565 | 8.8 (High) | 79.31% | Authentication Bypass | QNAP VioStor NVR models running QVR Firmware 4.x | QVR Firmware 5.0.0 |
| CVE-2014-6271 | 9.8 (Critical) | 94.22% | Shellshock (Environment injection) | GNU Bash < 4.3 | Bash patches released for various distributions |
| CVE-2024-3721 | 6.3 (Medium) | 64.49% | OS Command Injection | TBK DVR-4104 and DVR-4216 up to 20240412 | N/A |
| CVE-2024-12856 | 7.2 (High) | 40.66% | OS Command Injection | Four-Faith router models F3x24 and F3x36 | N/A |
| CVE-2023-1389 | 8.8 (High) | 93.91% | Command Injection | TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 | 1.1.4 Build 20230219 |

Infection Method

RondoDox campaigns follow a rapid automated chain:

  1. Recon & Scanning: Large-scale scanning for internet-exposed services and endpoints (routers, DVRs, NVRs, web interfaces). Researchers first observed broad scanning and exploitation attempts in June–October 2025.
  2. Exploit Shotgun: Try a library of exploit payloads across many vendor-specific endpoints (e.g., /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ with manipulated mdb/mdc parameters for TBK DVRs; apply.cgi for Four-Faith routers; known TP-Link and Netgear RCE vectors). If any one of them succeeds, the loader stage proceeds.
  3. Loader / Downloader Execution: Victim runs a shell-script downloader (BASH) which: ignores common signals, checks for writable locations (/dev, /dev/shm, /tmp, /var/tmp, /data/local/tmp, /run/user/0, etc.), creates /tmp/lib or similar, downloads and executes the appropriate architecture binary (ARM/MIPS/x86/x86_64/AArch64, etc.), then clears command history. The loader may also deliver Mirai/Morte variants alongside RondoDox.
  4. Binary Execution & Unpacking: The RondoDox ELF decodes XOR-obfuscated configuration (key 0x21 or variant), recovers XOR-encoded C2 and filenames, then executes its main payload.
  5. Persistence & Tamper: RondoDox establishes multi-layer persistence: writes /etc/init.d/rondo, creates /etc/rc3.d/S99rondo, appends launch commands to /etc/rcS, /etc/init.d/rcS, /etc/inittab and adds crontab entries for user/root. It also changes permissions and creates symbolic links to maintain restart persistence.
  6. Self-Preservation / Anti-Analysis: It scans for analysis and admin tools (e.g., wget, curl, wireshark, gdb, tcpdump, strace, lsof, netstat, ss, ngrep, gdbserver, valgrind, sysdig, etc.) and kills them, or exits, if known analysis tools are present; it clears traces and may rename system binaries (e.g., iptables -> random string) to disrupt recovery and complicate analysis.
  7. C2 & Command Execution: The malware decodes C2 (example XOR decoded IP 83.150.218.93) and connects to receive commands for DDoS tasks. Commands support HTTP, UDP and TCP flood modes and can request forging traffic to mimic gaming (Valve/Minecraft/Fortnite), chat platforms (Discord), or VPN/tunneling traffic (OpenVPN, WireGuard, STUN/DTLS/RTC) to evade detection.
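Steps 4 and 7 above (and the "XOR-encoded configuration" bullet that follows) describe a single-byte XOR over the bot's string table. The Python below is an added example, not code from this write-up or from a RondoDox sample: it decodes such a blob, recovers candidate C2 IPv4 addresses and file paths, and assumes the binary embeds the /etc/init.d/rondo path so that the key can be recovered by known-plaintext search when a "variant" key is used. The blob it runs on is constructed from strings quoted on this page.

```python
import re
import sys
from typing import Optional

XOR_KEY = 0x21  # single-byte key reported for RondoDox configs ("or variant")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: strings quoted in the write-up (the decoded C2 IP, the
# drop directory, the init script) XOR-encoded with 0x21 and NUL-terminated
# like a string table. These are not bytes from a real RondoDox binary.
_PLAIN = b"83.150.218.93\x00/tmp/lib\x00/etc/init.d/rondo\x00"
SAMPLE_BLOB = bytes(b ^ XOR_KEY for b in _PLAIN)


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so decoding is just re-encoding."""
    return bytes(b ^ key for b in data)


def find_keys(data: bytes, marker: bytes = b"/etc/init.d/rondo") -> list:
    """Known-plaintext key recovery: whatever the key, the encoded form of a
    string the bot is known to use must occur verbatim in the blob."""
    return [k for k in range(256) if xor_decode(marker, k) in data]


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Pull out runs of printable ASCII, as the `strings` tool would."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_config(data: bytes, key: Optional[int] = None) -> dict:
    """Decode the blob and surface what an analyst wants first: candidate C2
    IPv4 addresses and filesystem paths (persistence and drop locations)."""
    if key is None:
        keys = find_keys(data)
        key = keys[0] if keys else XOR_KEY  # fall back to the reported key
    dec = xor_decode(data, key)
    strings = printable_strings(dec)
    return {
        "key": key,
        "ipv4": sorted({m.decode() for m in IPV4_RE.findall(dec)}),
        "paths": [s for s in strings if s.startswith("/")],
        "strings": strings,
    }


if __name__ == "__main__":
    # Pass a path to a dumped config/string table, or run on the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    cfg = recover_config(blob)
    print(f"key=0x{cfg['key']:02x} ipv4={cfg['ipv4']} paths={cfg['paths']}")
```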

Malware Behavior and Capabilities

RondoDox demonstrates a combined set of capabilities:

  • Multi-architecture loader: Shell script downloader that detects writable, non-noexec mounts and fetches binaries for multiple CPU architectures.
  • XOR-encoded configuration & obfuscation: Config and C2 strings obfuscated with XOR (key 0x21 reported); decodes at runtime.
  • Persistence: Writes init scripts (/etc/init.d/rondo), rc scripts (/etc/rc3.d/S99rondo), modifies /etc/rcS, and adds crontab entries.
  • Anti-analysis & anti-tool: Detects and terminates analysis/monitoring tools (e.g., wireshark, gdb, tcpdump, strace, valgrind) and kills competing malware/miners.
  • Binary tampering / disruption: Renames critical system binaries (iptables, ufw, passwd, shutdown, reboot, etc.) to random strings to disrupt recovery and hide persistence.
  • C2-driven DDoS: Capable of HTTP, UDP and TCP floods; can craft packets that impersonate game and VPN protocols (OpenVPN magic byte \x38 example) and use STUN/DTLS/RTC signatures, increasing detection complexity.
  • Loader-as-a-Service / co-packaging: Observed being distributed in loader chains that also deliver Mirai/Morte variants, enabling more destructive/versatile botnets.

Techniques Include (MITRE ATT&CK Mapping)

  • T1190 – Exploit Public-Facing Application: Remote exploitation of device web interfaces (e.g., TBK /device.rsp, Four-Faith apply.cgi, TP-Link, Netgear, Apache path traversal).
  • T1040 / T1595 – Active Scanning & Reconnaissance: Broad internet scanning for exposed endpoints and services (exploit-shotgun).
  • T1105 – Ingress Tool Transfer: Shell script downloader fetches binaries and payloads (RondoDox, Mirai/Morte).
  • T1547 – Boot or Logon Autostart Execution: Persistence via init scripts (/etc/init.d/rondo), /etc/rcS, /etc/inittab, and crontab entries.
  • T1498 – Network Denial of Service: DDoS capabilities for HTTP, UDP, and TCP floods.
  • T1027 – Obfuscated Files or Information: XOR-encoded configuration and custom obfuscation.
  • T1499 – Endpoint Denial of Service / Disruption: Renaming or corrupting system utilities to impede recovery (renaming iptables, passwd, shutdown, etc.).
  • T1071.001 – Application Layer Protocol: Web Protocols: C2 and attack traffic disguised as gaming, Discord, OpenVPN/WireGuard, STUN/DTLS/RTC to blend with legitimate traffic.

Visual: RondoDox Attack Flow

[Internet-scale scanning -> Exploit shotgun across known endpoints/CWEs]
-> [Successful exploit (e.g., TBK DVR CVE-2024-3721 / Four-Faith CVE-2024-12856 / TP-Link CVE-2023-1389)]
-> [Shell script downloader executed -> fetch arch-specific ELF (rondo.x86_64 / arm / mips etc.)]
-> [Decode XOR config (key 0x21) -> set up persistence (/etc/init.d/rondo, /etc/rc3.d/S99rondo, crontab)]
-> [Disable/kill analysis tools; rename system binaries to obstruct recovery]
-> [Connect to C2 (e.g., 83.150.218.93) -> receive DDoS commands]
-> [Launch HTTP/UDP/TCP floods impersonating gaming/VPN/RTC traffic OR hand off to Mirai/Morte payloads via loader-as-a-service]


IOCs (Indicators of Compromise)

Network / Hosts: Example C2 and infrastructure observed: 83[.]150[.]218[.]93, 45[.]135[.]194[.]34, 14[.]103[.]145[.]202, 14[.]103[.]145[.]211, 78[.]153[.]149[.]90, 154[.]91[.]254[.]95.


Files / Scripts: Downloader shell script that creates /tmp/lib, clears history, and writes rondo binaries; /etc/init.d/rondo, /etc/rc3.d/S99rondo; /tmp/contact.txt containing vanillabotnet@protonmail[.]com.
Behavioral: Presence of XOR-encoded config with key 0x21 in binaries; unexpected renaming of system utilities (iptables, ufw, passwd, shutdown, reboot, halt, poweroff, etc.) to random strings; new crontab entries or modifications to /etc/inittab and /etc/rcS.

A few known SHA-256 hashes of binaries related to the RondoDox botnet are listed below.

Network Traffic: Flood traffic on HTTP/UDP/TCP, long-running streams that mimic OpenVPN/WireGuard/game protocols (OpenVPN magic byte \x38 in payloads), and persistent C2 connections to the above IPs.


Threat Actor Attribution

No single nation-state APT attribution has been publicly confirmed for RondoDox. Research indicates an opportunistic cyber-crime operation (or a criminal-run loader-as-a-service ecosystem) is behind RondoDox distribution, sometimes co-packaging Mirai/Morte payloads. Geography of observed traffic and botnet IP aggregation suggests globally distributed infrastructure and possible ties to existing DDoS botnet operators (observation of traffic origins from Brazil, China, Iran, etc., in related campaigns), but formal attribution remains open. Analysts caution that RondoDox’s modular loader model enables rapid weaponization by multiple affiliate operators.


Mitigation Steps

  1. Patch / Firmware Updates: Immediately apply vendor patches for known CVEs (e.g., vendor advisories for CVE-2024-3721, CVE-2024-12856, CVE-2023-1389, and other device CVEs listed by Trend Micro/FortiGuard). If no patch exists, disable/unexpose the affected management interface.
  2. Remove Internet Exposure: Block direct internet access to device management ports; place devices behind VPNs, management jump hosts, or segmented management networks.
  3. Credential Hygiene: Replace default credentials and implement strong unique passwords; disable weak/anonymous accounts; enforce rate-limits on login attempts.
  4. Harden Hosts & Detect Tampering: Monitor for creation of /etc/init.d/rondo, /etc/rc3.d/S99rondo, unexpected crontab entries, and renaming of system binaries (iptables, passwd, shutdown, reboot). Maintain immutable backups and verify binary integrity (checksums).
  5. Network Egress & Protocol Controls: Block or inspect outbound connections to known C2 IPs; use protocol-aware filtering to detect OpenVPN/WireGuard/game protocol impersonation patterns (e.g., OpenVPN magic byte \x38).
  6. Behavioral Detection: Create EDR/IDS/IPS rules to detect the loader shell script patterns (clearing history, creating /tmp/lib), XOR decoding patterns, and the RondoDox binary signatures. Fortinet detections list: BASH/RondoDox.A!tr.dldr and ELF/RondoDox.CTO!tr.
  7. Hunt for Secondary Payloads: Look for Mirai/Morte indicators (telnet brute/weak creds, default password use) co-existing on the same hosts as RondoDox infections; uninstall or block known Mirai variants.
  8. Segment & Rate-Limit: Network segmentation to limit lateral recruitment of devices; rate-limit traffic from IoT device segments to prevent them being used in large floods.
  9. Threat Intelligence & Blocklists: Ingest IoCs (C2 IPs) into firewall/IPS/URL filtering solutions and subscribe to vendor feeds (FortiGuard/Trend Micro) for updated detections.
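Steps 4 and 6 can be turned into a host check. The Python below is an added example, not Saner, Fortinet or Trend Micro code: it looks under a root directory (a live host, or a device image mounted for forensics) for the persistence files, launch hooks and renamed utilities named in this write-up, and ships with a constructed infected-host layout so it can be run offline. The random binary name in the sample tree is invented for the demo.

```python
import re
import tempfile
from pathlib import Path

# Host artifacts named in the RondoDox reporting, relative to the root inspected.
ARTIFACTS = ["etc/init.d/rondo", "etc/rc3.d/S99rondo", "tmp/lib", "tmp/contact.txt"]
STARTUP_HOOKS = ["etc/rcS", "etc/init.d/rcS", "etc/inittab", "etc/crontab",
                 "etc/cron.d", "var/spool/cron"]
MARKER = re.compile(rb"rondo|/tmp/lib|history -c")
# Utilities the bot renames to random strings; on a normal host they exist.
EXPECTED_BINS = ["iptables", "ufw", "passwd", "shutdown", "reboot", "halt", "poweroff"]
BIN_DIRS = ["sbin", "usr/sbin", "bin", "usr/bin"]


def hunt(root: str = "/") -> list:
    """Return findings for RondoDox persistence, launch hooks and tampering."""
    r, findings = Path(root), []
    for rel in ARTIFACTS:
        if (r / rel).exists():
            findings.append(f"artifact present: /{rel}")
    for rel in STARTUP_HOOKS:
        p = r / rel
        for f in (p.rglob("*") if p.is_dir() else [p]):
            if f.is_file() and MARKER.search(f.read_bytes()):
                findings.append(f"launch hook in /{f.relative_to(r)}")
    present = {f.name for d in BIN_DIRS if (r / d).is_dir() for f in (r / d).iterdir()}
    if present:  # only judge a tree that actually has system bin directories
        for name in EXPECTED_BINS:
            if name not in present:
                findings.append(f"utility missing (possibly renamed): {name}")
    return findings


def build_sample_tree(base: str) -> None:
    """Constructed infected-host layout for the demo; not a real sample."""
    b = Path(base)
    for d in ["etc/init.d", "etc/rc3.d", "tmp/lib", "var/spool/cron/crontabs", "sbin"]:
        (b / d).mkdir(parents=True)
    (b / "etc/init.d/rondo").write_text("#!/bin/sh\n/tmp/lib/rondo.x86_64 &\n")
    (b / "etc/rc3.d/S99rondo").write_text("#!/bin/sh\n/etc/init.d/rondo\n")
    (b / "etc/inittab").write_text("::sysinit:/etc/init.d/rcS\n::respawn:/tmp/lib/rondo.x86_64\n")
    (b / "var/spool/cron/crontabs/root").write_text("@reboot /tmp/lib/rondo.x86_64\n")
    for name in EXPECTED_BINS:
        if name != "iptables":          # iptables has been renamed away ...
            (b / "sbin" / name).write_text("")
    (b / "sbin/aXk9Qz").write_text("")  # ... to an invented random name


def demo() -> list:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return hunt(d)
```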

Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.