The RondoDox botnet’s developers have significantly increased their exploit list and are taking a more targeted approach to exploitation, Bitsight reports.
Initially detailed in the second half of last year, RondoDox has been active since at least March 2025, when security researchers observed the first exploitation attempts associated with it.
Since April 2025, the botnet’s operators have engaged in systematic vulnerability scanning, mostly taking a ‘shotgun’ approach to compromising devices.
By October, it was targeting 56 vulnerabilities, including flaws without a CVE assigned, and in December, it was seen targeting React2Shell.
Now, Bitsight says the botnet’s exploit list has been expanded to 174 different vulnerabilities, as its developers are closely following vulnerability disclosures, targeting bugs before CVEs are assigned.
Furthermore, RondoDox has shifted to a more targeted exploitation strategy. Instead of throwing multiple exploits at the same device, as in the shotgun method observed before, the operators now focus on specific flaws that are more likely to lead to infections.
RondoDox, which shares numerous commonalities with Mirai, is also known for targeting weak credentials and unsanitized input for initial access. What sets it apart from Mirai is its focus on launching distributed denial-of-service (DDoS) attacks instead of scanning and infecting additional devices.
To expand the botnet, RondoDox’s operators scan the internet for vulnerable devices using their own infrastructure, and then proceed to deploy implants that evade detection, remove other malware, find a suitable directory to drop the main binary into, and execute it.
Bitsight’s investigation into the botnet revealed the use of over two dozen IP addresses for device exploitation, payload distribution, and bot management, including residential IPs that likely belong to compromised systems.
RondoDox’s operators are constantly adding and removing vulnerabilities from their exploit list and have been observed using as many as 49 bugs in a single day. Most of the bugs, however, are dropped immediately.
“When examining how often each vulnerability was used, a clear long-tail trend emerges. While the average vulnerability was used for 18 days, nearly half of the 174 vulnerabilities identified (84, or 48%) were exploited for just a single day. This suggests that they try vulnerabilities and act based on the success rate of each,” Bitsight notes.
According to the cybersecurity firm, the botnet’s operators appear to closely monitor vulnerability-related publications: in at least one case, they exploited the security defect two days before its public disclosure.
Although they stay up to date with new flaws, the botnet’s operators fail to properly implement the available exploits for them, Bitsight says.
The cybersecurity firm also notes that the botnet does not appear to use a loader-as-a-service for distribution and that previous reports of P2P functionality in RondoDox do not appear to be accurate.