RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits

Nov. 10, 2025, 11:56 a.m.

Description

The RondoDox botnet has undergone a significant evolution, expanding its capabilities and target range. This new variant, RondoDox v2, demonstrates a 650% increase in exploitation vectors, moving beyond niche DVR targeting to include enterprise applications. Key features include over 75 exploitation vectors, new command and control infrastructure utilizing compromised residential IPs, enhanced obfuscation and persistence mechanisms, and an expanded ecosystem of targets. The botnet now employs a multi-architecture approach, supporting 16 different binary variants to maximize its reach across diverse device types.

External References

https://beelzebub.ai/blog/rondo-dox-v2/
https://otx.alienvault.com/pulse/6911c73e9d8c6d03d8d71b34
Tags
obfuscation
exploit
persistence
ddos
iot
botnet
CVE-2015-2051
enterprise
CVE-2018-10561
CVE-2021-41773
CVE-2024-7029
CVE-2024-10914
CVE-2023-1389
CVE-2017-18368
CVE-2024-12856
CVE-2024-12847
CVE-2025-22905
CVE-2023-26801
CVE-2023-52163
CVE-2025-1829
CVE-2025-4008
CVE-2025-5504
CVE-2024-3721
CVE-2025-34037
rondodox
CVE-2022-44149
2025-11-10
CVE-2019-16920
CVE-2025-7414
CVE-2023-47565
CVE-2016-6277
CVE-2022-37129
CVE-2022-36553
CVE-2014-1635
CVE-2018-11714
CVE-2017-18369
CVE-2020-10987
multi-architecture
CVE-2021-42013
CVE-2023-25280
command-injection
CVE-2023-51833
CVE-2014-6271
CVE-2020-27867
CVE-2020-25506

Date

  • Created: Nov. 10, 2025, 11:06 a.m.
  • Published: Nov. 10, 2025, 11:06 a.m.
  • Modified: Nov. 10, 2025, 11:56 a.m.

Indicators

  • 691e4ec280aaff33270f33a9bb48a3fc38e2bd91c7359e687e3f0bd682f20b54
  • 83.252.42.112
  • 38.59.219.27
  • 83.150.218.93
  • http://74.194.191.52/rondo.xcw.sh||busybox
  • http://74.194.191.52/rondo.xqe.sh|sh&echo
  • http://74.194.191.52/rondo.qre.sh||busybox
  • http://74.194.191.52/rondo.[variant].sh
  • http://74.194.191.52/rondo.[arch].sh]
  • http://74.194.191.52/rondo.[arch].sh
  • http://74.194.191.52/rondo.x86_64
  • http://74.194.191.52/rondo.sparc
  • http://74.194.191.52/rondo.powerpc-440fp
  • http://74.194.191.52/rondo.powerpc
  • http://74.194.191.52/rondo.mipsel
  • http://74.194.191.52/rondo.armv7l
  • http://74.194.191.52/rondo.armv6l
  • http://74.194.191.52/rondo.armv5l
  • http://74.194.191.52/rondo.armv4l
  • http://74.194.191.52/rondo.arc700
Download all indicators here!

Attack Patterns

  • RondoDox
  • RondoDox

Additional Informations

  • Technology
  • Telecommunications
  • New Zealand

Linked vulnerabilities

CVE-2014-1635

None
Published:

CVE-2014-6271

None
Published:

CVE-2015-2051

None
Published:

CVE-2016-6277

None
Published:

CVE-2017-10271

None
Published:

CVE-2017-18368

None
Published:

CVE-2017-18369

None
Published:

CVE-2018-10561

None
Published:

CVE-2018-11714

None
Published:

CVE-2019-16920

None
Published:

CVE-2020-10987

None
Published:

CVE-2020-25506

None
Published:

CVE-2020-27867

None
Published:

CVE-2021-41773

None
Published:

CVE-2021-42013

None
Published:

CVE-2022-36553

None
Published:

CVE-2022-37129

None
Published:

CVE-2022-44149

None
Published:

CVE-2023-1389

None
Published:

CVE-2023-25280

None
Published:

CVE-2023-26801

None
Published:

CVE-2023-47565

None
Published:

CVE-2023-51833

None
Published:

CVE-2023-52163

5.9
    Digiever DS-2105 Pro
Published: February 3, 2025

CVE-2024-10914

8.1
    Dlink
  • Dns-320 Firmware
  • Dns-320
  • Dns-320lw Firmware
  • Dns-320lw
  • Dns-325 Firmware
  • Dns-325
  • Dns-340l Firmware
  • Dns-340l
Published: November 6, 2024

CVE-2024-12847

9.8
    NETGEAR DGN1000
Published: January 10, 2025

CVE-2024-12856

7.2
    Four-Faith router F3x24
    Four-Faith router F3x36
Published: December 27, 2024

CVE-2024-3721

None
Published:

CVE-2024-7029

8.8
    UNKNOWN
Published: August 2, 2024

CVE-2025-1829

6.3
    TOTOLINK X18
Published: March 2, 2025

CVE-2025-22905

9.8
    RE11S
Published: January 16, 2025

CVE-2025-34037

10.0
    Linksys
  • E-Series Router
  • Wrt Series Router
  • Wag Series Router
  • Wap Series Router
  • Wes Series Router
  • Wet Series Router
  • Wifi N Access Point
Published: June 24, 2025

CVE-2025-4008

9.4
    Onekey
  • Meteobridge
Published: May 21, 2025

CVE-2025-5504

5.3
    Totolink
  • X2000r
Published: June 3, 2025

CVE-2025-7414

None
Published: