Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

Nov. 26, 2025, 11:18 a.m.

Description

A new threat actor is distributing the RondoDox malware, a variant of Mirai, targeting IoT devices. The actor uses residential IP addresses for distribution and employs over a dozen exploits to target various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable security measures, remove competing malware, and download architecture-specific second-stage binaries. The campaign has been active since July 2025, with consistent use of a handful of distribution points. The actor targets home routers and other IoT devices using multiple CVEs and generic command injection attempts.

External References

https://www.f5.com/labs/articles/tracking-rondodox-malware-exploiting-many-iot-vulnerabilities
https://otx.alienvault.com/pulse/6926ce4acf381a3fb07c9efb
Tags
command injection
iot
botnet
mirai
multi-platform
CVE-2024-10914
CVE-2023-1389
CVE-2025-4008
CVE-2024-3721
CVE-2025-34043
rondodox
CVE-2025-9528
CVE-2013-1599
CVE-2022-36553
CVE-2020-10987
2025-11-26
shell script
residential infrastructure
mirai variant
CVE-2020-9054
CVE-2023-23333
CVE-2014-3206
CVE-2023-41011
CVE-2022-40619

Date

  • Created: Nov. 26, 2025, 9:54 a.m.
  • Published: Nov. 26, 2025, 9:54 a.m.
  • Modified: Nov. 26, 2025, 11:18 a.m.

Indicators

  • f11ede0c682e818357943a166239867a19b0c1d321e84213e28e21beb2c49c87
  • f0a73797caa35d4d62a23358fa8102d6c434cfc5177623d5dfd2a3efaff66aae
  • e683864f4016b24b164ebaa5d900963b730a1df45bcbf9fa947b644d673dbc21
  • df9f756f355d1122e46ce12bb84553c89cdab71c6402a257b78bc768578f51c7
  • cf7a5027a0e562b7749c8025c0394bc3c3208b7b5ce070dcd15787450332efa8
  • c987e85b19c6462b06615a61998618c0e7d22ac5e38034e53ef0e34bd452464d
  • c789f239a9cf039752e3926ee3b4387b3f6a1f6657531277caebf90685b018a2
  • 8634f53097f511dd1b7c253a0fbc4bc468e3ee38abd0490a39dd92edaee905de
  • a65e3438103d31ccb213083b2b6ef40b558580b4246251b558fc68e6a2a2ba92
  • 81200976b8717c340041eee6ff051e1a87f8f73d86a9e17465b34be4c9488839
  • 69a17194dba061f56ec3a23debfa1d3fdee7dd92789af17038387b294093aa5d
  • 5cbe0f93c03b04b6100545448fee6db2a032a7cb13be45421d4ab377d1f88bf6
  • 470a74b888617299820acbe2daf03001eca7dc64a7002cd00beb163b3663187e
  • 3a4afea2c16905816b922229dc5d03311d58c470fa4580dcd9248302bcdfbdc4
  • 3852442d56b08eabb8060f6b72234ff0a5400b89dddf31560b2dc5d8b16c29fa
  • 2af74246497c671cc9976cd9919fdc4beaa459e9b4b30a42f561b45919da950b
  • 032d7b946259add6db097d3ee4375caffe2c7dcf7da81e72c32eaa24b3bde164
  • 17be568b6b2acb3b237c6dc81b3692976bb83eea76a7a26fd405805d34901016
  • 83.252.42.112
  • 38.59.219.27
  • 74.194.191.52
  • 192.183.232.142
  • http://74.194.191.52/rondo.mips||curl
  • http://74.194.191.52/rondo.mips||busybox
  • http://74.194.191.52/rondo.mips
  • bang2012@tutanota.de
Download all indicators here!

Attack Patterns

  • RondoDox
  • Mirai
  • RondoDox

Linked vulnerabilities

CVE-2013-1599

None
Published:

CVE-2014-3206

None
Published:

CVE-2017-9841

None
Published:

CVE-2019-9082

None
Published:

CVE-2020-10987

None
Published:

CVE-2020-8958

None
Published:

CVE-2020-9054

None
Published:

CVE-2022-22947

None
Published:

CVE-2022-24847

None
Published:

CVE-2022-36553

None
Published:

CVE-2022-40619

None
Published:

CVE-2022-42475

None
Published:

CVE-2023-1381

None
Published:

CVE-2023-1389

None
Published:

CVE-2023-23333

None
Published:

CVE-2023-41011

None
Published:

CVE-2024-10914

8.1
    Dlink
  • Dns-320 Firmware
  • Dns-320
  • Dns-320lw Firmware
  • Dns-320lw
  • Dns-325 Firmware
  • Dns-325
  • Dns-340l Firmware
  • Dns-340l
Published: November 6, 2024

CVE-2024-3721

None
Published:

CVE-2024-4577

9.8
    PHP
Published: June 9, 2024

CVE-2025-31324

10.0
    Sap
  • Sap Netweaver Visual Composer
Published: April 24, 2025

CVE-2025-34043

10.0
    Vacron
  • Network Video Recorder
Published: June 26, 2025

CVE-2025-4008

9.4
    Onekey
  • Meteobridge
Published: May 21, 2025

CVE-2025-9528

5.1
    Linksys
  • E1700
Published: August 27, 2025