A new and fast-growing botnet dubbed RondoDox is shaking up the global cybersecurity landscape with its “shotgun” exploitation strategy, targeting over 50 known and unknown vulnerabilities across a vast array of internet-connected devices. First detected in mid-2025, the botnet has expanded rapidly, infecting routers, servers, cameras, and DVRs from more than 30 different vendors.
Researchers at Trend Micro and CloudSek describe RondoDox as a loader-as-a-service operation, distributed alongside notorious malware like Mirai and Morte. Once inside, compromised devices are hijacked for cryptocurrency mining, DDoS attacks, and as footholds for enterprise intrusions. The botnet’s operators rotate their command-and-control infrastructure and disguise traffic as legitimate network activity to stay ahead of detection efforts.
Astonishingly, attacks attributed to RondoDox have surged 230% since mid-2025, underscoring how quickly it is scaling across the global internet. Its exploitation toolkit includes both publicly known CVEs and non-public vulnerabilities, many of which remain unpatched. With builds for CPU architectures like ARM and MIPS and broad compatibility with Linux-based devices, RondoDox is proving dangerously adaptable and persistent.
This episode examines how RondoDox works, why its “shotgun” exploitation method is so effective, and what it signals about the evolving malware-as-a-service ecosystem driving modern cyberattacks.
#RondoDox #Botnet #CyberSecurity #DDoS #Cryptojacking #Mirai #Morte #TrendMicro #CloudSek #IoTSecurity #VulnerabilityManagement #CISA #CyberThreats #InfoSec #NetworkSecurity #MalwareAsAService #ZeroDay #ExploitCampaign #Cybercrime