
RondoDox IoT Botnet Expands to 56 Vulnerabilities
Security researchers have reported a significant expansion in the RondoDox IoT botnet campaign, which now exploits 56 vulnerabilities across more than 30 vendors, having initially targeted only two flaws.
Trend Micro's Zero Day Initiative and research teams have observed active exploitation globally since mid-2025, with several vulnerabilities now listed in the United States Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue.
The initial analysis by FortiGuard Labs earlier this year identified the botnet exploiting two vulnerabilities, CVE-2024-3721 in TBK DVR devices and CVE-2024-12856 in Four-Faith routers.
RondoDox operators have adopted what Trend Micro describes as an 'exploit shotgun' approach: rather than fingerprinting a target first, the botnet fires many exploits at it and keeps whichever one succeeds in compromising the device.
Their expanded arsenal includes 50 command injection flaws, two path traversal flaws, and instances of buffer overflow, authentication bypass, and memory corruption vulnerabilities.
RondoDox uses XOR encoding to obfuscate its configuration data and mimics legitimate traffic from gaming platforms and VPN services to evade detection. The malware disguises itself as traffic from services like Valve, Minecraft, Roblox, Fortnite, Discord, OpenVPN, and WireGuard.
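The XOR obfuscation mentioned above is worth a closer look from an analyst's side, because XOR is obfuscation rather than encryption. The following is an added example, not RondoDox's code or anything recovered from a sample: it encodes a constructed configuration string with a short repeating key and then recovers that key using only a fragment of known plaintext (a "crib", such as a field name seen in an earlier sample). The config layout, the crib, the key bytes and the assumed maximum key length are all assumptions made for the example.

```python
"""Recover a repeating XOR key from an obfuscated config blob (added example).

Everything here is constructed for illustration; the config layout, crib,
key and key-length bound are assumptions, not details of the real malware.
"""
from typing import Optional, Tuple

# Constructed plaintext config and key; not taken from any sample.
SAMPLE_CONFIG = b"host=c2.example.invalid;port=8080;retry=30;ua=Mozilla/5.0"
SAMPLE_KEY = bytes([0x5A, 0xA3, 0x17])
# Fragment the analyst is assumed to know (for instance from an earlier sample).
SAMPLE_CRIB = b"host=c2."


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return all(0x20 <= b <= 0x7E or b in b"\t\r\n" for b in data)


def recover_key(blob: bytes, crib: bytes,
                max_key_len: int = 8) -> Optional[Tuple[bytes, bytes]]:
    """Find the shortest repeating key (up to max_key_len) such that the crib
    appears at some offset and the whole decoded blob is printable text.

    Returns (key, plaintext) or None. The crib must be at least as long as the
    key so that every key position is determined by at least one crib byte.
    """
    for klen in range(1, min(max_key_len, len(crib)) + 1):
        for offset in range(len(blob) - len(crib) + 1):
            key = [None] * klen
            consistent = True
            for j, c in enumerate(crib):
                pos = offset + j
                derived = blob[pos] ^ c        # key byte implied by this crib byte
                slot = pos % klen
                if key[slot] is None:
                    key[slot] = derived
                elif key[slot] != derived:     # two crib bytes disagree: wrong guess
                    consistent = False
                    break
            if not consistent:
                continue
            candidate = bytes(key)
            plaintext = xor_repeating(blob, candidate)
            if is_printable_ascii(plaintext):
                return candidate, plaintext
    return None


def parse_config(plaintext: bytes) -> dict:
    """Split 'k=v;k=v' text into a dict (the constructed config format)."""
    fields = {}
    for item in plaintext.decode("ascii").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k] = v
    return fields


def demo() -> dict:
    """Encode the sample config, recover the key from the crib, and parse it."""
    blob = xor_repeating(SAMPLE_CONFIG, SAMPLE_KEY)
    result = recover_key(blob, SAMPLE_CRIB)
    assert result is not None
    key, plaintext = result
    return {"key": key.hex(), "config": parse_config(plaintext)}


if __name__ == "__main__":
    print(demo())
```

The search tries the shortest key length first and accepts a candidate only when every crib byte agrees on the key bytes it implies and the full decode is printable; that second filter is what rejects the accidental matches a short crib would otherwise produce. In practice the crib is whatever the analyst already knows must appear in the config, and the printable check can be swapped for a stricter format check once the layout is understood.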
RondoDox is distributed through a loader-as-a-service infrastructure, packaged alongside Mirai and Morte payloads. CloudSEK researchers discovered the operation through exposed command and control logs over six months, reporting a 230 percent attack spike between July and August 2025.