RondoDox botnet expands arsenal targeting 174 flaws, and hits 15,000 daily exploit attempts

RondoDox botnet targets 174 flaws, reaching 15,000 daily exploit attempts in a more focused and strategic campaign.

The RondoDox botnet is ramping up its attacks, targeting 174 vulnerabilities with up to 15,000 exploitation attempts per day in a more focused and strategic campaign, Bitsight reported.

“We gathered all these exploit attempts (identifiable by indicators like the User-Agent and script name previously mentioned) and identified 174 different vulnerabilities between May 25, 2025 and February 16, 2026,” reads the report published by Bitsight. “From these vulnerabilities we were able to map 148 CVEs, 15 with a public PoC but no CVE, and 11 where we were not able to find any public PoC. In our GitHub (linked at the end of this post) we provide a list with all the CVEs and the exploits used.”

Trend Micro first spotted RondoDox activity on June 15, 2025, exploiting CVE-2023-1389 in TP-Link Archer AX21 routers, a flaw first demonstrated at Pwn2Own 2023 that remains popular with botnets.

In July, FortiGuard Labs first spotted the RondoDox botnet exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, the botnet uses custom libraries and mimics gaming or VPN traffic to evade detection.

In October, Trend Micro reported that the RondoDox botnet was exploiting 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, active globally since June.

In December, CloudSEK researchers warned that the RondoDox botnet is exploiting the critical React2Shell flaw (CVE-2025-55182) to drop malware and cryptominers on vulnerable Next.js servers.

The timeline shows the attackers continuously rotating vulnerabilities, adding and dropping them rather than only expanding their list. The number of distinct vulnerabilities exploited per day grew from low levels to a peak of 49 (October 2025), then stabilized around 40 before sharply declining in early 2026, suggesting a shift toward fewer, more effective exploits. Nearly half of the 174 flaws were used only once, indicating rapid testing and selection. The researchers noted that the activity came in waves: broad testing phases followed by periods in which selected vulnerabilities were used for longer, with a shift in late 2025 toward keeping effective exploits active.

“The most radical change in our observations is in early January 2026, where we went from around 40 observed vulnerabilities down to only two,” continues the report. “One of these vulnerabilities is CVE-2023-46604, which is not very interesting in itself, but the other one is CVE-2025-55182, aka React2Shell, which was disclosed on December 3, 2025 and added by the threat actors on December 6, 2025.”

The analysis shows that the operators quickly adopt newly disclosed vulnerabilities, often within weeks, and in one case even before official publication, thanks to early PoC availability.

This suggests active monitoring of vulnerability research. However, execution is inconsistent: some exploits are incorrectly implemented or incomplete, which reduces their effectiveness. Despite a strong motivation to stay current, the attackers appear to struggle with proper exploit deployment and may be shifting their focus toward fewer, more recent vulnerabilities.
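The report's per-day vulnerability counts, single-use flaws and adoption lag (disclosure to first observed use) described above can be reproduced from exploit-attempt telemetry. The following is an added example, not code from Bitsight or from the article; the records are constructed, with the December 3/6 dates for CVE-2025-55182 taken from the report and "EXPLOIT-NOCVE-001" a placeholder for a flaw with a public PoC but no CVE.

```python
from collections import defaultdict
from datetime import date

# Constructed sample telemetry (not from the Bitsight report): one record per
# observed exploit attempt, as (ISO day, vulnerability id). The attempt would
# normally be attributed to RondoDox first (e.g. by User-Agent and script name).
SAMPLE_ATTEMPTS = [
    ("2025-10-01", "CVE-2023-1389"),
    ("2025-10-01", "CVE-2024-3721"),
    ("2025-10-01", "CVE-2024-12856"),
    ("2025-10-01", "EXPLOIT-NOCVE-001"),   # placeholder: public PoC, no CVE
    ("2025-10-02", "CVE-2023-1389"),
    ("2025-10-02", "CVE-2024-3721"),
    ("2025-12-06", "CVE-2023-46604"),
    ("2025-12-06", "CVE-2025-55182"),      # React2Shell, disclosed 2025-12-03
    ("2026-01-10", "CVE-2023-46604"),
    ("2026-01-10", "CVE-2025-55182"),
]


def distinct_vulns_per_day(attempts):
    """Number of distinct vulnerabilities exploited on each day (the 'peak of 49' metric)."""
    per_day = defaultdict(set)
    for day, vuln in attempts:
        per_day[day].add(vuln)
    return {day: len(vulns) for day, vulns in sorted(per_day.items())}


def days_active_per_vuln(attempts):
    """Number of distinct days on which each vulnerability was seen."""
    days = defaultdict(set)
    for day, vuln in attempts:
        days[vuln].add(day)
    return {vuln: len(d) for vuln, d in days.items()}


def single_use_vulns(attempts):
    """Vulnerabilities seen on only one day: candidates for 'tested once, then dropped'."""
    return sorted(v for v, n in days_active_per_vuln(attempts).items() if n == 1)


def first_seen(attempts):
    """Earliest day each vulnerability appeared in the telemetry."""
    seen = {}
    for day, vuln in sorted(attempts):
        seen.setdefault(vuln, day)
    return seen


def adoption_lag_days(attempts, vuln, disclosed_iso):
    """Days from public disclosure to first observed use; negative means used before disclosure."""
    first = date.fromisoformat(first_seen(attempts)[vuln])
    return (first - date.fromisoformat(disclosed_iso)).days
```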

Bitsight researchers also debunk earlier claims about RondoDox. The supposed “loader-as-a-service” panel is actually a log of POST requests, not attacker infrastructure. Similarly, the alleged P2P C2 claims are unsupported: the cited IPs only hosted payloads and show no peer-to-peer functionality. The analysis confirms that traditional C2 servers are used, highlighting the risk of misleading or unverified threat intelligence.

“The threat landscape keeps changing at a rapid pace, with new threats like RondoDox making themselves notable for how they operate,” concludes the report. “We tried to shed some light on this threat and how it has evolved from an infrastructure perspective, from the initial use of a large amount of vulnerabilities, to a change in methodology that focuses on critical vulnerabilities.”

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)
