RondoDox Botnet Expands Arsenal: 174 Vulnerabilities Under Siege with 15,000 Daily Exploit Attempts
- Mar 18
Key Findings
* RondoDox botnet targeting 174 different vulnerabilities between May 2025 and February 2026
* Daily exploit attempts peaked at 49, stabilized around 40, then sharply declined in early 2026
* Nearly half of exploited flaws used only once, indicating rapid testing and selection
* Quickly adopts newly disclosed vulnerabilities, sometimes within weeks
* Targets diverse device types including routers, DVRs, NVRs, CCTV systems, and web servers
* Demonstrates inconsistent exploit implementation and potential strategic shifts
Background
The RondoDox botnet emerged in 2024 as a sophisticated cyber threat characterized by its adaptive exploitation strategy. First detected by Trend Micro in June 2025 targeting TP-Link Archer AX21 routers, the botnet quickly evolved to exploit a wide range of vulnerabilities across multiple device types and technologies.
Vulnerability Targeting Strategy
The botnet's approach to vulnerability exploitation is notably dynamic. Researchers observed waves of broad testing followed by focused periods of exploitation, with the operators rapidly cycling through potential attack vectors. Of the flaws targeted between May 2025 and February 2026, 148 map to CVEs, 15 are vulnerabilities without a CVE but with a public proof-of-concept, and 11 have no publicly available exploit details.
Technical Characteristics
RondoDox employs custom libraries and traffic mimicry techniques to evade detection, often disguising its communication as gaming or VPN traffic. The botnet demonstrates a capability to quickly integrate newly disclosed vulnerabilities, sometimes adopting them within days of public disclosure.
Operational Patterns
The botnet's activity fluctuates markedly: exploit attempts peaked at 49 in a single day during October 2025, then stabilized before declining. By early 2026, the operators appeared to concentrate on fewer, more critical vulnerabilities, suggesting a deliberate narrowing of their approach.
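The daily-peak, single-use and adoption-speed figures in the Key Findings and Operational Patterns sections are aggregates over exploit-attempt telemetry. As an added illustration, not code from the article or from the researchers it cites, the following Python computes those same metrics over a constructed sample log; the vulnerability ids, dates and the 14-day "fast adoption" window are placeholders chosen for the example.

```python
# Added example, not code from the article or from the researchers it cites.
# Computes the metrics the write-up reports (distinct flaws per day, peak day,
# single-use share, time from disclosure to first observed use) over a
# constructed exploit-attempt log.
from collections import defaultdict
from datetime import date

# Constructed sample records: (day observed, vulnerability id, public disclosure date).
# Ids are placeholders, not real CVE numbers; dates are ISO strings.
SAMPLE_ATTEMPTS = [
    ("2025-10-01", "VULN-0001", "2025-09-20"),
    ("2025-10-01", "VULN-0002", "2024-01-15"),
    ("2025-10-01", "VULN-0003", "2025-03-03"),
    ("2025-10-02", "VULN-0001", "2025-09-20"),
    ("2025-10-02", "VULN-0004", "2025-09-28"),
    ("2025-10-03", "VULN-0001", "2025-09-20"),
    ("2025-10-03", "VULN-0002", "2024-01-15"),
    ("2025-10-03", "VULN-0005", "2023-06-01"),
    ("2025-10-04", "VULN-0001", "2025-09-20"),
    ("2025-10-04", "VULN-0001", "2025-09-20"),  # repeat hit: two attempts, one flaw
]


def attempts_per_day(attempts):
    """Raw request count per day (every record counts, repeats included)."""
    counts = defaultdict(int)
    for day, _vuln, _disclosed in attempts:
        counts[day] += 1
    return dict(counts)


def distinct_per_day(attempts):
    """Number of different vulnerabilities seen per day (repeats collapse)."""
    per_day = defaultdict(set)
    for day, vuln, _disclosed in attempts:
        per_day[day].add(vuln)
    return {day: len(vulns) for day, vulns in per_day.items()}


def peak_day(attempts):
    """(day, count) with the most distinct flaws; the earliest day wins a tie."""
    counts = distinct_per_day(attempts)
    return min(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def single_use_share(attempts):
    """(flaws seen on exactly one day, total flaws): the 'used only once' metric."""
    days_seen = defaultdict(set)
    for day, vuln, _disclosed in attempts:
        days_seen[vuln].add(day)
    singles = sum(1 for days in days_seen.values() if len(days) == 1)
    return singles, len(days_seen)


def days_to_adoption(attempts):
    """Days from public disclosure to the first day the flaw was seen in use."""
    first_seen = {}
    disclosed = {}
    for day, vuln, disc in attempts:
        # ISO date strings sort chronologically, so min() picks the earliest day
        first_seen[vuln] = min(first_seen.get(vuln, day), day)
        disclosed[vuln] = disc
    return {
        v: (date.fromisoformat(first_seen[v]) - date.fromisoformat(disclosed[v])).days
        for v in first_seen
    }


def fast_adoptions(attempts, window_days=14):
    """Flaws first exploited within window_days of disclosure, sorted by id."""
    return sorted(v for v, d in days_to_adoption(attempts).items() if d <= window_days)


if __name__ == "__main__":
    print("attempts/day:", attempts_per_day(SAMPLE_ATTEMPTS))
    print("distinct/day:", distinct_per_day(SAMPLE_ATTEMPTS))
    print("peak:", peak_day(SAMPLE_ATTEMPTS))
    print("single-use (singles, total):", single_use_share(SAMPLE_ATTEMPTS))
    print("fast adoptions (<=14 days):", fast_adoptions(SAMPLE_ATTEMPTS))
```

Keeping raw attempts and distinct flaws as separate counters matters when reading figures like the ones above: a daily peak of 49 and a daily volume of 15,000 can only describe the same botnet if one counts different vulnerabilities and the other counts requests, so telemetry that records only one of the two cannot be compared with either figure.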
Detection and Verification Challenges
Researchers from BitSight noted significant challenges in definitively characterizing the botnet's infrastructure. Claims about a "loader-as-a-service" panel were debunked: what had been presented as attacker infrastructure turned out to be a log of POST requests.
Sources
https://securityaffairs.com/189569/malware/rondodox-botnet-expands-arsenal-targeting-174-flaws-and-hits-15000-daily-exploit-attempts.html
https://x.com/shah_sheikh/status/2033932005973369264
https://x.com/hackplayers/status/2033933901219893376
https://x.com/shah_sheikh/status/2033931953607741801