The Rondodox botnet has expanded its targeting to exploit more than 50 vulnerabilities across more than 30 vendors.
According to Trend Micro, the activity has been described as akin to an “exploit shotgun” approach, encompassing a wide range of Internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices.
The cybersecurity company said it detected the Rondodox intrusion attempt on June 15, 2025, when attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has been repeatedly exploited in the wild since it first surfaced in late 2022.
Rondodox was first documented by Fortinet FortiGuard Labs in July 2025, detailing attacks that exploited TBK digital video recorders (DVRs) and Four-Faith routers to enlist them in a botnet used to launch distributed denial-of-service (DDoS) attacks against specific targets over the HTTP, UDP, and TCP protocols.
Trend Micro said, “Recently, Rondodox has broadened its distribution using a ‘Loader-as-a-Service’ infrastructure, which co-packages Rondodox with Mirai/Morte payloads – making detection and remediation even more urgent.”
Rondodox’s expanded exploit arsenal covers 56 security flaws, 18 of which have no CVE identifier assigned, in products from vendors such as D-Link, TVT, Lilin, FiberHome, Linksys, ByteValue, ASMX, Brickcom, IQrouter, Recon, NeXT, Netgear, Apache, TBK, Totolink, MeteorBridge, Digiserver, Edimax, QNAP, GNU, Dasan, Tenda, LB-Link, Avitech, Zyxel, Hitech Inter, Belkin, Billion and Cisco.
“The latest Rondodox botnet campaign represents a significant evolution in automated network exploitation,” the company said. “This is a clear indication that the campaign is evolving beyond single-device opportunism into multivector loader operations.”
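The "exploit shotgun" behaviour described above has a simple detection signature on the defender's side: one source address probing request paths that belong to several unrelated device families within seconds of each other, something a targeted attacker or a legitimate client rarely does. The script below is an added example written for this page, not Trend Micro's detection logic or any Rondodox code. The path-to-family signature table and the access-log lines are constructed for the example; the paths are illustrative placeholders, not the request paths used by any of the CVEs named in the article.

```python
"""Flag 'exploit shotgun' sources in web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed path-prefix -> device family table. In a real deployment these
# would be your own exploit signatures; here they are illustrative placeholders.
SIGNATURES = {
    "/cgi-bin/router-admin": "router",
    "/dvr/config": "dvr",
    "/nvr/api/": "nvr",
    "/cctv/cmd": "cctv",
    "/webapp/index.php": "web-server",
}

WINDOW = timedelta(seconds=60)   # probes must fall inside this span
MIN_FAMILIES = 3                 # distinct families before we call it a shotgun

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def classify(path):
    """Map a request path to a device family via the signature table (None if no match)."""
    for prefix, family in SIGNATURES.items():
        if path.startswith(prefix):
            return family
    return None


def find_shotgun_sources(lines, window=WINDOW, min_families=MIN_FAMILIES):
    """Return {ip: sorted families} for every source that probes at least
    `min_families` distinct device families inside some `window`-long span."""
    hits = defaultdict(list)  # ip -> [(timestamp, family)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        family = classify(path)
        if family:
            hits[ip].append((ts, family))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Slide the left edge forward until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            families = {fam for _, fam in events[start:end + 1]}
            if len(families) > len(best):
                best = families
        if len(best) >= min_families:
            flagged[ip] = sorted(best)
    return flagged


# Constructed sample log lines (documentation-range addresses, not real traffic).
# 198.51.100.7 sprays four families in five seconds; 203.0.113.9 touches three
# families but half an hour apart; 192.0.2.44 is an ordinary client.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jun/2025:10:00:01 +0000] "GET /cgi-bin/router-admin?x=1 HTTP/1.1" 404 0
198.51.100.7 - - [15/Jun/2025:10:00:02 +0000] "POST /dvr/config HTTP/1.1" 404 0
198.51.100.7 - - [15/Jun/2025:10:00:04 +0000] "GET /nvr/api/status HTTP/1.1" 404 0
198.51.100.7 - - [15/Jun/2025:10:00:05 +0000] "GET /webapp/index.php HTTP/1.1" 200 512
203.0.113.9 - - [15/Jun/2025:10:00:10 +0000] "GET /cgi-bin/router-admin HTTP/1.1" 404 0
203.0.113.9 - - [15/Jun/2025:10:30:10 +0000] "GET /dvr/config HTTP/1.1" 404 0
203.0.113.9 - - [15/Jun/2025:11:00:10 +0000] "GET /nvr/api/status HTTP/1.1" 404 0
192.0.2.44 - - [15/Jun/2025:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    for ip, fams in find_shotgun_sources(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(fams)} device families within {WINDOW.seconds}s: {', '.join(fams)}")
```

Only the first source is flagged: it hits router, DVR, NVR and web-server paths in five seconds, whereas the second spreads the same probes over an hour and never has three families inside the window. The status code is deliberately ignored, since a loader that sprays exploits at a device it does not match will mostly collect 404s, and those 404s are the signal.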
Late last month, CloudSEK disclosed details of a massive Loader-as-a-Service botnet that weaponized weak credentials, unsanitized input, and legacy CVEs to deliver Rondodox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise apps.
The development comes as security journalist Brian Krebs notes that the DDoS botnet known as AISURU is “drawing most of its firepower” from compromised IoT devices hosted on US internet providers like AT&T, Comcast and Verizon. One of the botnet’s operators, Forky, is alleged to be based in Sao Paulo, Brazil, and is also linked to a DDoS mitigation service called BotShield.
In recent months, AISURU has emerged as one of the largest and most disruptive botnets, responsible for some of the record-setting DDoS attacks ever seen. Built on the foundation of Mirai, the botnet controls an estimated 300,000 compromised hosts worldwide.
The findings also follow GreyNoise's discovery of a coordinated botnet operation involving more than 100,000 unique IP addresses from at least 100 countries targeting Remote Desktop Protocol (RDP) services in the US.
The activity is said to have begun on October 8, 2025, with the majority of traffic coming from Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and others.
“The campaign employs two specific attack vectors – RD Web Access timing attacks and RDP Web Client login enumeration – with most participating IPs sharing a similar TCP fingerprint, indicating centralized control,” the threat intelligence firm said.
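The inference in that last sentence, from a shared TCP fingerprint to a single operator, can be reproduced on your own sensor data. Bots driven by one tool on one platform tend to send SYNs with the same initial TTL, window size, MSS and option layout even when their addresses are spread across many networks and countries, so a fingerprint shared by a large, geographically diverse set of sources points to centralized control. The script below is an added example written for this page and is not GreyNoise's tooling or method; the connection records it clusters are constructed for the example, and the field names (and the TTL-normalization rule) are assumptions about what a passive-fingerprinting sensor such as p0f or a Zeek conn log would give you.

```python
"""Cluster RDP login-enumeration sources by passive TCP fingerprint (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    """One observed SYN to the RDP/RD Web endpoint (field set is an assumption)."""
    src_ip: str
    country: str
    ttl: int        # TTL as seen at the sensor, after however many hops
    window: int     # TCP window size advertised in the SYN
    mss: int        # MSS option value
    options: str    # option layout, e.g. "M,S,T,N,W" (MSS, SACK-OK, timestamps, NOP, window scale)


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (64/128/255)
    so that different hop counts to the sensor do not split one tool into many clusters."""
    for base in (64, 128, 255):
        if observed <= base:
            return base
    return observed


def fingerprint(rec):
    """The tuple that stays constant across sources running the same stack/tool."""
    return (initial_ttl(rec.ttl), rec.window, rec.mss, rec.options)


def cluster_by_fingerprint(records, min_ips=5, min_countries=3):
    """Return [(fingerprint, distinct_ip_count, distinct_country_count)], largest first,
    for fingerprints shared by at least `min_ips` sources spread over at least
    `min_countries` countries. Small or single-country clusters are dropped as noise."""
    ips = defaultdict(set)
    countries = defaultdict(set)
    for rec in records:
        fp = fingerprint(rec)
        ips[fp].add(rec.src_ip)
        countries[fp].add(rec.country)
    clusters = [
        (fp, len(ips[fp]), len(countries[fp]))
        for fp in ips
        if len(ips[fp]) >= min_ips and len(countries[fp]) >= min_countries
    ]
    clusters.sort(key=lambda c: c[1], reverse=True)
    return clusters


# Constructed records (documentation-range addresses). Six sources in four
# countries share one fingerprint despite different hop counts; three others
# are unrelated scanners or clients with their own stacks.
SAMPLE_RECORDS = [
    SynRecord("203.0.113.10", "BR", 52, 29200, 1460, "M,S,T,N,W"),
    SynRecord("203.0.113.11", "BR", 49, 29200, 1460, "M,S,T,N,W"),
    SynRecord("198.51.100.20", "AR", 55, 29200, 1460, "M,S,T,N,W"),
    SynRecord("198.51.100.21", "IR", 47, 29200, 1460, "M,S,T,N,W"),
    SynRecord("192.0.2.30", "CN", 51, 29200, 1460, "M,S,T,N,W"),
    SynRecord("192.0.2.31", "CN", 60, 29200, 1460, "M,S,T,N,W"),
    SynRecord("192.0.2.100", "US", 115, 64240, 1460, "M,N,W,N,N,S"),   # Windows-like stack
    SynRecord("192.0.2.101", "DE", 241, 65535, 1380, "M,N,W,N,N,T,S"),  # BSD-like stack
    SynRecord("192.0.2.102", "US", 118, 64240, 1460, "M,N,W,N,N,S"),
]

if __name__ == "__main__":
    for fp, n_ips, n_countries in cluster_by_fingerprint(SAMPLE_RECORDS):
        print(f"fingerprint {fp}: {n_ips} sources across {n_countries} countries")
```

With these inputs one cluster survives: the six sources whose TTLs all normalize to 64 and who share window 29200, MSS 1460 and the same option order. The two Windows-like sources share a fingerprint too, but fall under the size and country thresholds. Fingerprint sharing alone is not proof (a popular cloud image produces the same tuple everywhere), which is why the thresholds matter and why the result should be joined with the behavioural signal the article describes, the RD Web Access timing and login-enumeration pattern, before treating the cluster as one campaign.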