A newly identified botnet, dubbed RondoDox, has rapidly emerged as a significant cybersecurity threat, distinguished by its extensive arsenal of 174 exploits and strategic utilization of residential IP infrastructure. First observed in May 2025, RondoDox has escalated its operations, capable of launching up to 15,000 exploitation attempts daily, demonstrating considerable technical prowess and strategic foresight from its operators.
This sophisticated botnet is rooted in the publicly available code of Mirai, a notorious open-source botnet. However, unlike Mirai, which was designed for both scanning and denial-of-service (DoS) attacks, RondoDox focuses exclusively on DoS attacks. Its operators have significantly expanded its capabilities, amassing a comprehensive exploit toolkit that targets a vast array of internet-connected devices across 18 distinct system architectures, including x86_64, ARM variants, MIPS, and PowerPC.
RondoDox Botnet Leverages Extensive Exploit Collection
Security researchers at Bitsight first alerted the cybersecurity community to RondoDox after detecting a substantial surge in traffic within their honeypot systems. Their investigation revealed that out of the 174 exploits employed by the botnet, 148 are linked to publicly disclosed Common Vulnerabilities and Exposures (CVEs). An additional 15 exploits are associated with public proof-of-concept code but lack a formal CVE designation, while 11 exploits have no publicly available proof-of-concept code at all.
Evidence gathered by researchers suggests that the RondoDox operators are diligently monitoring vulnerability disclosures. Several exploits have been deployed within days of becoming public knowledge. In one notable instance, a vulnerability identified as CVE-2025-62593 was actively exploited before its official CVE designation was published.
Initially, the botnet’s operators adopted a broad approach, simultaneously deploying multiple exploits against a single target in an attempt to find a successful entry point. This “shotgun approach” saw the number of unique vulnerabilities utilized in a single day peak at 49 on October 19, 2025. However, by January 2026, this number had decreased to just two active vulnerabilities, indicating a shift towards a more focused strategy targeting high-value systems rather than a widespread, indiscriminate attack pattern.
The rapid integration of newly revealed flaws, such as CVE-2025-55182 (React2Shell), which was added to the botnet’s exploit list just three days after its public disclosure on December 3, 2025, highlights the proactive and well-resourced nature of this threat. This speed, coupled with the botnet’s scale and persistence, underscores the seriousness with which security teams must treat RondoDox.
Residential IP Infrastructure: A Deceptive Hosting Layer
A particularly concerning aspect of the RondoDox operation is its sophisticated use of compromised residential IP addresses to host its malware payloads. Bitsight tracked 32 IP addresses throughout the observation period, with 16 dedicated to exploitation activities and 16 designated for hosting malicious content.
While the IPs used for exploitation were traced to hosting providers that accept cryptocurrency for payments, the hosting IPs predominantly belonged to regular internet service providers in countries including the United States, Canada, Sweden, China, and Tunisia. Researchers utilized the Groma dataset to identify that four of the eleven identified residential hosting IPs were exposing potentially vulnerable services. These included a UniFi Protect interface, two Control4 smart home systems, and a TCL Android TV web server, strongly suggesting that these compromised home devices are unknowingly serving as the botnet’s infrastructure.
To evade detection, the hosting servers implement a blacklisting mechanism. When they identify a visitor as an analyst, they return a decoy page featuring a background video and a non-functional button, designed to mislead the analyst and block further investigation.
The ongoing evolution of botnets like RondoDox, which leverage widespread vulnerabilities and sophisticated infrastructure, necessitates continuous vigilance from cybersecurity professionals. Organizations are advised to maintain robust patching schedules for internet-facing devices, disable any unnecessary remote access services, and diligently monitor network traffic for suspicious connections.
The indicators of compromise published by Bitsight on their GitHub repository can provide valuable intelligence for threat hunting and defense. The persistent development and adaptation of such botnets indicate that ongoing research and proactive security measures will be crucial in mitigating their impact.
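The "shotgun" pattern described above (one source firing many distinct exploits against a target in a short window) is something defenders can flag in their own IDS or honeypot alerts. The following is an added example, not code from Bitsight or the article; it assumes a hypothetical one-line-per-alert format (`timestamp src=IP sig=NAME`) and uses constructed sample alerts, with the two CVEs named in the article as signature names and labelled placeholders for the rest.

```python
import re
from collections import defaultdict

# Constructed sample alerts (hypothetical IDS format). The two CVE names come
# from the article; PLACEHOLDER-* stand in for other signatures.
SAMPLE_ALERTS = """\
2025-12-06T03:12:01Z src=203.0.113.7 sig=CVE-2025-62593
2025-12-06T03:12:02Z src=203.0.113.7 sig=CVE-2025-55182
2025-12-06T03:12:02Z src=203.0.113.7 sig=PLACEHOLDER-CVE-A
2025-12-06T03:12:03Z src=203.0.113.7 sig=PLACEHOLDER-CVE-B
2025-12-06T03:12:03Z src=203.0.113.7 sig=CVE-2025-62593
2025-12-06T09:40:11Z src=198.51.100.4 sig=CVE-2025-55182
2025-12-06T09:41:30Z src=198.51.100.4 sig=CVE-2025-55182
this line is malformed and must be skipped
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) sig=(?P<sig>\S+)$")


def parse_alerts(text):
    """Yield (day, src, sig) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        day = m.group("ts")[:10]  # ISO date prefix, e.g. 2025-12-06
        yield day, m.group("src"), m.group("sig")


def shotgun_sources(text, min_distinct=3):
    """Return {(src, day): sorted distinct signatures} for every source that
    fired at least `min_distinct` different exploit signatures on one day.
    A single signature repeated many times does not qualify."""
    seen = defaultdict(set)
    for day, src, sig in parse_alerts(text):
        seen[(src, day)].add(sig)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


def daily_unique_vulns(text):
    """Distinct exploit signatures observed per day across all sources,
    the same metric the article reports peaking at 49 for RondoDox."""
    per_day = defaultdict(set)
    for day, _src, sig in parse_alerts(text):
        per_day[day].add(sig)
    return {day: len(sigs) for day, sigs in per_day.items()}


if __name__ == "__main__":
    for (src, day), sigs in shotgun_sources(SAMPLE_ALERTS).items():
        print(f"{day} {src}: {len(sigs)} distinct exploits -> {sigs}")
    print(daily_unique_vulns(SAMPLE_ALERTS))
```

Tracking `daily_unique_vulns` over time also makes the shift the article describes (from 49 unique vulnerabilities a day down to two) visible in your own telemetry.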