The RondoDox botnet has significantly intensified its operations, executing up to 15,000 daily exploit attempts against a library of 174 distinct vulnerabilities. Recent analysis shows the campaign has shifted toward a more strategic approach, targeting a wide range of devices from consumer routers to enterprise servers.
The RondoDox botnet is currently executing a highly aggressive and strategic campaign, reaching a peak of 15,000 daily exploitation attempts across 174 identified vulnerabilities. According to data from Bitsight, researchers tracked these attempts between May 2025 and February 2026, successfully mapping the activity to 148 known CVEs. The campaign also involves various exploits that lack official CVE designations or public proof-of-concept code, suggesting a sophisticated level of development and a broad scope of interest.
The botnet first drew significant attention in mid-2025 when it was observed targeting a specific flaw in TP-Link Archer routers. This particular vulnerability, which gained notoriety during a 2023 hacking competition, remains a favorite for botnet operators due to the large number of unpatched consumer devices still in use. This early activity established RondoDox as a persistent threat to network hardware, setting the stage for the massive expansion in its target list discovered in subsequent months.
As the campaign progressed through the summers of 2024 and 2025, security firms noted that RondoDox began employing advanced evasion techniques to avoid detection. The botnet started using custom software libraries and masking its command-and-control communications by mimicking legitimate gaming or VPN traffic. This tactical shift allowed the malware to maintain a foothold on infected systems while researchers identified dozens of new flaws being exploited across a diverse array of hardware, including digital video recorders and closed-circuit television systems.
By the end of 2025, the botnet had evolved from focusing primarily on internet-of-things devices to targeting more robust infrastructure. Reports indicated that RondoDox was actively exploiting the critical vulnerability known as React2Shell to compromise Next.js servers. Once these servers are breached, the botnet typically deploys additional malware or cryptominers, leveraging the high processing power of web servers for financial gain while expanding its overall reach across the global internet.
The current scale of RondoDox highlights a coordinated effort to weaponize both old and new vulnerabilities on a global scale. With activity spanning across more than 30 different device types and thousands of daily hits, the botnet represents a versatile threat to both individuals and organizations. Security professionals continue to monitor the group’s GitHub-hosted exploit lists and evolving tactics as they work to mitigate the impact of this increasingly focused and disciplined cyber threat.
Source: https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis