RondoDox Botnet Exploits 50+ Vulnerabilities from 30 Vendors in Ongoing Attacks

Cybersecurity researchers have uncovered an ongoing wave of RondoDox botnet campaigns that now exploit more than 50 security vulnerabilities affecting over 30 technology vendors.

Trend Micro described this campaign as an “exploit shotgun” strategy, in which attackers target a broad spectrum of internet-exposed infrastructure, including routers, DVRs, NVRs, CCTV systems, web servers, and other network-connected devices.

Expanding Exploitation Activity

According to Trend Micro, a RondoDox intrusion attempt was detected on June 15, 2025, involving the exploitation of CVE-2023-1389, a known TP-Link Archer router vulnerability. This flaw has been under active attack since its public disclosure in late 2022.

Fortinet FortiGuard Labs first analyzed the botnet in July 2025, reporting that RondoDox targeted TBK digital video recorders (DVRs) and Four-Faith routers to conscript them into a DDoS network. The infected devices were used to conduct distributed denial-of-service attacks over HTTP, UDP, and TCP.

Loader-as-a-Service Infrastructure

Trend Micro noted that the botnet has evolved by adopting a loader-as-a-service (LaaS) framework, which bundles RondoDox with Mirai and Morte payloads. This allows threat actors to distribute multiple malware families simultaneously, making detection and mitigation more difficult.

The new RondoDox campaign includes 56 distinct vulnerabilities, with 18 lacking official CVE identifiers. Vendors affected include D-Link, Linksys, NETGEAR, Cisco, TBK, QNAP, Tenda, Apache, TOTOLINK, and Zyxel, among others.

Trend Micro highlighted that this development marks a transition from isolated device exploitation toward a multivector loader operation, signaling a significant shift in automation and attack sophistication.

Large-Scale Botnet Distribution

In a related discovery, CloudSEK reported a large-scale loader-as-a-service botnet distributing RondoDox, Mirai, and Morte malware through SOHO routers, IoT devices, and enterprise applications. Attackers exploit weak passwords, outdated CVEs, and unsanitized inputs to infiltrate systems.

Meanwhile, security journalist Brian Krebs noted that another DDoS botnet, AISURU, is drawing most of its attack power from compromised IoT devices hosted on U.S. internet providers such as AT&T, Comcast, and Verizon. One of the alleged operators, known as Forky, is believed to reside in São Paulo, Brazil, and is linked to a DDoS mitigation service called Botshield.

Global DDoS Operations

AISURU has emerged as one of the largest and most destructive botnets ever recorded, commanding over 300,000 compromised devices worldwide. Built on Mirai’s framework, it has been linked to several high-volume DDoS attacks.

Separately, GreyNoise identified a coordinated botnet campaign involving over 100,000 unique IPs from 100 countries targeting Remote Desktop Protocol (RDP) services in the United States. The operation reportedly began on October 8, 2025, with significant traffic originating from Brazil, Argentina, Iran, China, Mexico, Russia, and South Africa.

GreyNoise explained that the attackers are using RD Web Access timing attacks and RDP web client login enumeration, with many IPs sharing identical TCP fingerprints, suggesting centralized botnet control.
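The "identical TCP fingerprints across many IPs" signal GreyNoise describes is straightforward to check on the defender's side. The following is an added example, not code from the article or from GreyNoise: it runs over a constructed sensor log (the log format, the `tcp_fp` field and the fingerprint strings are assumptions) and flags any fingerprint presented by several distinct source IPs, while ignoring a single IP that merely retries.

```python
import re
from collections import defaultdict

# Constructed sample sensor log (not from the article). Each line is one
# request to the RD Web Access login page, tagged with the passive TCP
# fingerprint the sensor derived from the client's SYN packet (assumed format).
SAMPLE_LOG = """\
2025-10-09T01:12:03Z src=203.0.113.10 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:65535,ttl:64,opts:M1460-S-T-W7
2025-10-09T01:12:04Z src=203.0.113.11 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:65535,ttl:64,opts:M1460-S-T-W7
2025-10-09T01:12:04Z src=198.51.100.7 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:65535,ttl:64,opts:M1460-S-T-W7
2025-10-09T01:12:05Z src=192.0.2.44 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:65535,ttl:64,opts:M1460-S-T-W7
2025-10-09T01:12:06Z src=192.0.2.9 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:64240,ttl:128,opts:M1460-N-W8-N-N-S
2025-10-09T01:12:07Z src=192.0.2.9 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:64240,ttl:128,opts:M1460-N-W8-N-N-S
2025-10-09T01:12:08Z src=192.0.2.9 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:64240,ttl:128,opts:M1460-N-W8-N-N-S
2025-10-09T01:12:09Z src=198.51.100.20 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:29200,ttl:64,opts:M1460-S-T-W7
2025-10-09T01:12:10Z src=198.51.100.21 path=/RDWeb/Pages/en-US/login.aspx tcp_fp=ws:29200,ttl:64,opts:M1460-S-T-W7
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) path=(?P<path>\S+) tcp_fp=(?P<fp>\S+)")

def parse_log(text):
    """Return (src_ip, path, tcp_fingerprint) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m.group("src"), m.group("path"), m.group("fp")))
    return records

def cluster_by_fingerprint(records):
    """Map each TCP fingerprint to the set of distinct source IPs that presented it."""
    clusters = defaultdict(set)
    for src, _path, fp in records:
        clusters[fp].add(src)
    return clusters

def flag_coordinated(clusters, min_ips=3):
    """Return [(fingerprint, distinct_ip_count)] for fingerprints shared by at least
    min_ips distinct sources, largest cluster first. Many IPs with one identical
    stack fingerprint is the centralized-control signal; one IP retrying is not."""
    hits = [(fp, len(ips)) for fp, ips in clusters.items() if len(ips) >= min_ips]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for fp, n in flag_coordinated(cluster_by_fingerprint(parse_log(SAMPLE_LOG))):
        print(f"{n} distinct IPs share fingerprint {fp}")
```

On the sample, only the fingerprint shared by four distinct IPs is flagged at the default threshold; the single IP that retries three times with its own fingerprint is not.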