RondoDox

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to intrusion sets

· Published 21/12/2025 18:21 · Modified 16/03/2026 10:51 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 21/12/2025 18:21
Modified: 16/03/2026 10:51
Updated at: 16/03/2026 10:51
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 5 reports, 42 attack patterns (mitre), 4 malware, 2 sectors, 1 countries, 100 indicators, 66 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (5)

RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities

12 CVEs 16 MITREs 2 Malwares 29 Observables 1 APT
RondoDoX Botnet Weaponizes React2Shell

5 MITREs 7 Observables 1 APT
Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

23 CVEs 20 MITREs 2 Malwares 26 Observables 1 APT
RondoDox v2: Evolution of RondoDox Botnet with 650% …

35 CVEs 1 Malware 20 Observables 1 APT
From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits

15 MITREs 3 Malwares 71 Observables 1 APT

Attack patterns (MITRE) (42)

T1498 uses

Network Denial of Service MITRE
T1021 uses

Remote Services MITRE
T1571 uses

Non-Standard Port MITRE
T1569.001 uses

Launchctl MITRE
T1574 uses

Hijack Execution Flow MITRE
T1070 uses

Indicator Removal MITRE
T1021.001 uses

Remote Desktop Protocol MITRE
T1110 uses

Brute Force MITRE
T1068 uses

Exploitation for Privilege Escalation MITRE
T1562 uses

Impair Defenses MITRE
T1102 uses

Web Service MITRE
T1105 uses

Ingress Tool Transfer MITRE

← Previous

Page / 4

1–12 of 42

RondoDox uses

Family
XMRig uses

Family
Mirai uses

Family
Morte uses

Family

Sectors (2)

Telecommunications targets
Technology targets

Countries (1)

New Zealand targets

Indicators (100)

45.125.66.100 indicates

stix 100/100 Revoked

· Valid until 04/04/2026 · Source: AlienVault
f0a73797caa35d4d62a23358fa8102d6c434cfc5177623d5dfd2a3efaff66aae indicates

stix 100/100

· Valid until 22/11/2026 · Source: AlienVault
bfde10dfc3aa82e605021372817fa24fda7e00f51726097d65b57d531640c05a indicates

stix 100/100

· Valid until 22/09/2026 · Source: AlienVault
http://83.252.42.112/rondo.arc700 indicates

stix 100/100 Revoked

· Valid until 26/11/2025 · Source: AlienVault
http://83.252.42.112/rondo.armv6l indicates

stix 100/100 Revoked

· Valid until 26/11/2025 · Source: AlienVault
3852442d56b08eabb8060f6b72234ff0a5400b89dddf31560b2dc5d8b16c29fa indicates

stix 100/100

· Valid until 22/11/2026 · Source: AlienVault
c987e85b19c6462b06615a61998618c0e7d22ac5e38034e53ef0e34bd452464d indicates

stix 100/100

· Valid until 22/11/2026 · Source: AlienVault
192.253.248.5 indicates

stix 100/100 Revoked

· Valid until 04/04/2026 · Source: AlienVault
http://74.194.191.52/rondo.fbsdpowerpc indicates

stix 100/100 Revoked

· Valid until 26/11/2025 · Source: AlienVault
41.231.37.153 indicates

stix 100/100 Revoked

· Valid until 21/02/2026 · Source: AlienVault
http://74.194.191.52/rondo.powerpc-440fp indicates

stix 100/100 Revoked

· Valid until 09/12/2025 · Source: AlienVault
http://74.194.191.52/rondo.sparc indicates

stix 100/100 Revoked

· Valid until 09/12/2025 · Source: AlienVault

← Previous

Page / 9

1–12 of 100

Vulnerabilities (CVE) (66)

CVE-2014-1635 targets

10.0 Critical

Buffer overflow in login.cgi in MiniHttpd in Belkin N750 Router with firmware before F9K1103_WW_1.10.17m allows remote attackers to execute arbitrary code via …

Published: 12/11/2014
Modified: 07/05/2026

CWE-119

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2022-22947 KEV targets

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Published: 16/05/2022
Modified: 20/12/2025

CVE-2017-18369 targets

Published: 20/12/2025
Modified: 21/12/2025

CVE-2023-1381 targets

8.8 High

The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading …

Attack vector: NETWORK
Published: 10/04/2023
Modified: 21/12/2025

CVE-2025-34037 targets

10.0 Critical

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on …

Published: 24/06/2025
Modified: 20/03/2026

CWE-78 Received

CVE-2025-62593 targets

9.4 Critical

Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via …

Published: 16/03/2026
Modified: 16/03/2026

Awaiting Analysis

CVE-2023-1389 KEV targets

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2023-25280 KEV targets

9.8 Critical

D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a …

Attack vector: Network
Published: 30/09/2024
Modified: 21/12/2025

CVE-2020-8958 targets

7.2 High

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via …

Attack vector: NETWORK
Published: 15/07/2020
Modified: 21/12/2025

CVE-2024-7029 targets

8.8 High

Commands can be injected over the network and executed without authentication.

Attack vector: NETWORK
Published: 02/08/2024
Modified: 21/12/2025

Received

CVE-2025-34043 targets

10.0 Critical

A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi …

Published: 20/12/2025
Modified: 21/12/2025

Awaiting Analysis

← Previous

Page / 6

1–12 of 66

Contact About Legal notice Privacy policy Terms of use

RondoDox

Essential information

Description

Marking (TLP)

Related entities

Reports (5)

Attack patterns (MITRE) (42)

Malware (4)

Sectors (2)

Countries (1)

Indicators (100)

Vulnerabilities (CVE) (66)