RondoDox
Essential information
- Confidence
- 100/100
- Published
- 21/12/2025 18:21
- Modified
- 16/03/2026 10:51
- Updated at
- 16/03/2026 10:51
- Revoked
- No
- Author / Source
- AlienVault
- Resource level
- —
- Primary motivation
- —
- Related entities
- 5 reports, 42 attack patterns (mitre), 4 malware, 2 sectors, 1 countries, 100 indicators, 66 vulnerabilities (cve)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
-
12 CVEs 16 MITREs 2 Malwares 29 Observables 1 APT
-
5 MITREs 7 Observables 1 APT
-
23 CVEs 20 MITREs 2 Malwares 26 Observables 1 APT
-
35 CVEs 1 Malware 20 Observables 1 APT
-
15 MITREs 3 Malwares 71 Observables 1 APT
Attack patterns (MITRE) (42)
-
T1595 usesActive Scanning MITRE
-
T1213 usesData from Information Repositories MITRE
-
T1210 usesExploitation of Remote Services MITRE
-
T1611 usesEscape to Host MITRE
-
T1569 usesSystem Services MITRE
-
T1546 usesEvent Triggered Execution MITRE
-
T1106 usesNative API MITRE
-
T1083 usesFile and Directory Discovery MITRE
-
T1133 usesExternal Remote Services MITRE
-
T1078 usesValid Accounts MITRE
-
T1027 usesObfuscated Files or Information MITRE
-
T1496 usesResource Hijacking MITRE
Malware (4)
-
RondoDox usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
XMRig usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mirai usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Morte usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (2)
-
Telecommunications targets
-
Technology targets
Countries (1)
-
New Zealand targets
Indicators (100)
-
stix 100/100· Valid until 22/11/2026 · Source: AlienVault
-
stix 100/100· Valid until 22/09/2026 · Source: AlienVault
-
http://83.252.42.112/rondo.arc700indicatesstix 100/100 Revoked· Valid until 26/11/2025 · Source: AlienVault -
http://83.252.42.112/rondo.armv6lindicatesstix 100/100 Revoked· Valid until 26/11/2025 · Source: AlienVault -
stix 100/100· Valid until 22/11/2026 · Source: AlienVault
-
stix 100/100· Valid until 22/11/2026 · Source: AlienVault
-
http://74.194.191.52/rondo.fbsdpowerpcindicatesstix 100/100 Revoked· Valid until 26/11/2025 · Source: AlienVault -
http://74.194.191.52/rondo.powerpc-440fpindicatesstix 100/100 Revoked· Valid until 09/12/2025 · Source: AlienVault -
http://74.194.191.52/rondo.sparcindicatesstix 100/100 Revoked· Valid until 09/12/2025 · Source: AlienVault
Vulnerabilities (CVE) (66)
Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. …
- Attack vector
- NETWORK
- Published
- 19/09/2025
- Modified
- 16/03/2026
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco …
- Attack vector
- NETWORK
- Published
- 28/02/2019
- Modified
- 21/12/2025
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
- Published
- 03/11/2021
- Modified
- 20/12/2025
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …
- Attack vector
- NETWORK
- Published
- 13/04/2024
- Modified
- 21/12/2025
There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php.
- Attack vector
- NETWORK
- Published
- 06/02/2023
- Modified
- 21/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands …
- Attack vector
- Network
- Published
- 10/01/2025
- Modified
- 21/12/2025
NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 14/12/2016
- Modified
- 22/04/2026
A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. …
- Attack vector
- NETWORK
- Published
- 03/06/2025
- Modified
- 21/12/2025
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …
- Attack vector
- NETWORK
- Published
- 06/11/2024
- Modified
- 21/12/2025
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
- Published
- 31/03/2022
- Modified
- 20/12/2025
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …
- Published
- 03/11/2021
- Modified
- 20/12/2025