RondoDox
Essential information
- Confidence
- 100/100
- Published
- 21/12/2025 18:21
- Modified
- 16/03/2026 10:51
- Updated at
- 16/03/2026 10:51
- Revoked
- No
- Author / Source
- AlienVault
- Resource level
- —
- Primary motivation
- —
- Related entities
- 5 reports, 42 attack patterns (mitre), 4 malware, 2 sectors, 1 countries, 100 indicators, 66 vulnerabilities (cve)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
-
12 CVEs 16 MITREs 2 Malwares 29 Observables 1 APT
-
5 MITREs 7 Observables 1 APT
-
23 CVEs 20 MITREs 2 Malwares 26 Observables 1 APT
-
35 CVEs 1 Malware 20 Observables 1 APT
-
15 MITREs 3 Malwares 71 Observables 1 APT
Attack patterns (MITRE) (42)
-
T1595 usesActive Scanning MITRE
-
T1213 usesData from Information Repositories MITRE
-
T1210 usesExploitation of Remote Services MITRE
-
T1611 usesEscape to Host MITRE
-
T1569 usesSystem Services MITRE
-
T1546 usesEvent Triggered Execution MITRE
-
T1106 usesNative API MITRE
-
T1083 usesFile and Directory Discovery MITRE
-
T1133 usesExternal Remote Services MITRE
-
T1078 usesValid Accounts MITRE
-
T1027 usesObfuscated Files or Information MITRE
-
T1496 usesResource Hijacking MITRE
Malware (4)
-
RondoDox usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
XMRig usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mirai usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Morte usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (2)
-
Telecommunications targets
-
Technology targets
Countries (1)
-
New Zealand targets
Indicators (100)
-
stix 100/100· Valid until 22/11/2026 · Source: AlienVault
-
stix 100/100· Valid until 22/09/2026 · Source: AlienVault
-
http://83.252.42.112/rondo.arc700indicatesstix 100/100 Revoked· Valid until 26/11/2025 · Source: AlienVault -
http://83.252.42.112/rondo.armv6lindicatesstix 100/100 Revoked· Valid until 26/11/2025 · Source: AlienVault -
stix 100/100· Valid until 22/11/2026 · Source: AlienVault
-
stix 100/100· Valid until 22/11/2026 · Source: AlienVault
-
http://74.194.191.52/rondo.fbsdpowerpcindicatesstix 100/100 Revoked· Valid until 26/11/2025 · Source: AlienVault -
http://74.194.191.52/rondo.powerpc-440fpindicatesstix 100/100 Revoked· Valid until 09/12/2025 · Source: AlienVault -
http://74.194.191.52/rondo.sparcindicatesstix 100/100 Revoked· Valid until 09/12/2025 · Source: AlienVault
Vulnerabilities (CVE) (66)
Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 19/10/2017
- Modified
- 22/04/2026
Command Execution vulnerability in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via …
- Attack vector
- NETWORK
- Published
- 14/09/2023
- Modified
- 21/12/2025
Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code …
- Attack vector
- Network
- Published
- 14/05/2025
- Modified
- 14/01/2026
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …
- Attack vector
- Network
- Published
- 03/11/2021
- Modified
- 18/02/2026
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to …
- Attack vector
- Network
- Published
- 10/06/2025
- Modified
- 21/12/2025
D-Link DNS-320 device contains a command injection vulnerability in the sytem_mgr.cgi component that may allow for remote code execution.
- Published
- 03/11/2021
- Modified
- 20/12/2025
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, …
- Attack vector
- ADJACENT_NETWORK
- Published
- 12/02/2021
- Modified
- 21/12/2025
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
- Attack vector
- NETWORK
- Published
- 30/08/2022
- Modified
- 21/12/2025
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 …
- Attack vector
- NETWORK
- Published
- 27/05/2025
- Modified
- 16/03/2026
D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
- Attack vector
- Adjacent
- Complexity
- LOW
- Published
- 23/02/2015
- Modified
- 22/04/2026
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 …
- Attack vector
- NETWORK
- Published
- 27/12/2024
- Modified
- 21/12/2025
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …
- Attack vector
- NETWORK
- Published
- 14/04/2022
- Modified
- 21/12/2025