{ "name": "RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities", "slug": "rondodox-botnet-from-zero-to-174-exploited-vulnerabilities", "description": "The RondoDox botnet has emerged as a significant threat, exploiting 174 different vulnerabilities since May 2025. It primarily targets IoT devices and internet-exposed services for DoS attacks. The botnet's infrastructure includes exploiting and hosting components, with evidence suggesting the use of compromised residential IPs. RondoDox's operators have shown a rapid adoption of newly disclosed vulnerabilities, sometimes exploiting them within days of publication. The botnet's evolution includes a shift from a shotgun approach using numerous exploits to a more focused strategy targeting recent, critical vulnerabilities. The malware shares similarities with Mirai but focuses solely on DoS attacks. This threat highlights the importance of exposure management in cybersecurity.", "published": "2026-03-11T14:49:33+00:00", "created_at": "2026-03-11T14:49:33+00:00", "modified_at": "2026-03-16T08:52:23+00:00", "created_at_opencti": "2026-03-11T14:49:33+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2026-03-11", "botnet", "ddos", "iot", "rondodox", "vulnerability exploitation", "xmrig" ], "related_entities": { "observables": [ { "id": "", "name": "45.8.145.203" }, { "id": "", "name": "192.253.248.5" }, { "id": "", "name": "192.183.232.142" }, { "id": "", "name": "45.135.194.32" }, { "id": "", "name": "45.135.194.34" }, { "id": "", "name": "192.159.99.95" }, { "id": "", "name": "45.135.194.11" }, { "id": "", "name": "99.241.94.234" }, { "id": "", "name": "78.153.149.90" }, { "id": "", "name": "45.125.66.100" }, { "id": "", "name": "23.228.188.126" }, { "id": "", "name": "45.153.34.156" }, { "id": "", "name": "74.194.191.52" }, { "id": "", "name": "41.231.37.153" }, { "id": "", "name": "154.91.254.95" }, { "id": "", "name": "87.121.84.31" }, { "id": "", "name": "70.184.13.47" }, { "id": "", "name": "14.103.145.202" }, { "id": "", "name": "38.59.219.27" }, { "id": "", "name": "169.255.72.169" }, { "id": "", "name": "37.32.15.8" }, { "id": "", "name": "87.121.84.75" }, { "id": "", "name": "87.121.84.132" }, { "id": "", "name": "14.103.145.211" }, { "id": "", "name": "83.252.42.112" }, { "id": "", "name": "45.156.87.165" }, { "id": "", "name": "83.150.218.93" }, { "id": "", "name": "ce6375a4077edaf2f83847e3cefd8eb9535da249806d3214b22a0d50891c7b4c" }, { "id": "", "name": "691e4ec280aaff33270f33a9bb48a3fc38e2bd91c7359e687e3f0bd682f20b54" } ], "malware": [ { "id": "legacy:malware:a7e1a2d6a1cfd5a9", "name": "RondoDox", "slug": "rondodox" }, { "id": "legacy:malware:83adebc6ef4eb478", "name": "XMRig", "slug": "xmrig" } ], "intrusion_sets": [ { "id": "d492cc74-cb84-4bb2-9620-1ac81822dba6", "name": "RondoDox", "slug": "rondodox" } ], "attack_patterns": [ { "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067", "name": "T1047" }, { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "6a146066-5a78-493c-a26a-133b62c1149e", "name": "T1588.002" }, { "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd", "name": "T1498" }, { "id": "008c8199-2c07-4b4e-9ca3-914a56d05823", "name": "T1569.001" }, { "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee", "name": "T1571" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "6d618903-d9f6-4747-aec2-7630f43c1908", "name": "T1496" }, { "id": "a2ba5594-6293-4868-928c-ab4b31927a02", "name": "T1572" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "2e0c6db7-16a7-4bf6-992e-263474014fce", "name": "T1059.004" }, { "id": "29f7ff93-033b-4f8d-8691-5bcaa438c80f", "name": "T1592" }, { "id": "d570881a-1f73-41ca-ad6c-fc29256c76f9", "name": "T1595" }, { "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d", "name": "T1102" }, { "id": "195d9773-4de3-4f61-b94d-a2b53cb65608", "name": "T1021.001" } ], "vulnerabilities": [ { "id": "", "name": "CVE-2025-37164" }, { "id": "", "name": "CVE-2025-47812" }, { "id": "", "name": "CVE-2025-24016" }, { "id": "", "name": "CVE-2025-52089" }, { "id": "", "name": "CVE-2025-32756" }, { "id": "", "name": "CVE-2025-48827" }, { "id": "", "name": "CVE-2025-57296" }, { "id": "", "name": "CVE-2025-20281" }, { "id": "", "name": "CVE-2023-46604" }, { "id": "", "name": "CVE-2025-55182" }, { "id": "", "name": "CVE-2025-62593" }, { "id": "", "name": "CVE-2025-24893" } ], "others": [ { "id": "", "name": "x1337.cc" } ] }, "external_refs": [ "https://www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis", "https://otx.alienvault.com/pulse/69b18f0dc8f031c3594cfcc9" ] }