Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack reports

Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

· Published 26/11/2025 09:54 · Modified 21/12/2025 18:05

Share: LinkedIn Facebook Mastodon X

Export JSON

Essential information

Published: 26/11/2025 09:54
Modified: 21/12/2025 18:05
Tags: 2025-11-26 CVE-2013-1599 CVE-2014-3206 CVE-2020-10987 CVE-2020-9054 CVE-2022-36553 CVE-2022-40619 CVE-2023-1389 CVE-2023-23333 CVE-2023-41011 CVE-2024-10914 CVE-2024-3721 CVE-2025-34043 CVE-2025-4008 CVE-2025-9528 botnet command injection iot mirai mirai variant multi-platform residential infrastructure rondodox shell script
Related entities: 23 vulnerabilities (cve), 26 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware

Description

A new threat actor is distributing the RondoDox malware, a variant of Mirai, targeting IoT devices. The actor uses residential IP addresses for distribution and employs over a dozen exploits to target various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable security measures, remove competing malware, and download architecture-specific second-stage binaries. The campaign has been active since July 2025, with consistent use of a handful of distribution points. The actor targets home routers and other IoT devices using multiple CVEs and generic command injection attempts.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (23)

CVE-2020-9054 KEV

Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary …

Published: 25/03/2022
Modified: 21/12/2025

CVE-2025-31324 KEV

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2022-40619

7.7 High

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of …

Attack vector: NETWORK
Published: 20/12/2025
Modified: 09/03/2026

Awaiting Analysis

CVE-2023-23333

9.8 Critical

There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php.

Attack vector: NETWORK
Published: 06/02/2023
Modified: 21/12/2025

CVE-2025-4008 KEV

9.4 Critical

The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application …

Attack vector: Adjacent
Published: 02/10/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-1381

8.8 High

The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading …

Attack vector: NETWORK
Published: 10/04/2023
Modified: 21/12/2025

CVE-2020-10987 KEV

Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2013-1599

9.8 Critical

A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …

Attack vector: NETWORK
Published: 28/01/2020
Modified: 21/12/2025

CVE-2022-42475 KEV

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2017-9841 KEV

9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector: NETWORK
Complexity: LOW
Published: 27/06/2017
Modified: 22/04/2026

CWE-94

CVE-2019-9082 KEV

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2023-41011

9.8 Critical

Command Execution vulnerability in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via …

Attack vector: NETWORK
Published: 14/09/2023
Modified: 21/12/2025

CVE-2025-34043

10.0 Critical

A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi …

Published: 20/12/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-4577 KEV

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2020-8958

7.2 High

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via …

Attack vector: NETWORK
Published: 15/07/2020
Modified: 21/12/2025

CVE-2022-36553

9.8 Critical

Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.

Attack vector: NETWORK
Published: 30/08/2022
Modified: 21/12/2025

CVE-2025-9528

5.1 Medium

A vulnerability was determined in Linksys E1700 1.0.0.4.003. This vulnerability affects the function systemCommand of the file /goform/systemCommand. Executing manipulation of the …

Attack vector: Network
Complexity: Low
Published: 27/08/2025
Modified: 29/04/2026

CWE-77 Received

CVE-2014-3206

Published: 20/12/2025
Modified: 21/12/2025

CVE-2023-1389 KEV

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2024-10914

8.1 High

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …

Attack vector: NETWORK
Published: 06/11/2024
Modified: 21/12/2025

Modified

CVE-2022-22947 KEV

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Published: 16/05/2022
Modified: 20/12/2025

CVE-2022-24847

7.2 High

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …

Attack vector: NETWORK
Published: 14/04/2022
Modified: 21/12/2025

CVE-2024-3721

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

Observables (26)

192.183.232.142
74.194.191.52
38.59.219.27
83.252.42.112
http://74.194.191.52/rondo.mips||curl
http://74.194.191.52/rondo.mips||busybox
http://74.194.191.52/rondo.mips
[email protected]
8634f53097f511dd1b7c253a0fbc4bc468e3ee38abd0490a39dd92edaee905de
a65e3438103d31ccb213083b2b6ef40b558580b4246251b558fc68e6a2a2ba92
2af74246497c671cc9976cd9919fdc4beaa459e9b4b30a42f561b45919da950b
470a74b888617299820acbe2daf03001eca7dc64a7002cd00beb163b3663187e
c789f239a9cf039752e3926ee3b4387b3f6a1f6657531277caebf90685b018a2
df9f756f355d1122e46ce12bb84553c89cdab71c6402a257b78bc768578f51c7
c987e85b19c6462b06615a61998618c0e7d22ac5e38034e53ef0e34bd452464d
f11ede0c682e818357943a166239867a19b0c1d321e84213e28e21beb2c49c87
f0a73797caa35d4d62a23358fa8102d6c434cfc5177623d5dfd2a3efaff66aae
3852442d56b08eabb8060f6b72234ff0a5400b89dddf31560b2dc5d8b16c29fa
e683864f4016b24b164ebaa5d900963b730a1df45bcbf9fa947b644d673dbc21
69a17194dba061f56ec3a23debfa1d3fdee7dd92789af17038387b294093aa5d
17be568b6b2acb3b237c6dc81b3692976bb83eea76a7a26fd405805d34901016
3a4afea2c16905816b922229dc5d03311d58c470fa4580dcd9248302bcdfbdc4
81200976b8717c340041eee6ff051e1a87f8f73d86a9e17465b34be4c9488839
032d7b946259add6db097d3ee4375caffe2c7dcf7da81e72c32eaa24b3bde164
5cbe0f93c03b04b6100545448fee6db2a032a7cb13be45421d4ab377d1f88bf6
cf7a5027a0e562b7749c8025c0394bc3c3208b7b5ce070dcd15787450332efa8

Intrusion sets (APT) (1)

RondoDox

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:21 · Modified 16/03/2026 10:51

Techniques (MITRE) (20)

T1057

Process Discovery
T1213

Data from Information Repositories
T1078

Valid Accounts
T1498

Network Denial of Service
T1110

Brute Force
T1036

Masquerading
T1070

Indicator Removal
T1068

Exploitation for Privilege Escalation
T1562

Impair Defenses
T1027

Obfuscated Files or Information
T1569

System Services
T1190

Exploit Public-Facing Application
T1105

Ingress Tool Transfer
T1546

Event Triggered Execution
T1059

Command and Scripting Interpreter
T1133

External Remote Services
T1102

Web Service
T1021

Remote Services
T1082

System Information Discovery
T1041

Exfiltration Over C2 Channel

Malware (2)

Mirai

Family

Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
RondoDox

Family

Published 21/05/2026 23:03 · Modified 21/05/2026 23:03

External references

https://otx.alienvault.com/pulse/6926ce4acf381a3fb07c9efb
https://www.f5.com/labs/articles/tracking-rondodox-malware-exploiting-many-iot-vulnerabilities

Contact About Legal notice Privacy policy Terms of use