{
  "name": "Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities",
  "slug": "tracking-rondodox-malware-exploiting-many-iot-vulnerabilities",
  "description": "A new threat actor is distributing the RondoDox malware, a Mirai variant that targets IoT devices. The actor distributes it from residential IP addresses and employs over a dozen exploits against various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable security measures, remove competing malware, and download architecture-specific second-stage binaries. The campaign has been active since July 2025, with consistent use of a handful of distribution points. The actor targets home routers and other IoT devices using multiple CVEs and generic command injection attempts.",
  "published": "2025-11-26T08:54:18+00:00",
  "created_at": "2025-11-26T08:54:18+00:00",
  "modified_at": "2025-12-21T17:05:50+00:00",
  "created_at_opencti": "2025-11-26T08:54:18+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-26",
    "CVE-2013-1599",
    "CVE-2014-3206",
    "CVE-2020-10987",
    "CVE-2020-9054",
    "CVE-2022-36553",
    "CVE-2022-40619",
    "CVE-2023-1389",
    "CVE-2023-23333",
    "CVE-2023-41011",
    "CVE-2024-10914",
    "CVE-2024-3721",
    "CVE-2025-34043",
    "CVE-2025-4008",
    "CVE-2025-9528",
    "botnet",
    "command injection",
    "iot",
    "mirai",
    "mirai variant",
    "multi-platform",
    "residential infrastructure",
    "rondodox",
    "shell script"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "192.183.232.142"
      },
      {
        "id": "",
        "name": "74.194.191.52"
      },
      {
        "id": "",
        "name": "38.59.219.27"
      },
      {
        "id": "",
        "name": "83.252.42.112"
      },
      {
        "id": "",
        "name": "http://74.194.191.52/rondo.mips||curl"
      },
      {
        "id": "",
        "name": "http://74.194.191.52/rondo.mips||busybox"
      },
      {
        "id": "",
        "name": "http://74.194.191.52/rondo.mips"
      },
      {
        "id": "",
        "name": "bang2012@tutanota.de"
      },
      {
        "id": "",
        "name": "8634f53097f511dd1b7c253a0fbc4bc468e3ee38abd0490a39dd92edaee905de"
      },
      {
        "id": "",
        "name": "a65e3438103d31ccb213083b2b6ef40b558580b4246251b558fc68e6a2a2ba92"
      },
      {
        "id": "",
        "name": "2af74246497c671cc9976cd9919fdc4beaa459e9b4b30a42f561b45919da950b"
      },
      {
        "id": "",
        "name": "470a74b888617299820acbe2daf03001eca7dc64a7002cd00beb163b3663187e"
      },
      {
        "id": "",
        "name": "c789f239a9cf039752e3926ee3b4387b3f6a1f6657531277caebf90685b018a2"
      },
      {
        "id": "",
        "name": "df9f756f355d1122e46ce12bb84553c89cdab71c6402a257b78bc768578f51c7"
      },
      {
        "id": "",
        "name": "c987e85b19c6462b06615a61998618c0e7d22ac5e38034e53ef0e34bd452464d"
      },
      {
        "id": "",
        "name": "f11ede0c682e818357943a166239867a19b0c1d321e84213e28e21beb2c49c87"
      },
      {
        "id": "",
        "name": "f0a73797caa35d4d62a23358fa8102d6c434cfc5177623d5dfd2a3efaff66aae"
      },
      {
        "id": "",
        "name": "3852442d56b08eabb8060f6b72234ff0a5400b89dddf31560b2dc5d8b16c29fa"
      },
      {
        "id": "",
        "name": "e683864f4016b24b164ebaa5d900963b730a1df45bcbf9fa947b644d673dbc21"
      },
      {
        "id": "",
        "name": "69a17194dba061f56ec3a23debfa1d3fdee7dd92789af17038387b294093aa5d"
      },
      {
        "id": "",
        "name": "17be568b6b2acb3b237c6dc81b3692976bb83eea76a7a26fd405805d34901016"
      },
      {
        "id": "",
        "name": "3a4afea2c16905816b922229dc5d03311d58c470fa4580dcd9248302bcdfbdc4"
      },
      {
        "id": "",
        "name": "81200976b8717c340041eee6ff051e1a87f8f73d86a9e17465b34be4c9488839"
      },
      {
        "id": "",
        "name": "032d7b946259add6db097d3ee4375caffe2c7dcf7da81e72c32eaa24b3bde164"
      },
      {
        "id": "",
        "name": "5cbe0f93c03b04b6100545448fee6db2a032a7cb13be45421d4ab377d1f88bf6"
      },
      {
        "id": "",
        "name": "cf7a5027a0e562b7749c8025c0394bc3c3208b7b5ce070dcd15787450332efa8"
      }
    ],
    "malware": [
      {
        "id": "5fdcf97f-0489-477b-a5df-c662e5fc5579",
        "name": "Mirai",
        "slug": "mirai"
      },
      {
        "id": "legacy:malware:a7e1a2d6a1cfd5a9",
        "name": "RondoDox",
        "slug": "rondodox"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d492cc74-cb84-4bb2-9620-1ac81822dba6",
        "name": "RondoDox",
        "slug": "rondodox"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "e73b317e-ea92-49b4-a45d-051f7279aced",
        "name": "T1213"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "444de5e0-bd7f-4700-b700-26320057dd80",
        "name": "T1110"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "33962583-7396-47ef-913d-1db78d6685c9",
        "name": "T1569"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "1e1b6cb4-44b5-4e17-b267-bcb104acb1d4",
        "name": "T1546"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2020-9054"
      },
      {
        "id": "",
        "name": "CVE-2025-31324"
      },
      {
        "id": "",
        "name": "CVE-2022-40619"
      },
      {
        "id": "",
        "name": "CVE-2023-23333"
      },
      {
        "id": "",
        "name": "CVE-2025-4008"
      },
      {
        "id": "",
        "name": "CVE-2023-1381"
      },
      {
        "id": "",
        "name": "CVE-2020-10987"
      },
      {
        "id": "",
        "name": "CVE-2013-1599"
      },
      {
        "id": "",
        "name": "CVE-2022-42475"
      },
      {
        "id": "",
        "name": "CVE-2017-9841"
      },
      {
        "id": "",
        "name": "CVE-2019-9082"
      },
      {
        "id": "",
        "name": "CVE-2023-41011"
      },
      {
        "id": "",
        "name": "CVE-2025-34043"
      },
      {
        "id": "",
        "name": "CVE-2024-4577"
      },
      {
        "id": "",
        "name": "CVE-2020-8958"
      },
      {
        "id": "",
        "name": "CVE-2022-36553"
      },
      {
        "id": "",
        "name": "CVE-2025-9528"
      },
      {
        "id": "",
        "name": "CVE-2014-3206"
      },
      {
        "id": "",
        "name": "CVE-2023-1389"
      },
      {
        "id": "",
        "name": "CVE-2024-10914"
      },
      {
        "id": "",
        "name": "CVE-2022-22947"
      },
      {
        "id": "",
        "name": "CVE-2022-24847"
      },
      {
        "id": "",
        "name": "CVE-2024-3721"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6926ce4acf381a3fb07c9efb",
    "https://www.f5.com/labs/articles/tracking-rondodox-malware-exploiting-many-iot-vulnerabilities"
  ]
}