
RondoDox Botnet Expands to 174 Exploits, Leveraging Residential IP Infrastructure at Scale


A newly tracked botnet called RondoDox has quietly built itself into one of the more concerning threats observed in recent months, combining an unusually large collection of exploits with a calculated use of residential internet infrastructure.

First detected in May 2025, the botnet began generating high volumes of traffic in security honeypots and has since grown into a full-scale operation capable of launching up to 15,000 exploitation attempts in a single day.

Its operators have demonstrated both technical ambition and operational patience, carefully managing the infrastructure that supports their attacks.

RondoDox is built on the same foundation as Mirai, the well-known open-source botnet whose code has been repurposed by many threat actors over the years.

Unlike Mirai, which was designed to both scan for new targets and execute denial-of-service attacks, RondoDox is focused entirely on DoS attacks.

The operators have expanded significantly on this base, building a toolkit that now covers 174 different vulnerabilities, a figure that is uncommon among threats of this kind.

It also supports 18 system architectures including x86_64, ARM variants, MIPS, PowerPC, and others, allowing it to target a broad range of internet-connected hardware.

Bitsight analysts identified the botnet after noticing the high volume of traffic it was generating in their honeypot systems.

Number of Events and Moving Average for RondoDox Exploits (Source – Bitsight)

Their investigation found that of the 174 documented exploits, 148 were tied to known CVEs, 15 had public proof-of-concept code but no formal CVE, and 11 had no publicly available proof-of-concept at all.

Researchers also observed the operators actively tracking vulnerability disclosures, with several exploits being deployed within days of becoming public knowledge — in one case, CVE-2025-62593 was being exploited before its CVE was even officially published.

Early in its operation, the botnet’s operators took what researchers call a shotgun approach, sending multiple exploits at the same target at once in the hope that one would work.

Example of the Shotgun Approach Used by RondoDox (Source – Bitsight)
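The shotgun pattern described above has a simple network-side signature: one source sends many unrelated exploit requests to the same host within seconds. The following detection script is an added example, not Bitsight's or the article's code. It reads access-log lines in Common Log Format, groups requests by source IP, and flags any source that issues more than a threshold of distinct request paths inside a sliding time window. The log lines, IP addresses and request paths are constructed placeholders, not real RondoDox exploit URIs.

```python
"""Flag 'shotgun' exploitation bursts in web access logs.

Added example (not Bitsight's or the article's code). A single client
hammering many unrelated request paths within seconds is the pattern
the article calls the shotgun approach; a normal client revisits the
same handful of paths. Log lines below are constructed; paths are
placeholders, not real exploit URIs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 60        # sliding window length
MAX_DISTINCT_PATHS = 5     # more than this many distinct paths in one window is suspicious

# Constructed sample access log in Common Log Format.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Oct/2025:10:00:01 +0000] "GET /placeholder/exploit-a HTTP/1.1" 404 12
203.0.113.10 - - [19/Oct/2025:10:00:02 +0000] "POST /placeholder/exploit-b HTTP/1.1" 404 12
203.0.113.10 - - [19/Oct/2025:10:00:02 +0000] "GET /placeholder/exploit-c HTTP/1.1" 404 12
203.0.113.10 - - [19/Oct/2025:10:00:03 +0000] "POST /placeholder/exploit-d HTTP/1.1" 404 12
203.0.113.10 - - [19/Oct/2025:10:00:04 +0000] "GET /placeholder/exploit-e HTTP/1.1" 404 12
203.0.113.10 - - [19/Oct/2025:10:00:05 +0000] "GET /placeholder/exploit-f HTTP/1.1" 500 12
198.51.100.7 - - [19/Oct/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [19/Oct/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [19/Oct/2025:10:00:30 +0000] "GET /style.css HTTP/1.1" 200 128
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path) for a CLF line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_shotgun_sources(log_text, window=WINDOW_SECONDS, max_paths=MAX_DISTINCT_PATHS):
    """Return {ip: max_distinct_paths_in_one_window} for sources over the threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, path = rec
            by_ip[ip].append((ts, path))

    flagged = {}
    span = timedelta(seconds=window)
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        # Slide the window start over each event and count distinct paths inside it.
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= span}
            best = max(best, len(paths))
        if best > max_paths:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_shotgun_sources(SAMPLE_LOG).items():
        print(f"shotgun burst from {ip}: {n} distinct paths within {WINDOW_SECONDS}s")
```

Tune `MAX_DISTINCT_PATHS` against your own baseline: a crawler or a single-page app with many assets will legitimately exceed a low threshold, so combine this signal with the share of 4xx/5xx responses before raising an alert.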

The number of distinct vulnerabilities used in a single day peaked at 49 on October 19, 2025.

Unique Daily Vulnerabilities (Source – Bitsight)

By January 2026, that number dropped to just two active vulnerabilities, a sign that the operators had shifted toward focusing on high-value targets rather than casting a wide net.

CVE-2025-55182, known as React2Shell and disclosed on December 3, 2025, was added to the botnet’s exploit list just three days later, on December 6.

This rapid adoption of newly disclosed flaws, combined with the scale and persistence of the operation, signals a well-resourced and motivated threat that security teams need to take seriously.

Residential IP Infrastructure: A Deceptive Hosting Layer

One of the most striking details uncovered in the research is how RondoDox uses compromised residential IP addresses to host its malware payloads.

Bitsight tracked 32 IP addresses across the full observation period — 16 dedicated to exploitation and 16 to hosting.

Timeline of IP usage (Source – Bitsight)

While the exploitation IPs were traced to hosting providers that accept cryptocurrency payments, the hosting IPs largely pointed to regular internet service providers in countries including the United States, Canada, Sweden, China, and Tunisia.

Using the Groma dataset, researchers found that four of the 11 identified residential hosting IPs had been exposing potentially vulnerable services, including a UniFi Protect interface, two Control4 smart home systems, and a TCL Android TV web server.

The evidence strongly suggests these are compromised home devices unknowingly serving as the botnet’s infrastructure.

The hosting servers also employ a blacklisting mechanism, returning a decoy page with a background video and a non-functional button to block analysts.

Page Returned When IP Is Blacklisted (Source – Bitsight)

To reduce risk, organizations should patch internet-facing devices regularly, disable unused remote access services, and monitor network traffic for suspicious connections, using the indicators of compromise that Bitsight has published in its GitHub repository.
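The monitoring step above amounts to checking outbound connections against a published indicator list. The script below is an added example, not Bitsight's or the article's code, and it does not reproduce Bitsight's indicator list: `IOC_FEED` is a constructed placeholder in a plausible one-indicator-per-line format (plain IPs or CIDR ranges, `#` comments), and the firewall log lines are constructed too. It reports hits per internal source host, which is what a responder needs in order to find the device that reached botnet infrastructure.

```python
"""Match outbound firewall log entries against an IoC list of IPs and CIDR ranges.

Added example (not Bitsight's or the article's code). IOC_FEED and
FIREWALL_LOG are constructed placeholders; no real RondoDox indicators
are included. Malformed feed entries and log lines are skipped rather
than aborting the scan.
"""
import ipaddress

# Constructed placeholder feed: one indicator per line, '#' starts a comment.
IOC_FEED = """\
# placeholder indicators, not real RondoDox infrastructure
203.0.113.45
198.51.100.0/29   # covers 198.51.100.0 - 198.51.100.7
not-an-ip
"""

# Constructed key=value firewall log; internal sources are RFC 1918 addresses.
FIREWALL_LOG = """\
2026-01-12T08:00:01Z src=10.0.5.12 dst=203.0.113.45 dport=80 action=allow
2026-01-12T08:00:02Z src=10.0.5.12 dst=93.184.216.34 dport=443 action=allow
2026-01-12T08:00:05Z src=10.0.7.3 dst=198.51.100.3 dport=8080 action=allow
2026-01-12T08:00:07Z src=10.0.7.3 dst=198.51.100.9 dport=8080 action=allow
this line is garbage and must be ignored
"""


def load_iocs(text):
    """Parse the feed into ip_network objects; single IPs become /32 networks."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip malformed indicators instead of failing the whole load
    return nets


def parse_fw_line(line):
    """Return the key=value fields of one log line, or None if src/dst are missing."""
    fields = {}
    for token in line.split()[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields if "src" in fields and "dst" in fields else None


def match_iocs(log_text, ioc_text):
    """Return {internal_src: [matched_dst, ...]} for connections to listed indicators."""
    nets = load_iocs(ioc_text)
    hits = {}
    for line in log_text.splitlines():
        fields = parse_fw_line(line)
        if not fields:
            continue
        try:
            dst = ipaddress.ip_address(fields["dst"])
        except ValueError:
            continue
        if any(dst in net for net in nets):
            hits.setdefault(fields["src"], []).append(str(dst))
    return hits


if __name__ == "__main__":
    for src, dsts in match_iocs(FIREWALL_LOG, IOC_FEED).items():
        print(f"{src} contacted listed infrastructure: {', '.join(dsts)}")
```

Replace `IOC_FEED` with the contents of the real indicator file and `FIREWALL_LOG` with an export from your firewall or proxy; because the article notes that the hosting IPs sit on ordinary residential ISPs, do not expect hits to cluster in one hosting provider's ranges.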

The post RondoDox Botnet Expands to 174 Exploits, Leveraging Residential IP Infrastructure at Scale appeared first on Cyber Security News.

Source: cybersecuritynews.com
