- RondoDox botnet campaigns have expanded to target over 50 vulnerabilities across 30+ vendors.
- Trend Micro detected a RondoDox attack on June 15, 2025, exploiting a TP-Link router vulnerability.
- RondoDox now uses a loader-as-a-service model, co-delivering Mirai and Morte Malware payloads.
- Another major DDoS botnet, AISURU, controls around 300,000 compromised IoT devices mostly in the U.S.
- GreyNoise identified a coordinated botnet attack targeting U.S. Remote Desktop Protocol (RDP) services starting October 8, 2025.
Malware campaigns distributing the RondoDox botnet have broadened their reach, exploiting more than 50 security vulnerabilities across over 30 vendors as of mid-2025. A notable intrusion attempt occurred on June 15, 2025, targeting TP-Link Archer routers using the CVE-2023-1389 flaw.
Trend Micro described the campaign as using an “‘exploit shotgun’ approach,” attacking various internet-exposed devices such as routers, DVRs, NVRs, CCTV systems, and web servers. The RondoDox botnet combines its payload with Mirai and Morte malware under a loader-as-a-service infrastructure, increasing the threat’s detection difficulty.
Since its first documentation by Fortinet FortiGuard Labs in July 2025, RondoDox has targeted TBK DVRs and Four-Faith routers to build a botnet that launches distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols. Its current operations exploit 56 known vulnerabilities, including 18 without assigned CVE numbers, spanning vendors like D-Link, NETGEAR, Cisco, and Apache.
Recent findings by CloudSEK reveal that RondoDox’s loader-as-a-service botnet distributes malware through SOHO routers, IoT devices, and enterprise applications by exploiting weak credentials, unsanitized inputs, and outdated security flaws.
Meanwhile, the DDoS botnet AISURU reportedly controls approximately 300,000 compromised IoT devices, primarily within internet providers like AT&T, Comcast, and Verizon in the United States. Security journalist Brian Krebs noted AISURU as one of the largest botnets responsible for record-setting DDoS attacks. An operator linked to this botnet, known as Forky, is based in Sao Paulo, Brazil, and associated with a DDoS mitigation service called Botshield.
Additionally, GreyNoise identified a coordinated botnet attack wave targeting Remote Desktop Protocol (RDP) services in the United States. Beginning October 8, 2025, this operation involves over 100,000 unique IP addresses from more than 100 countries, with significant traffic from Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador. The attackers use two main techniques: RD Web Access timing attacks and RDP web client login enumeration. GreyNoise noted that most IPs share similar TCP fingerprints, indicating centralized control.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- 3 US Stocks Soar Over 200% in One Month: EOSEW, BKKT, PEPG
- Tesla Ramps Up Shanghai Output as China EV Sales Jump 25% in Sept
- Hyperliquid Enables Permissionless Perp Markets With HIP-3 Upgrade
- New ChaosBot Rust Malware Uses Discord for C2 Attacks
- Gold Hits $4,078 High as Wall Street, BRICS Fuel $10,000 Rally
