RondoDox Botnet Deploys 174 Exploits Using Home IPs

The RondoDox botnet has rapidly evolved into one of the most concerning emerging threats of the past year, combining an unusually large exploit arsenal with a stealthy infrastructure strategy that abuses compromised residential IP addresses for hosting malware payloads. First detected in May 2025, the botnet has since grown into a mature operation capable of launching up to 15,000 exploitation attempts per day. [onmsft.com]

Researchers from Bitsight uncovered the botnet’s expansion after observing heavy, anomalous traffic across their honeypot environment, ultimately revealing a threat actor with both high technical sophistication and long-term operational discipline.


🧬 Mirai Roots, But Designed for Pure DoS

RondoDox is built on the same foundational code as Mirai, the infamous open-source botnet whose variants have fueled widespread IoT-based DDoS attacks since 2016. However, unlike Mirai—which scans, propagates, and launches DDoS attacks—RondoDox focuses exclusively on denial-of-service operations, without attempting further compromise of infected systems.

The operators have significantly extended the original Mirai framework, creating an exploit toolkit that now includes 174 vulnerabilities, a volume rarely observed in IoT‑focused botnets:

  • 148 exploits tied to published CVEs
  • 15 exploits with public PoCs but no official CVE
  • 11 exploits with no public documentation at all

This broad exploit catalog targets 18 system architectures, including x86_64, ARM variants, MIPS, PowerPC, and others, allowing RondoDox to infect a wide array of internet-connected devices.


🚀 Rapid Vulnerability Adoption — Sometimes Before CVEs Go Public

One of the most telling indicators of RondoDox’s maturity is the speed at which the botnet incorporates new exploits. Researchers found several instances where operators deployed working exploits within days of disclosure. In one case, CVE‑2025‑62593 was exploited before the CVE identifier was officially published.

The botnet initially used a shotgun-style exploitation method, firing multiple exploits simultaneously at the same target with the hope that one would succeed. This technique peaked on October 19, 2025, with 49 distinct vulnerabilities used in a single day.

By January 2026, however, operators refined their approach to focus on just two high-success vulnerabilities, signaling a focus on high‑value targets over broad scanning noise.

A notable example of rapid integration:

  • CVE‑2025‑55182 (React2Shell)
  • Disclosed: December 3, 2025
  • Adopted into RondoDox: December 6, 2025 (3 days later)

Such rapid adoption demonstrates a well‑resourced threat actor capable of tracking disclosures and weaponizing vulnerabilities at unprecedented speed.


🏠 Residential IPs: A Hidden Hosting Layer

Bitsight’s investigation revealed one of the most concerning aspects of RondoDox: its use of compromised residential IP addresses to host malware payloads.

Key Findings

  • 32 total IP addresses tracked
    • 16 exploitation nodes (crypto‑friendly hosting providers)
    • 16 hosting nodes (residential ISPs in U.S., Canada, Sweden, China, Tunisia)

Using the Groma dataset, analysts confirmed that 4 of the 11 residential hosting IPs exposed vulnerable services, including:

  • A UniFi Protect interface
  • Two Control4 smart home systems
  • A TCL Android TV web server

These findings strongly indicate that attackers are leveraging compromised home devices as their hosting layer—not unlike how botnets commandeer IoT hardware, but instead using them as malware delivery servers.

This strategy provides two major advantages:

  1. Legitimacy — Residential IPs blend into normal traffic.
  2. Evasion — Security tools rarely blacklist home networks compared to VPS ranges.

RondoDox also deploys a blacklisting defense mechanism: when analysts or suspected honeypots connect, the hosting servers return a decoy page featuring a background video and a non-functional button.


🔥 Why RondoDox Is a Serious Emerging Threat

RondoDox combines:

  • A massive exploit library
  • Multi‑architecture support
  • Fast-moving vulnerability adoption
  • Residential IP‑based hosting
  • Long-term operational consistency

These characteristics suggest a motivated, technically adept threat actor capable of sustaining a high‑volume attack pipeline with persistent infrastructure.

Organizations relying on internet-facing systems—especially IoT, network appliances, and edge devices—are at heightened risk.


🛡 Recommended Mitigations

Bitsight and other researchers recommend:

✔ Patch Internet‑Facing Devices Frequently

Many exploited vulnerabilities affect:

  • Small business routers
  • Security cameras / NVRs
  • Smart home controllers
  • Consumer IoT devices

✔ Disable Unused Remote Access Services

Reduce attack surface on:

  • Web interfaces
  • UPnP
  • Remote management ports

✔ Monitor Inbound/Outbound Traffic for Anomalies

Flag:

  • Requests to known RondoDox hosting IPs
  • Unusual DoS‑style probing patterns
  • Surges in HTTP requests to consumer‑grade IP prefixes
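The traffic monitoring above can be reduced to a small rule over web-server access logs. The following Python is an added example, not code from Bitsight or the article: it flags any source on an IoC watchlist and any source that requests many distinct admin paths on a host inside a short window (the shotgun-style pattern described earlier). The watchlist IPs and log lines are constructed placeholders, not real indicators.

```python
from collections import defaultdict
from datetime import datetime

# Placeholder watchlist: populate from Bitsight's published IoC repository.
WATCHLIST = {"203.0.113.10", "198.51.100.7"}

# Constructed sample access log: "<timestamp> <client-ip> <method> <path> <status>".
SAMPLE_LOG = """\
2026-01-12T10:00:01 192.0.2.5 GET /admin/login 404
2026-01-12T10:00:02 192.0.2.5 GET /cgi-bin/config 404
2026-01-12T10:00:02 192.0.2.5 POST /api/v1/system 404
2026-01-12T10:00:03 192.0.2.5 GET /setup.cgi 404
2026-01-12T10:00:04 192.0.2.5 GET /HNAP1/ 404
2026-01-12T10:00:05 192.0.2.5 GET /login.htm 404
2026-01-12T10:00:09 10.0.0.8 GET /index.html 200
2026-01-12T10:00:11 203.0.113.10 GET /update.bin 200
"""

def parse_line(line):
    """Split one log line into (timestamp, client_ip, path)."""
    ts, ip, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), ip, path

def max_distinct_in_window(events, window_s):
    """Largest number of distinct paths in any window_s-second span of (ts, path) events."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        # Slide the window start forward until it is within window_s of the newest event.
        while (events[end][0] - events[start][0]).total_seconds() > window_s:
            start += 1
        best = max(best, len({p for _, p in events[start:end + 1]}))
    return best

def detect(log_text, window_s=60, min_paths=5):
    """Return {client_ip: reason} for watchlisted sources and shotgun-style probers."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, path = parse_line(line)
        by_ip[ip].append((ts, path))
    alerts = {}
    for ip, events in by_ip.items():
        if ip in WATCHLIST:
            alerts[ip] = "watchlist"
            continue
        distinct = max_distinct_in_window(events, window_s)
        if distinct >= min_paths:
            alerts[ip] = f"shotgun-probe:{distinct}"
    return alerts
```

Tune `window_s` and `min_paths` to the host's normal traffic; a single legitimate client rarely touches five different administrative endpoints in a minute.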

✔ Review Bitsight’s Published Indicators of Compromise

Bitsight maintains a GitHub repository with IoCs and updated threat intelligence for RondoDox operators.


Conclusion

RondoDox represents a new class of botnet threat—one that fuses the flexibility of Mirai descendants with the stealth and resiliency of residential IP‑based hosting, rapid exploit adoption, and broad architecture support.
Security teams should treat RondoDox as an emerging high‑priority threat, especially as its operators continue accelerating their adoption of new vulnerabilities and expanding the botnet’s footprint.
