Trend Micro: RondoDox botnet campaign expands to exploit more than 50 flaws across 30 vendors

Malware campaigns distributing the RondoDox botnet have broadened their targeting to exploit more than 50 vulnerabilities across over 30 vendors, security firm Trend Micro said, describing the activity as an “exploit shotgun” approach targeting internet-exposed infrastructure.

Trend Micro said the activity has singled out routers, digital video recorders, network video recorders, CCTV systems, web servers and other network devices, and that it detected a RondoDox intrusion attempt on June 15, 2025, when attackers exploited a known TP-Link Archer router flaw.

Fortinet FortiGuard Labs first documented RondoDox in July 2025, describing attacks that targeted TBK digital video recorders and Four-Faith routers to recruit devices into a botnet used to launch distributed denial-of-service attacks over HTTP, UDP and TCP.

Trend Micro said RondoDox has recently expanded distribution by using a “loader-as-a-service” infrastructure that co-packages RondoDox with Mirai and Morte payloads, raising the urgency of detection and remediation. The company said the campaign exploits 56 vulnerabilities in total, including 18 that do not have CVE identifiers, and names affected vendors including D-Link, Linksys, NETGEAR, Cisco and Apache, among others.

The report follows other research that found large-scale loader-as-a-service operations distributing RondoDox, Mirai and Morte through SOHO routers, IoT devices and enterprise applications by abusing weak credentials, unsanitized inputs and old vulnerabilities.

Security journalist Brian Krebs noted that the DDoS botnet AISURU is drawing much of its firepower from compromised IoT devices hosted on U.S. internet providers, and said one alleged operator is “based in Sao Paulo, Brazil,” linking that reporting to prior investigations.

Threat intelligence firm GreyNoise reported a separate, coordinated operation that used over 100,000 unique IP addresses from more than 100 countries to target Remote Desktop Protocol services beginning Oct. 8, 2025, saying most participating IPs shared a similar TCP fingerprint indicating centralized control. In its analysis, the firm said the campaign used two specific attack vectors: RD Web Access timing attacks and RDP web client login enumeration.