RondoDox Botnet

Original Issue Date:- January 21, 2026
Virus Type:- IoT Botnet / Web Application Malware
Severity:- High

It has been reported that a sophisticated botnet dubbed “RondoDox” is actively targeting IoT devices, network appliances, and vulnerable web applications, including Next.js Server Actions, routers, and CMS platforms. The malware has been observed weaponizing recently disclosed vulnerabilities to deploy botnet payloads, cryptominers, and remote access tools. RondoDox is capable of persistent compromise, botnet enrollment, cryptojacking, DDoS operations, and lateral movement across enterprise and cloud environments.

Infection Mechanism

The RondoDox botnet operates as a Linux-based, automated exploitation framework that compromises devices through exposed management interfaces and vulnerable web applications. The botnet has demonstrated a shift from early reconnaissance activity to coordinated, high-volume exploitation campaigns and automated botnet deployment. The campaign has entered a more concerning phase: reliable exploits are now observed in the wild, lowering the barrier to exploitation and increasing the likelihood of widespread compromise.

The botnet primarily targets:

  • Internet-facing IoT devices (routers, cameras, NAS)
  • Web applications (Next.js, WordPress, Drupal, Struts2, WebLogic)
  • Cloud and Linux servers

Primary Infection Vectors

  • Exploitation of Next.js Server Actions remote code execution vulnerabilities (e.g., prototype pollution / deserialization flaws)
  • Command injection via router and network appliance diagnostic interfaces
  • Exploitation of CMS plugins and framework vulnerabilities
  • Weak or default credentials on IoT devices and network devices
  • Exploitation of critical infrastructure management vulnerabilities, including unauthenticated REST API endpoints enabling remote code execution (e.g., CVE-2025-37164 affecting HPE OneView)

Once a system is compromised, RondoDox establishes persistence and creates a covert communication channel used for:

  • Command and Control: Remote execution of system commands and deployment of additional payloads.
  • Cryptomining: Unauthorized use of system resources for cryptocurrency mining.
  • Botnet Operations: Enrolling compromised systems for DDoS attacks and further exploitation campaigns.
  • Lateral Movement: Pivoting from compromised infrastructure management platforms to additional network segments.

Indicators of Compromise

IP addresses


Malware SHA256 hashes


Other IOCs

  • 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b (Coinminer)
  • 8e0bc23a87d349e5a5356252ce17576093b7858fdf6ea84919fbdcb2e117168e (healthcheck)
  • 50be5257678412f0810d46e0b0bc573eb65c6ce4617346c1527ff0dc9b7fc79e (persistence)
  • 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb (Mirai)

Best Practices and Recommendations

  • Update critical platforms immediately: Apply the latest security patches to all Node.js and Next.js servers. Temporarily disable high-risk features, such as Server Actions, on internet-facing applications until vendor patches are confirmed safe. Validate all serialized data and input handling to prevent injection attacks.
  • Segment and harden IoT devices: Isolate routers, cameras, NAS, printers, and other IoT devices into dedicated network segments with strict access controls. Disable unnecessary remote management interfaces, enforce strong and unique credentials, and apply firmware updates from trusted sources.
  • Strengthen web application defenses: Implement application-level protections, such as input validation, restricting unnecessary functionality, and deploying Web Application Firewalls (WAFs) to detect and block potential exploitation attempts.
  • Monitor for suspicious activity: Track unusual processes, unexpected system changes, and abnormal network behavior. Ensure centralized logging and alerting are in place to support early detection and response.
  • Enforce secure administration practices: Require VPN or jump host access for all device management interfaces. Implement multi-factor and certificate-based authentication where possible, and log administrative actions centrally for real-time monitoring.
  • Institutionalize vulnerability management: Maintain an inventory of all assets and firmware versions. Establish patch management procedures requiring critical vulnerabilities in internet-facing applications to be remediated promptly. Subscribe to threat intelligence feeds, conduct regular penetration testing, and review security controls periodically.
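The monitoring recommendation above, as an added example that is not part of the advisory or any vendor tooling: a small Python detector run over constructed access-log lines for the two web-facing vectors the advisory names, Next.js Server Action POSTs (which carry a Next-Action header) arriving in bursts from one source, and shell metacharacters in parameters sent to router diagnostic endpoints. The JSON log format, the endpoint patterns and the burst threshold are assumptions; adapt them to your proxy or WAF's actual fields.

```python
"""Detection sketch for two web-facing vectors named in the advisory (added
example, not the advisory's own tooling). Input: one JSON object per line
with src, method, path, query and headers; a constructed log format."""
import json
import re
from collections import Counter

# Router/appliance diagnostic endpoints often reachable from the WAN side.
DIAG_PATH = re.compile(r"/(ping|traceroute|tracert|diag)", re.I)
# Shell metacharacters that never belong in a hostname/IP parameter.
SHELL_META = re.compile(r"[;|&`$\n]")

# Constructed sample traffic using documentation address ranges.
SAMPLE_LOG = """\
{"src": "203.0.113.9", "method": "POST", "path": "/", "query": "", "headers": {"Next-Action": "7f3c"}}
{"src": "203.0.113.9", "method": "POST", "path": "/", "query": "", "headers": {"Next-Action": "7f3c"}}
{"src": "203.0.113.9", "method": "POST", "path": "/", "query": "", "headers": {"Next-Action": "7f3c"}}
{"src": "198.51.100.4", "method": "GET", "path": "/cgi-bin/ping.cgi", "query": "host=10.0.0.1;uptime", "headers": {}}
{"src": "192.0.2.20", "method": "GET", "path": "/cgi-bin/ping.cgi", "query": "host=10.0.0.1", "headers": {}}
{"src": "192.0.2.21", "method": "POST", "path": "/api/login", "query": "", "headers": {}}
"""

def classify(entry):
    """Return the detection tags that apply to a single log entry."""
    tags = []
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    # Server Actions are invoked by POST with a Next-Action header.
    if entry.get("method") == "POST" and "next-action" in headers:
        tags.append("nextjs_server_action")
    if DIAG_PATH.search(entry.get("path", "")) and SHELL_META.search(entry.get("query", "")):
        tags.append("diag_cmd_injection")
    return tags

def analyze(log_text, burst_threshold=3):
    """Return (alerts, burst_sources). A diagnostic-endpoint hit is an alert on
    its own; Server Action POSTs are normal app traffic, so only a source that
    repeats them burst_threshold times or more is reported."""
    alerts, action_posts = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        tags = classify(entry)
        if "diag_cmd_injection" in tags:
            alerts.append((entry["src"], entry["path"]))
        if "nextjs_server_action" in tags:
            action_posts[entry["src"]] += 1
    bursts = sorted(s for s, n in action_posts.items() if n >= burst_threshold)
    return alerts, bursts
```

Calling `analyze(SAMPLE_LOG)` returns one command-injection alert for the ping endpoint and one burst source for the repeated Server Action POSTs; in production, feed it the centralized log stream and tune the threshold against your application's normal Server Action rate.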
