Researchers at Trend Micro have identified RondoDox, a rapidly growing IoT botnet that systematically compromises internet-exposed devices using a broad arsenal of known vulnerabilities (n-days) and exploits inspired by Pwn2Own demonstrations. The operators reportedly field 56 vulnerabilities across more than 30 vendors and device classes, spanning DVR/NVR systems, IP cameras, SOHO routers, and web servers.
Target landscape: DVR/NVR, cameras, routers, and web servers
RondoDox primarily scans for devices that are directly reachable from the internet—digital and network video recorders, surveillance cameras, small office/home office (SOHO) routers, and web-facing components often embedded in video ecosystems. This focus delivers scale and continuity for the botnet: these categories frequently run outdated firmware and lag on security updates, leaving consistent opportunities for compromise.
“Shotgun of exploits”: parallelized exploitation and Pwn2Own adoption
A defining tactic is the “shotgun of exploits” approach—RondoDox cycles through many exploits in parallel to maximize infection rates. The approach is noisy, but the breadth of coverage offsets the added detection risk. Notably, the group quickly operationalizes techniques showcased at Pwn2Own. One example is CVE-2023-1389 affecting the TP-Link Archer AX21, first demonstrated at Pwn2Own Toronto 2022 and subsequently adapted for use in real-world attacks.
Beyond n-days: 18 command injections without CVE identifiers
Trend Micro also observed exploitation of 18 command-injection vulnerabilities that lack assigned CVE IDs. Impacted products include D-Link NAS units, DVRs from TVT and LILIN, routers from Fiberhome, ASMAX, and Linksys, Brickcom cameras, and several unidentified models. The absence of public identifiers complicates patch triage and asset owners’ ability to prioritize remediation.
Why IoT remains a soft target
Two structural issues keep the IoT attack surface wide open. First, end-of-life (EoL) and out-of-support devices often never receive fixes. Second, even currently supported models remain exposed due to poor update hygiene post-deployment. Historical cases such as Mirai showed how public services, default credentials, and infrequent patches create a stable infection pool for mass-scale botnets. Guidance from organizations such as CISA consistently highlights default passwords and missed updates as common IoT failure modes.
DDoS firepower and protocol camouflage
According to FortiGuard Labs, RondoDox can launch DDoS attacks over HTTP, UDP, and TCP. To degrade detection, it mimics traffic associated with popular gaming and communication ecosystems, including Valve, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, GTA, as well as Discord, OpenVPN, WireGuard, and RakNet. This protocol camouflage hinders signature-based filtering and improves the botnet’s resilience against basic monitoring controls.
Practical defenses for enterprises and home networks
1) Patch and lifecycle management: Apply the latest firmware and replace unsupported devices. Maintain an accurate inventory and enforce EoL/EoS policies to eliminate forgotten assets.
2) Network segmentation: Isolate IoT and guest networks from critical systems using VLANs/SDN. Restrict outbound IoT traffic with firewall rules, allowing only required destinations and ports.
3) Access hardening: Remove default accounts, enforce long unique passwords via a manager, and enable MFA where available. Disable internet-facing administration and limit management interfaces to trusted networks.
4) Reduce attack surface: Disable UPnP, close unused services, and expose only necessary interfaces. Implement allowlists and geo/IP restrictions for administrative access.
5) Monitoring and response: Baseline normal traffic and watch for anomalies. Run periodic vulnerability scans for known exploits, and leverage IDS/IPS and centralized logging to detect early compromise attempts.
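One concrete form of the monitoring in step 5, written as an added example rather than anything from Trend Micro or FortiGuard: a parallel multi-exploit sweep shows up in a device's web log as one source hitting many different endpoints with shell metacharacters in the query string within seconds. The script below parses combined-format access logs and flags sources by distinct suspicious endpoints per time window; the log lines, IP addresses (RFC 5737 test ranges) and endpoint names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Shell separators and substitution syntax that do not belong in a device's query
# string; decoding first also catches %3B-style encodings of the same characters.
INJECTION_MARKERS = re.compile(r'[;|`]|\$\(')

# Constructed sample log (test addresses, invented endpoints), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2025:14:02:01 +0000] "GET /cgi-bin/status?ip=127.0.0.1;echo HTTP/1.1" 404 0
192.0.2.10 - - [10/Oct/2025:14:02:02 +0000] "POST /api/ping?host=127.0.0.1%3Becho HTTP/1.1" 404 0
192.0.2.10 - - [10/Oct/2025:14:02:04 +0000] "GET /admin/ntp?server=%60echo%60 HTTP/1.1" 401 0
192.0.2.10 - - [10/Oct/2025:14:02:05 +0000] "GET /setup.cgi?dns=%24%28echo%29 HTTP/1.1" 404 0
192.0.2.10 - - [10/Oct/2025:14:02:07 +0000] "GET /cgi-bin/upgrade?url=x%7Cecho HTTP/1.1" 404 0
198.51.100.5 - - [10/Oct/2025:14:10:00 +0000] "GET /login.cgi?user=admin;echo HTTP/1.1" 401 0
192.0.2.20 - - [10/Oct/2025:14:11:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [10/Oct/2025:14:30:00 +0000] "GET /cgi-bin/status?ip=127.0.0.1;echo HTTP/1.1" 404 0
"""

def parse_line(line):
    """Return (ip, time, method, decoded path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, unquote(path), int(status)

def find_exploit_sweeps(lines, window_seconds=60, min_distinct_paths=4):
    """Map each source IP to the most distinct endpoints it hit with injection-like
    payloads inside any window; one bad request is noise, many endpoints is a sweep."""
    hits = defaultdict(list)  # ip -> [(time, path without query string)]
    for line in lines:
        parsed = parse_line(line)
        if parsed and INJECTION_MARKERS.search(parsed[3]):
            hits[parsed[0]].append((parsed[1], parsed[3].split("?", 1)[0]))
    sweeps = {}
    for ip, events in hits.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            seen = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            best = max(best, len(seen))
        if best >= min_distinct_paths:
            sweeps[ip] = best
    return sweeps
```

Feed it a real device or reverse-proxy log and tune the window and threshold to the site's normal traffic before alerting on the result.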
RondoDox illustrates a mature IoT attack playbook: rapid weaponization of public research, broad multi-exploit automation, and advanced traffic masking. Reducing risk hinges on disciplined firmware management, segmentation, and hardened access. Organizations and households should reassess their update cadence, inventory, and exposure now—before their cameras, routers, and recorders are conscripted into the next DDoS campaign.