RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits

    Date: 10/10/2025

    Severity: High

    Summary

    A major botnet campaign, dubbed RondoDox, is actively exploiting over 50 known vulnerabilities in routers, DVRs, NVRs, CCTV systems, and web servers from more than 30 vendors. Organizations with internet-facing infrastructure face heightened risks of data theft, persistent access, and operational disruption. Exploitation began in June 2025 and relies on known CVEs such as CVE-2023-1389, which was first disclosed during a Pwn2Own event and is now in CISA's KEV catalog. Immediate patching of all listed vulnerabilities is critical, along with regular assessments, network segmentation, and continuous monitoring.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    IP Addresses:


    Hashes (SHA-256):


    Email Addresses:

    Makenoise@tutanota.de

    Bang2012@protonmail.com

    Targeted Vulnerabilities:

    "CVE-2025-7414","CVE-2025-5504","CVE-2025-4008","CVE-2025-34037","CVE-2025-22905","CVE-2025-1829","CVE-2024-7029","CVE-2024-3721","CVE-2024-1781","CVE-2024-12856","CVE-2024-12847","CVE-2024-10914","CVE-2023-52163","CVE-2023-51833","CVE-2023-47565","CVE-2023-26801","CVE-2023-25280","CVE-2023-1389","CVE-2022-44149","CVE-2022-37129","CVE-2022-36553","CVE-2021-42013","CVE-2021-41773","CVE-2020-27867","CVE-2020-25506","CVE-2020-10987","CVE-2019-16920","CVE-2019-1663","CVE-2018-11714","CVE-2018-10561","CVE-2017-18369","CVE-2017-18368","CVE-2016-6277","CVE-2015-2051","CVE-2014-6271","CVE-2014-1635"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://74.194.191.52/rondo.armeb" or url like "http://74.194.191.52/rondo.armeb" or siteurl like "http://74.194.191.52/rondo.armeb" or domainname like "http://83.252.42.112/rondo.fbsdamd64" or url like "http://83.252.42.112/rondo.fbsdamd64" or siteurl like "http://83.252.42.112/rondo.fbsdamd64" or domainname like "http://74.194.191.52/rondo.sh4" or url like "http://74.194.191.52/rondo.sh4" or siteurl like "http://74.194.191.52/rondo.sh4" or domainname like "http://83.252.42.112/rondo.fbsdpowerpc" or url like "http://83.252.42.112/rondo.fbsdpowerpc" or siteurl like "http://83.252.42.112/rondo.fbsdpowerpc" or domainname like "http://83.252.42.112/rondo.armv6l" or url like "http://83.252.42.112/rondo.armv6l" or siteurl like "http://83.252.42.112/rondo.armv6l" or domainname like "http://83.252.42.112/rondo.i686" or url like "http://83.252.42.112/rondo.i686" or siteurl like "http://83.252.42.112/rondo.i686" or domainname like "http://74.194.191.52/rondo.armebhf" or url like "http://74.194.191.52/rondo.armebhf" or siteurl like "http://74.194.191.52/rondo.armebhf" or domainname like "http://83.252.42.112/rondo.fbsdarm64" or url like "http://83.252.42.112/rondo.fbsdarm64" or siteurl like "http://83.252.42.112/rondo.fbsdarm64" or domainname like "http://83.252.42.112/rondo.i486" or url like "http://83.252.42.112/rondo.i486" or siteurl like "http://83.252.42.112/rondo.i486" or domainname like "http://74.194.191.52/rondo.lol" or url like "http://74.194.191.52/rondo.lol" or siteurl like "http://74.194.191.52/rondo.lol" or domainname like "http://83.252.42.112/rondo.fbsdi386" or url like "http://83.252.42.112/rondo.fbsdi386" or siteurl like "http://83.252.42.112/rondo.fbsdi386" or domainname like "http://74.194.191.52/rondo.fbsdarm64" or url like "http://74.194.191.52/rondo.fbsdarm64" or siteurl like "http://74.194.191.52/rondo.fbsdarm64" or domainname like "http://74.194.191.52/rondo.i686" or url like "http://74.194.191.52/rondo.i686" or siteurl like "http://74.194.191.52/rondo.i686" or domainname like "http://74.194.191.52/rondo.powerpc-440fp" or url like "http://74.194.191.52/rondo.powerpc-440fp" or siteurl like "http://74.194.191.52/rondo.powerpc-440fp" or domainname like "http://83.252.42.112/rondo.lol" or url like "http://83.252.42.112/rondo.lol" or siteurl like "http://83.252.42.112/rondo.lol" or domainname like "http://74.194.191.52/rondo.fbsdi386" or url like "http://74.194.191.52/rondo.fbsdi386" or siteurl like "http://74.194.191.52/rondo.fbsdi386" or domainname like "http://74.194.191.52/rondo.powerpc" or url like "http://74.194.191.52/rondo.powerpc" or siteurl like "http://74.194.191.52/rondo.powerpc" or domainname like "http://74.194.191.52/rondo.arc700" or url like "http://74.194.191.52/rondo.arc700" or siteurl like "http://74.194.191.52/rondo.arc700" or domainname like "http://74.194.191.52/rondo.x86_64" or url like "http://74.194.191.52/rondo.x86_64" or siteurl like "http://74.194.191.52/rondo.x86_64" or domainname like "http://83.252.42.112/rondo.arc700" or url like "http://83.252.42.112/rondo.arc700" or siteurl like "http://83.252.42.112/rondo.arc700" or domainname like "http://83.252.42.112/rondo.armv4l" or url like "http://83.252.42.112/rondo.armv4l" or siteurl like "http://83.252.42.112/rondo.armv4l" or domainname like "http://83.252.42.112/rondo.armv7l" or url like "http://83.252.42.112/rondo.armv7l" or siteurl like "http://83.252.42.112/rondo.armv7l" or domainname like "http://83.252.42.112/rondo.m68k" or url like "http://83.252.42.112/rondo.m68k" or siteurl like "http://83.252.42.112/rondo.m68k" or domainname like "http://74.194.191.52/rondo.armv4l" or url like "http://74.194.191.52/rondo.armv4l" or siteurl like "http://74.194.191.52/rondo.armv4l" or domainname like "http://83.252.42.112/rondo.armv5l" or url like "http://83.252.42.112/rondo.armv5l" or siteurl like "http://83.252.42.112/rondo.armv5l" or domainname like "http://74.194.191.52/rondo.i586" or url like "http://74.194.191.52/rondo.i586" or siteurl like "http://74.194.191.52/rondo.i586" or domainname like "http://83.252.42.112/rondo.mipsel" or url like "http://83.252.42.112/rondo.mipsel" or siteurl like "http://83.252.42.112/rondo.mipsel" or domainname like "http://74.194.191.52/rondo.armv7l" or url like "http://74.194.191.52/rondo.armv7l" or siteurl like "http://74.194.191.52/rondo.armv7l" or domainname like "http://74.194.191.52/rondo.m68k" or url like "http://74.194.191.52/rondo.m68k" or siteurl like "http://74.194.191.52/rondo.m68k" or domainname like "http://74.194.191.52/rondo.mipsel" or url like "http://74.194.191.52/rondo.mipsel" or siteurl like "http://74.194.191.52/rondo.mipsel" or domainname like "http://14.103.145.202/rondo." or url like "http://14.103.145.202/rondo." or siteurl like "http://14.103.145.202/rondo." or domainname like "http://83.252.42.112/rondo.powerpc-440fp" or url like "http://83.252.42.112/rondo.powerpc-440fp" or siteurl like "http://83.252.42.112/rondo.powerpc-440fp"

    Detection Query 2 :

    domainname like "http://74.194.191.52/rondo.mips" or url like "http://74.194.191.52/rondo.mips" or siteurl like "http://74.194.191.52/rondo.mips" or domainname like "http://74.194.191.52/rondo.i486" or url like "http://74.194.191.52/rondo.i486" or siteurl like "http://74.194.191.52/rondo.i486" or domainname like "http://83.252.42.112/rondo.x86_64" or url like "http://83.252.42.112/rondo.x86_64" or siteurl like "http://83.252.42.112/rondo.x86_64" or domainname like "http://74.194.191.52/rondo.sparc" or url like "http://74.194.191.52/rondo.sparc" or siteurl like "http://74.194.191.52/rondo.sparc" or domainname like "http://74.194.191.52/rondo.fbsdamd64" or url like "http://74.194.191.52/rondo.fbsdamd64" or siteurl like "http://74.194.191.52/rondo.fbsdamd64" or domainname like "http://83.252.42.112/rondo.sh4" or url like "http://83.252.42.112/rondo.sh4" or siteurl like "http://83.252.42.112/rondo.sh4" or domainname like "http://83.252.42.112/rondo.powerpc" or url like "http://83.252.42.112/rondo.powerpc" or siteurl like "http://83.252.42.112/rondo.powerpc" or domainname like "http://74.194.191.52/rondo.armv6l" or url like "http://74.194.191.52/rondo.armv6l" or siteurl like "http://74.194.191.52/rondo.armv6l" or domainname like "http://83.252.42.112/rondo.sparc" or url like "http://83.252.42.112/rondo.sparc" or siteurl like "http://83.252.42.112/rondo.sparc" or domainname like "http://83.252.42.112/rondo.mips" or url like "http://83.252.42.112/rondo.mips" or siteurl like "http://83.252.42.112/rondo.mips" or domainname like "http://74.194.191.52/rondo.fbsdpowerpc" or url like "http://74.194.191.52/rondo.fbsdpowerpc" or siteurl like "http://74.194.191.52/rondo.fbsdpowerpc" or domainname like "http://74.194.191.52/rondo.armv5l" or url like "http://74.194.191.52/rondo.armv5l" or siteurl like "http://74.194.191.52/rondo.armv5l" or domainname like "http://83.252.42.112/rondo.i586" or url like "http://83.252.42.112/rondo.i586" or siteurl like "http://83.252.42.112/rondo.i586"

    Detection Query 3:

    dstipaddress IN ("169.255.72.169","74.194.191.52","83.252.42.112","38.59.219.27","45.8.145.203","154.91.254.95","14.103.145.211","14.103.145.212") or srcipaddress IN ("169.255.72.169","74.194.191.52","83.252.42.112","38.59.219.27","45.8.145.203","154.91.254.95","14.103.145.211","14.103.145.212")

    Detection Query 4:

    sha256hash IN ("ebe51f66b2aa42396427b187ae9db031b2bdc91f7b48143f81c439c3c11ef14b","01ae333d518131775dfd3ab76832cb4796cda88630ba7b4b9ce2446ec9192b39","c7c4613cc71d869b85ca7ee000b5a87c07c2e76dd65b3a8d1ab63c39f4db5437","24457ee666362a72a3af8267655413ea26b3a05df6e768b467bdfa5fefbaa14c","160036783c4e7be0a1c9032ec876d47f8b898a0555af4e5fff2ee19a189dfd49","104a156bcf995c35c09ffd27aef713d6d14265e3852fc7184ba046d097a6099e","24b96599749041fd127bd839acea3fc709fdb50ca0b15edd47eb5d1b34936349","08beb97841e761dd8e34d677d1ed6164a259b9ada3c8e4c26e2b25d47011bfd9","1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce","c2be84ecfdb2970f2fa2e4c0e1f4e8eb39b17ee271838490ff847900e8a88fa7","b05278dcd9f975eb202ce08185ec834f5703e476fa2ab421b62f5418ad6d6789","a11a49b298eda9b4557da2a1386c4ea4fd1f0867de5662ad8232bd82cc155253","6a77842da45c4f0668ff880e129ffbce8e7980ea73fd10bd66124133bed88aff","bfde10dfc3aa82e605021372817fa24fda7e00f51726097d65b57d531640c05a","a93430a7f67b31d8309cd90f8d4181199aafafa9951980dc4d28d9ebaaa747ef","cd84c2b486ee129be3334bf006794e84f0b316f9bd96cd84c893b0c92be1f9b9","80947823295dfcb0abcce6c092df506050a6dc90b45538cea594dd27cad45709","f5fbe6915ab7a82654d99562950619b5edaf995528fb2731dd05a8a4246bea89")

    Detection Query 5:

    sender IN ("Makenoise@tutanota.de","Bang2012@protonmail.com") OR recipients IN ("Makenoise@tutanota.de","Bang2012@protonmail.com")
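    The queries above match each payload URL as an exact string, so a new per-architecture build served from the same host would slip past them. The following Python is an added example, not part of the advisory and not Gurucul's TDIR query language: it matches the same indicator families (payload host plus "/rondo.<arch>" path shape, C2 IPs, SHA-256, taken from the lists above, with the hash set trimmed to one entry) over constructed sample events, and the hypothetical "rondo.aarch64" build name shows the generalization firing.

```python
import re
from urllib.parse import urlparse

# Indicator values copied from the advisory above; one sample hash only.
PAYLOAD_HOSTS = {"74.194.191.52", "83.252.42.112", "14.103.145.202"}
C2_IPS = {"74.194.191.52", "38.59.219.27", "83.252.42.112", "169.255.72.169",
          "45.8.145.203", "154.91.254.95", "14.103.145.211", "14.103.145.212"}
MALWARE_SHA256 = {"24b96599749041fd127bd839acea3fc709fdb50ca0b15edd47eb5d1b34936349"}
# One pattern for every build name ("rondo.mips", "rondo.x86_64", ...); it also
# covers the truncated "rondo." entry and architectures not yet on the list.
PAYLOAD_PATH_RE = re.compile(r"^/rondo\.[A-Za-z0-9_-]*$")


def classify_url(url: str):
    """Return a reason string if url points at a RondoDox payload, else None."""
    if not url:
        return None
    parsed = urlparse(url)
    if parsed.hostname in PAYLOAD_HOSTS and PAYLOAD_PATH_RE.match(parsed.path or ""):
        return f"payload-url host={parsed.hostname} path={parsed.path}"
    return None


def classify_event(event: dict):
    """Check one normalised log event (keys: url, src_ip, dst_ip, sha256)."""
    reason = classify_url(event.get("url", ""))
    if reason:
        return reason
    for key in ("dst_ip", "src_ip"):          # mirrors Detection Query 3
        if event.get(key) in C2_IPS:
            return f"c2-ip {key}={event[key]}"
    if event.get("sha256", "").lower() in MALWARE_SHA256:  # Detection Query 4
        return "known-sample sha256"
    return None


def scan_events(events):
    """Return [(index, reason)] for every event that matches an indicator."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify_event(ev))]


# Constructed sample events, not real telemetry. Event 1 uses a hypothetical
# build name; event 4 carries the path shape on an unlisted host and must not fire.
SAMPLE_EVENTS = [
    {"url": "http://74.194.191.52/rondo.mips", "src_ip": "10.0.0.5", "dst_ip": "74.194.191.52"},
    {"url": "http://83.252.42.112/rondo.aarch64", "src_ip": "10.0.0.6", "dst_ip": "83.252.42.112"},
    {"src_ip": "10.0.0.7", "dst_ip": "38.59.219.27"},
    {"sha256": "24B96599749041FD127BD839ACEA3FC709FDB50CA0B15EDD47EB5D1B34936349"},
    {"url": "http://example.invalid/rondo.mips", "src_ip": "10.0.0.8", "dst_ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(idx, reason)
```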

    Reference:

    https://www.trendmicro.com/en_us/research/25/j/rondodox.html

