
In a continuing wave of new malware activity, researchers have uncovered a botnet dubbed RondoDox, which is actively exploiting known vulnerabilities in TBK digital video recorders (DVRs) and Four-Faith routers to take over Linux-based devices. These devices—often unpatched and deployed in retail, warehouse, or small office environments—are easy targets for long-term compromise.
RondoDox follows a growing trend in botnet development: stealth-first architecture, multi-platform support, and highly evasive behaviours.
A Surge in Botnet Activity
RondoDox is just one of several new botnets or botnet variants reported in recent weeks. Other recent threats include:
- Hpingbot: Uses Pastebin and hping3 for flexible DDoS payload delivery
- Flodrix variant: A retooled classic with DNS-based evasion and TCP floods
These developments show how attackers are moving beyond brute-force DDoS to build long-term, multi-functional malware ecosystems.
Vulnerabilities Exploited
RondoDox infects devices using:
- CVE-2024-3721: Command injection in TBK DVR-4104 and DVR-4216
- CVE-2024-12856: OS command injection in Four-Faith F3x24 and F3x36 routers
These exploits have been used before in Mirai variants and continue to pose real-world risks due to widespread device exposure and lack of maintenance.
How RondoDox Works
The malware is distributed via a shell script that:
- Detects CPU architecture (supports ARM, MIPS, x86, PowerPC, and more)
- Checks for writable directories (/var/tmp, /mnt, /dev, etc.)
- Ignores termination signals (SIGINT, SIGQUIT, SIGTERM)
- Downloads and executes the payload
- Clears shell history to hide activity
Once installed, the malware ensures persistence and actively kills off:
- Network tools (e.g., wget, curl)
- Analysis tools (e.g., gdb, Wireshark)
- Competing malware processes (e.g., miners or Redtail variants)
It even renames critical Linux binaries like iptables, ufw, and shutdown to random strings, making recovery and remediation much harder.
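As an added example (not code from the post or from FastNetMon), a small host triage script that turns the two behaviours above into defender-side checks: it verifies that the binaries RondoDox is reported to rename or kill still resolve on PATH, and flags random-looking executable names in the system bin directories. The name heuristic, its thresholds and the directory list are assumptions.

```python
"""Host triage for RondoDox-style tampering (added example, not from the post).
Check 1: binaries the malware renames (iptables, ufw, shutdown) or kills
(wget, curl) should still resolve on PATH.
Check 2: system bin directories should not contain random-looking names.
The name heuristic, thresholds and directory list are assumptions."""
import os
import shutil
from pathlib import Path

EXPECTED = ["iptables", "ufw", "shutdown", "wget", "curl"]   # named in the post
BIN_DIRS = ["/sbin", "/usr/sbin", "/bin", "/usr/bin"]        # assumed locations
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic: Unix tool names are lowercase and mostly pronounceable.
    Flag names of 8+ chars that mix upper/lower case or have almost no
    vowels among their letters. Expect some false positives; review hits."""
    if len(name) < 8:
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    mixed_case = any(c.isupper() for c in letters) and any(c.islower() for c in letters)
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    return mixed_case or vowel_ratio < 0.15


def missing_binaries(expected=EXPECTED, which=shutil.which):
    """Return expected tools that no longer resolve on PATH (renamed/removed)."""
    return [b for b in expected if which(b) is None]


def suspicious_names(names):
    """Reduce a list of file names to the random-looking ones, sorted."""
    return sorted(n for n in names if looks_random(n))


def scan_bin_dirs(dirs=BIN_DIRS):
    """Collect executable file names from the bin directories and filter them."""
    names = []
    for d in dirs:
        p = Path(d)
        if p.is_dir():
            names.extend(f.name for f in p.iterdir()
                         if f.is_file() and os.access(f, os.X_OK))
    return suspicious_names(names)


if __name__ == "__main__":
    print("missing expected binaries:", missing_binaries())
    print("random-looking executables:", scan_bin_dirs())
```

Run it as root on a suspect device and compare the output against a known-good host of the same image; a missing iptables or ufw together with new random-looking names in /sbin is the pattern the post describes.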
DDoS and Proxy Infrastructure
RondoDox contacts a C2 server to receive commands for DDoS attacks over HTTP, UDP, and TCP. But it goes further: it can masquerade as gaming, VPN, or chat traffic to blend in with legitimate usage and avoid detection.
This includes emulating traffic patterns from:
- Valve, Roblox, Fortnite, GTA
- Discord, WireGuard, OpenVPN
- Custom tunneling and RTC services
This makes it difficult for defenders to distinguish malicious traffic from real user activity.
More on Botnets: How They Work and Why They’re Evolving
To understand how threats like RondoDox fit into the broader ecosystem, check out our foundational posts:
- What is a Botnet?: A primer on the anatomy of botnets and how they gain control of devices
- The Evolution of Modern Botnets: From Mirai to multi-functional proxy networks and evasion frameworks
FastNetMon’s View
RondoDox is a powerful example of where botnet design is heading: cross-architecture, stealth-oriented, and multi-purpose. It’s not just about DDoS anymore. Attackers are building long-lasting infrastructure to support fraud, tunneling, and advanced attack staging.
FastNetMon continues to track these threats closely. Our real-time network analytics and anomaly detection can help identify and mitigate abnormal traffic—even when it’s disguised as something legitimate.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com.