
New Botnet “RondoDox” Targets Unpatched DVRs and Routers for Stealthy DDoS Campaigns

In a continuing wave of new malware activity, researchers have uncovered a botnet dubbed RondoDox, which is actively exploiting known vulnerabilities in TBK digital video recorders (DVRs) and Four-Faith routers to take over Linux-based devices. These devices—often unpatched and deployed in retail, warehouse, or small office environments—are easy targets for long-term compromise.

RondoDox follows a growing trend in botnet development: stealth-first architecture, multi-platform support, and highly evasive behaviours.

A Surge in Botnet Activity

RondoDox is just one of several new botnets or botnet variants reported in recent weeks. Other recent threats include:

These developments show how attackers are moving beyond one-off volumetric DDoS floods to build long-lived, multi-purpose malware ecosystems that can be rented out or repurposed for other crime.

Vulnerabilities Exploited

RondoDox infects devices using:

These exploits have been used before in Mirai variants and continue to pose real-world risks due to widespread device exposure and lack of maintenance.

How RondoDox Works

The malware is distributed via a shell script that:

Once installed, the malware ensures persistence and actively kills off:

It even renames critical Linux binaries like iptables, ufw, and shutdown to random strings. The file contents are untouched; only the name changes, so a responder can still locate the tool by hash, but anything that looks the binary up by its usual path (remediation scripts, cron jobs, a technician typing `iptables`) fails, making recovery and remediation much harder.
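One way to triage that behaviour on a suspect device, as an added example for this post (not FastNetMon's code and not derived from the RondoDox sample): because a rename changes the path but not the bytes, hashing every file in a system bin directory and comparing against known-good hashes recovers which random-named file is really iptables. The script assumes `sha256sum` is available and that, in real use, the known-good list is produced on a clean device running the same firmware; here both the clean and the infected directories are constructed from placeholder files so it runs offline.

```shell
#!/bin/sh
# Added example, not FastNetMon's code or anything from the RondoDox sample.
# ASSUMPTION: sha256sum exists; known-good hashes would normally come from a
# clean reference device. The demo below builds placeholder files instead.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# build_known_good CLEAN_DIR NAME...: print "hash name" for each expected tool.
build_known_good() {
  dir=$1; shift
  for name in "$@"; do
    printf '%s %s\n' "$(hash_file "$dir/$name")" "$name"
  done
}

# audit_bins DIR KNOWN_FILE: for each known-good entry print one of
#   OK       name              (present under its own name, content matches)
#   RENAMED  name -> newname   (same content found under another name)
#   MISSING  name              (content not found anywhere in DIR)
# Returns the number of entries that are not OK.
audit_bins() {
  dir=$1; known=$2; bad=0
  while read -r h name; do
    if [ -f "$dir/$name" ] && [ "$(hash_file "$dir/$name")" = "$h" ]; then
      echo "OK       $name"
      continue
    fi
    found=""
    for f in "$dir"/*; do
      [ -f "$f" ] || continue
      if [ "$(hash_file "$f")" = "$h" ]; then
        found=$(basename "$f"); break
      fi
    done
    if [ -n "$found" ]; then
      echo "RENAMED  $name -> $found"
    else
      echo "MISSING  $name"
    fi
    bad=$((bad + 1))
  done < "$known"
  return "$bad"
}

# demo: constructed clean and infected directories. Two tools are renamed to
# random-looking strings the way the post describes; one is deleted outright.
# Prints the audit plus a final "NOT_OK=<n>" line and always exits 0.
demo() {
  work=$(mktemp -d)
  mkdir "$work/clean" "$work/infected"
  for name in iptables ufw shutdown; do
    printf 'placeholder ELF contents for %s\n' "$name" > "$work/clean/$name"
    chmod 755 "$work/clean/$name"
    cp "$work/clean/$name" "$work/infected/$name"
  done
  mv "$work/infected/iptables" "$work/infected/qZf8kLwTxv"   # renamed
  mv "$work/infected/shutdown" "$work/infected/Hm3pRdYcUa"   # renamed
  rm "$work/infected/ufw"                                      # deleted
  build_known_good "$work/clean" iptables ufw shutdown > "$work/known.txt"
  if audit_bins "$work/infected" "$work/known.txt"; then
    not_ok=0
  else
    not_ok=$?
  fi
  echo "NOT_OK=$not_ok"
  rm -rf "$work"
  return 0
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it with `sh triage.sh run`. On a real device, point `build_known_good` at the clean firmware's `/sbin` and `/usr/sbin` and `audit_bins` at the same directories on the suspect unit; a RENAMED line tells you both that the malware was there and where your firewall binary now lives.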

DDoS and Proxy Infrastructure

RondoDox contacts a C2 server to receive commands for DDoS attacks over HTTP, UDP, and TCP. But it goes further: it can masquerade as gaming, VPN, or chat traffic to blend in with legitimate usage and avoid detection.

This includes emulating traffic patterns from:

This makes it difficult for defenders to distinguish malicious traffic from real user activity.
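The practical consequence is that port- or protocol-based allow-lists stop helping: a flood aimed at a game-server port is still a flood. The following added example (not FastNetMon's detection logic, and not code from the RondoDox sample) aggregates constructed flow records per destination per second and alerts on volume alone, ignoring the port. The record format (epoch second, source, destination, destination port, protocol, packet count) and the sample values are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not FastNetMon's code or anything from the RondoDox sample.
# Flow records are constructed; format is an assumption:
#   epoch_second src dst dport proto packets

sample_flows() {
  cat <<'EOF'
1700000000 10.0.0.5 203.0.113.10 443 tcp 12
1700000000 10.0.0.6 203.0.113.10 443 tcp 9
1700000000 192.0.2.11 203.0.113.20 27015 udp 4000
1700000000 192.0.2.12 203.0.113.20 27015 udp 3800
1700000000 192.0.2.13 203.0.113.20 27015 udp 4100
1700000001 10.0.0.5 203.0.113.10 443 tcp 10
1700000001 192.0.2.11 203.0.113.20 27015 udp 4200
1700000001 192.0.2.14 203.0.113.20 27015 udp 3900
1700000001 192.0.2.15 203.0.113.20 1194 udp 3700
EOF
}

# detect_floods THRESHOLD_PPS: reads flow records on stdin, sums packets per
# destination per second, and prints
#   ALERT <dst> second=<t> pps=<n> sources=<k>
# for every destination/second above the threshold. The destination port is
# deliberately not part of the key: traffic labelled as a game port (27015)
# or OpenVPN (1194) is judged on its volume, not on its disguise.
detect_floods() {
  awk -v thr="$1" '
    {
      key = $3 " " $1            # destination + second
      pps[key] += $6
      src[key, $2] = 1           # distinct sources per key
    }
    END {
      for (key in pps) {
        if (pps[key] > thr) {
          n = 0
          for (k in src) { split(k, p, SUBSEP); if (p[1] == key) n++ }
          split(key, d, " ")
          printf "ALERT %s second=%s pps=%d sources=%d\n", d[1], d[2], pps[key], n
        }
      }
    }' | sort
}

if [ "${1:-}" = "run" ]; then sample_flows | detect_floods 5000; fi
```

With a 5000 pps threshold the two seconds of disguised UDP towards 203.0.113.20 are reported and the ordinary HTTPS traffic to 203.0.113.10 is not. In production the same aggregation would run over exported NetFlow/sFlow/IPFIX records rather than a heredoc, and the threshold would be set per destination from a learned baseline.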

More on Botnets: How They Work and Why They’re Evolving

To understand how threats like RondoDox fit into the broader ecosystem, check out our foundational posts:

FastNetMon’s View

RondoDox is a powerful example of where botnet design is heading: cross-architecture, stealth-oriented, and multi-purpose. It’s not just about DDoS anymore. Attackers are building long-lasting infrastructure to support fraud, tunneling, and advanced attack staging.

FastNetMon continues to track these threats closely. Our real-time network analytics and anomaly detection can help identify and mitigate abnormal traffic—even when it’s disguised as something legitimate.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com
