RondoDox is ramping up its campaign, targeting 174 vulnerabilities with up to 15,000 daily exploit attempts in a more focused operation, according to Bitsight. The analysis notes that 148 of these flaws were mapped to CVEs, 15 have a public PoC but no CVE, and for 11 no public PoC could be found. Trend Micro first spotted the activity in June 2025, when the botnet was exploiting CVE-2023-1389 in TP-Link Archer AX21 routers, a flaw highlighted at Pwn2Own 2023 and still popular with botnets.
In July, FortiGuard Labs reported that RondoDox was exploiting CVE-2024-3721 and CVE-2024-12856. The group has been active since 2024, using custom libraries and mimicking gaming or VPN traffic to evade detection. CloudSEK researchers warned in December that the botnet is exploiting the React2Shell flaw (CVE-2025-55182) to drop malware and cryptominers on vulnerable Next.js servers, with activity continuing into early 2026.
The timeline shows waves of broad testing followed by longer use of a smaller set of effective exploits, culminating in a dramatic drop to two observed vulnerabilities in January 2026.