SECURITYWEEK reports that the RondoDox botnet has expanded its exploit list to 174 vulnerabilities and is adopting a more targeted approach, with activity peaking at about 15,000 exploitation attempts per day. The botnet has been active since at least March 2025, with systematic vulnerability scanning and a shift from a shotgun method to focusing on specific flaws more likely to yield infections, according to Bitsight.
By October it targeted 56 vulnerabilities, including some without CVEs, and in December it was seen targeting React2Shell; now, according to Bitsight, the exploit list has grown to 174 while operators closely follow vulnerability disclosures and push exploits before CVEs are assigned. The piece notes that RondoDox shares traits with Mirai, targets weak credentials and unsanitised input for initial access, and primarily aims to launch distributed denial-of-service attacks rather than infecting additional devices.
Bitsight’s investigation identifies over two dozen IP addresses used for exploitation and payload distribution, with as many as 49 bugs exploited in a single day, most of which are dropped quickly. The report also observes that some vulnerabilities are used just for a day, and that the operators sometimes exploit flaws two days before public disclosure. According to SecurityWeek, there is no loader-as-a-service and P2P functionality reports appear inaccurate. 17 March 2026.