Posts

Showing posts from July, 2025

RondoDox Botnet: Rando In Your Router

The RondoDox botnet is a network of compromised Internet-connected devices, including MIPS-based embedded systems such as routers and IoT devices. Our honeypot data has recorded attempts by RondoDox to compromise systems, demonstrating exploitation of vulnerabilities or weak credentials to gain control over devices that can then be used for activities like DDoS attacks, spam campaigns, credential stuffing, or illicit cryptocurrency mining. Since June 2025, Sicehice has seen an uptick in exploitation of common router CVEs that lead to RondoDox botnet infections. The malware infects the target device with a dropper-like shell script that downloads a final-stage payload. Sicehice observed the first evidence of RondoDox as early as 2025-06-04 02:43:31. The following source IP addresses are the origination point of the activity:

IP | AS | Country
45.135.194.11 | AS 51396 (Pfcloud UG) | The Netherlands (NL)
45.135.194.34 | AS 51396 (Pfcloud UG) | The Netherlands (NL)
...