A newly identified botnet, RondoDox, is rapidly spreading across consumer and small-office routers, building a large-scale proxy infrastructure used by attackers for cybercrime, anonymity, and fraud operations. According to researchers, the campaign exploits unpatched firmware vulnerabilities and weak administrative credentials, giving attackers complete control over exposed routers.
Once infected, routers communicate through peer-to-peer (P2P) protocols that make the network resilient against takedown attempts. The malware operates silently, converting compromised routers into nodes for illicit proxy and VPN-like services.
Exploiting Router Weaknesses
RondoDox spreads primarily through automated scanning of internet-connected routers.
Attackers exploit outdated firmware or default credentials, then deploy a lightweight binary designed to persist through reboots and firmware updates. Once deployed, the malware modifies iptables configurations, hijacks DNS settings, and disables security updates. It then establishes encrypted connections to command-and-control (C2) servers hosted across bulletproof VPS providers, allowing attackers to remotely issue commands.
The malware’s modular structure enables additional payloads for cryptomining, credential theft, and traffic redirection, all masked behind legitimate network activity.
A Global Proxy-as-a-Service Network
Researchers discovered that RondoDox doesn’t only collect data; it’s also being used to sell proxy access to other cybercriminals. This operation resembles SOCKS proxy rental services, where bad actors rent access to compromised devices for anonymizing illegal traffic.
Such proxies enable phishing campaigns, credential stuffing, ad fraud, and evading geolocation restrictions. Investigators estimate that tens of thousands of infected routers are already acting as proxy endpoints in the botnet’s distributed network. The infrastructure effectively turns home routers into a black-market privacy network, similar in structure to VPN botnets used in spam and DDoS attacks.
Attribution and Activity Tracking
While attribution remains uncertain, early forensic indicators suggest that RondoDox may share code lineage with older IoT botnets such as Mirai, Mozi, and Dark Nexus. Researchers from Akamai and NetLab 360 identified identical encryption routines and command syntax patterns used in prior botnet variants.
The botnet’s operators appear to be commercializing access rather than conducting political or state-sponsored activity, though nation-state actors could easily leverage the same infrastructure.
Experts warn that the commercialization of botnets-as-proxy-services continues to blur the line between cybercrime and espionage.
Security experts recommend the following countermeasures:
- Update router firmware immediately and disable remote management.
- Change default admin credentials and use strong passphrases.
- Deploy network intrusion detection systems (NIDS) to monitor router traffic anomalies.
- Block outbound traffic to known RondoDox C2 domains.
- Replace unsupported router models that cannot receive patches.
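The article describes three router-side symptoms of a RondoDox-style compromise (rewritten iptables rules, hijacked DNS settings, and encrypted outbound sessions to C2 hosts) and recommends monitoring for anomalies and blocking known C2 domains. The following audit script is an added example, not code from the article or from any of the research teams it cites: it reads an exported resolv.conf, an iptables-save dump, and a list of flow records, and flags the indicators above. The trusted-resolver set, the WAN interface name (eth0), the blocklist entries (example.invalid placeholders, since the article publishes no C2 domains) and all sample inputs are constructed assumptions.

```python
"""Audit router configuration exports for DNS hijacking, traffic-redirecting
or WAN-exposing firewall rules, and outbound flows to blocklisted C2 names.
Added example; every input below is a constructed sample."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

TRUSTED_RESOLVERS = {"192.0.2.53", "1.1.1.1"}  # assumption: ISP resolver + public fallback
WAN_IFACE = "eth0"                              # assumption: the router's upstream interface
C2_BLOCKLIST = {"c2.example.invalid", "proxy-hub.example.invalid"}  # placeholder feed entries


@dataclass
class Findings:
    dns: list[str] = field(default_factory=list)
    firewall: list[str] = field(default_factory=list)
    c2: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.dns or self.firewall or self.c2)


def check_resolvers(resolv_conf: str) -> list[str]:
    """Flag nameserver entries that are not in the operator's trusted set."""
    flagged = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("nameserver"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            flagged.append(f"unparseable resolver entry: {line}")
            continue
        if addr not in TRUSTED_RESOLVERS:
            flagged.append(f"untrusted resolver: {addr}")
    return flagged


def check_iptables(dump: str) -> list[str]:
    """Walk an iptables-save dump: flag DNS redirection in the nat table and
    ACCEPT rules that open a port on the WAN interface (remote management)."""
    flagged = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
            continue
        if not line.startswith("-A"):            # only rule lines matter
            continue
        if table == "nat" and re.search(r"-j (DNAT|REDIRECT)\b", line) and "--dport 53" in line:
            flagged.append(f"DNS traffic redirected: {line}")
        if (table == "filter" and line.startswith("-A INPUT") and f"-i {WAN_IFACE}" in line
                and "-j ACCEPT" in line and "--dport" in line):
            flagged.append(f"service exposed on WAN: {line}")
    return flagged


SNI_RE = re.compile(r"sni=([A-Za-z0-9.-]+)")


def _is_blocked(domain: str) -> bool:
    """Exact or subdomain match against the blocklist."""
    d = domain.lower().rstrip(".")
    return any(d == b or d.endswith("." + b) for b in C2_BLOCKLIST)


def check_connections(log_lines: list[str]) -> list[str]:
    """Flag outbound flows whose TLS SNI is on the C2 blocklist."""
    return [line for line in log_lines
            if (m := SNI_RE.search(line)) and _is_blocked(m.group(1))]


def audit(resolv_conf: str, iptables_dump: str, conn_log: list[str]) -> Findings:
    return Findings(dns=check_resolvers(resolv_conf),
                    firewall=check_iptables(iptables_dump),
                    c2=check_connections(conn_log))


# Constructed samples: one hijacked resolver, a DNS DNAT rule, a WAN-exposed
# port, and one flow to a blocklisted subdomain.
SAMPLE_RESOLV = """\
# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 198.51.100.7
"""

SAMPLE_IPTABLES = """\
*nat
-A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 198.51.100.7:53
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT
-A INPUT -i br-lan -j ACCEPT
COMMIT
"""

SAMPLE_CONNLOG = [
    "2025-01-01T00:00:01Z 192.0.2.1 -> 203.0.113.9:443 sni=firmware.vendor.example",
    "2025-01-01T00:00:05Z 192.0.2.1 -> 203.0.113.44:8443 sni=node7.c2.example.invalid",
]

if __name__ == "__main__":
    result = audit(SAMPLE_RESOLV, SAMPLE_IPTABLES, SAMPLE_CONNLOG)
    for section, items in (("DNS", result.dns), ("firewall", result.firewall), ("C2", result.c2)):
        for item in items:
            print(f"[{section}] {item}")
    print("clean" if result.is_clean() else "indicators found")
```

In practice the three inputs would come from the router's own export or from a NIDS flow log rather than embedded strings; the checks are deliberately conservative (trusted-set comparison, explicit DNAT/REDIRECT on port 53, ACCEPT on the WAN interface, blocklist match) so that a hit is actionable rather than a heuristic guess.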
ISPs should proactively scan for infected devices within their customer networks to limit RondoDox’s reach.
According to researchers from Shadowserver Foundation and Team Cymru, RondoDox represents a renewed trend of exploiting edge devices for anonymization. These networks provide cheap, resilient infrastructure for cybercriminal operations while evading detection by conventional enterprise monitoring tools.
The rise of RondoDox underscores the urgent need for IoT security standards and automated firmware update mechanisms to prevent routers from becoming cybercrime infrastructure.
The RondoDox botnet demonstrates how insecure edge devices have become valuable assets for cybercriminal operations. By turning ordinary routers into components of a global proxy ecosystem, attackers gain anonymity, resilience, and profit.
As researchers continue tracking RondoDox, the campaign serves as a stark reminder that home and SMB routers remain one of the weakest links in the global cybersecurity chain.