Cybersecurity researchers are calling attention to a malware campaign that’s targeting security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox.

The vulnerabilities in question include CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856, an operating system (OS) command injection bug affecting Four-Faith router models F3x24 and F3x36.

Many of these devices are installed in critical environments like retail stores, warehouses, and small offices, where they often go unmonitored for years. That makes them ideal targets—easy to exploit, hard to detect, and usually exposed directly to the internet through outdated firmware or misconfigured ports.

It’s worth noting that all three security defects have been repeatedly weaponized by threat actors to deploy different Mirai botnet variants in recent months.

“Both [the security flaws] have been publicly disclosed and are actively being targeted, posing serious risks to device security and overall network integrity,” Fortinet FortiGuard Labs researcher Vincent Li said.

The cybersecurity company said it first identified an ELF binary for RondoDox in September 2024. The malware is capable of mimicking traffic from gaming platforms or VPN servers in order to fly under the radar.

What makes RondoDox especially dangerous isn’t just the device takeover—it’s how the attackers repurpose that access. Instead of using infected devices as typical botnet nodes, they weaponize them as stealth proxies to hide command-and-control traffic, carry out layered scams, or amplify DDoS-for-hire campaigns that blend financial fraud with infrastructure disruption.

Analysis of RondoDox artifacts indicates that it was initially distributed to target Linux-based operating systems running on ARM and MIPS architectures, before being distributed via a shell script downloader that can target other Linux architectures like Intel 80386, MC68000, MIPS R3000, PowerPC, SuperH, ARCompact, x86-64, and AArch64.

The shell script, once launched, instructs the victim host to ignore the SIGINT, SIGQUIT, and SIGTERM signals that are used to terminate processes on Unix-like operating systems, and then checks for writable locations such as /dev, /dev/shm, the victim user’s home directory, /mnt, /run/user/0, /var/log, /var/run, /var/tmp, and /data/local/tmp.

In the final step, the RondoDox malware is downloaded and executed on the host, and the command execution history is cleared to remove traces of the malicious activity. The botnet payload, for its part, proceeds to set up persistence on the machine so that it is automatically launched after a system reboot.

It’s also designed to scan the list of running processes and terminate any process related to network utilities (e.g., wget and curl), system analysis tools (e.g., Wireshark and gdb), or other malware (e.g., cryptominers or Redtail variants) so as to maintain operational stealth.
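The dropper behaviour described above leaves two host-side traces a defender can look for: a process whose SigIgn mask covers SIGINT, SIGQUIT and SIGTERM, and an executable running out of one of the writable staging paths. The following is an added example (not code from the Fortinet report) that evaluates both conditions over constructed /proc/<pid>/status excerpts; on a live Linux host the same text comes from /proc/<pid>/status and the path from readlink on /proc/<pid>/exe.

```python
"""Flag processes that ignore SIGINT, SIGQUIT and SIGTERM, or whose executable
sits in one of the writable staging paths the dropper probes. Constructed
/proc/<pid>/status excerpts stand in for a live system."""

# Writable locations named in the report.
STAGING_DIRS = ("/dev", "/dev/shm", "/mnt", "/run/user/0", "/var/log",
                "/var/run", "/var/tmp", "/data/local/tmp")

# Linux numbering: SIGINT=2, SIGQUIT=3, SIGTERM=15. Bit (n-1) of the SigIgn
# field in /proc/<pid>/status is set when signal n is ignored.
KILL_SIGNALS_MASK = (1 << 1) | (1 << 2) | (1 << 14)  # 0x4006

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def ignores_kill_signals(sigign_hex):
    """True when all three termination signals are masked out."""
    return int(sigign_hex, 16) & KILL_SIGNALS_MASK == KILL_SIGNALS_MASK

def in_staging_dir(exe_path):
    return any(exe_path.startswith(d + "/") for d in STAGING_DIRS)

def scan(processes):
    """processes: (status_text, exe_path) pairs -> list of (pid, name, reasons)."""
    findings = []
    for status_text, exe_path in processes:
        fields = parse_status(status_text)
        reasons = []
        if ignores_kill_signals(fields.get("SigIgn", "0")):
            reasons.append("ignores SIGINT/SIGQUIT/SIGTERM")
        if in_staging_dir(exe_path):
            reasons.append("runs from " + exe_path)
        if reasons:
            findings.append((int(fields["Pid"]), fields["Name"], reasons))
    return findings

# Constructed samples: a benign sshd (SigIgn 0x1000 = SIGPIPE only) and a
# process showing both traits described above.
SAMPLES = [
    ("Name:\tsshd\nPid:\t812\nSigIgn:\t0000000000001000\n", "/usr/sbin/sshd"),
    ("Name:\tsh\nPid:\t4711\nSigIgn:\t0000000000004006\n", "/dev/shm/.a"),
]
```

`scan(SAMPLES)` returns only the second entry, with both reasons attached; a legitimate daemon that ignores just SIGPIPE is not flagged.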

This approach reflects a growing trend in botnet design—using multi-architecture droppers, DoH-based C2 resolution, and XOR-encrypted payloads to bypass legacy IDS rules. As part of a broader category of evasive Linux malware, RondoDox sits alongside threats like RustoBot and Mozi, forming a new wave of adaptable botnets built to exploit poor IoT hygiene and weak router hardening.

Furthermore, RondoDox scans several common Linux executable directories, such as /usr/sbin, /usr/bin, /usr/local/bin, and /usr/local/sbin, and renames legitimate executables to random strings with the intent of inhibiting recovery efforts. The modified file names are listed below –

  • iptables – jsuJpf
  • ufw – nqqbsc
  • passwd – ahwdze
  • chpasswd – ereghx
  • shutdown – hhrqwk
  • poweroff – dcwkkb
  • halt – cjtzgw
  • reboot – gaajct

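Because the renaming above changes file names but not file contents, a baseline of content hashes taken from a clean host maps each stray file back to the tool it really is. The following is an added example (not code from the report) that records such a baseline, then audits a directory for watched tools that were renamed or removed; a temporary directory of constructed stand-in binaries plays the role of /usr/sbin, and the two new names used in the demo are taken from the list above.

```python
"""Detect the renaming described above by content hash rather than file name.
A temporary directory of constructed stand-in binaries plays the role of
/usr/sbin; on a real host the baseline comes from a known-good image."""
import hashlib
import os
import tempfile

# Tools the report says get renamed.
WATCHED = ("iptables", "ufw", "passwd", "chpasswd",
           "shutdown", "poweroff", "halt", "reboot")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(bin_dir, names=WATCHED):
    """sha256 -> expected name, recorded while bin_dir is still trusted."""
    return {sha256_of(os.path.join(bin_dir, n)): n for n in names
            if os.path.isfile(os.path.join(bin_dir, n))}

def audit(bin_dir, baseline):
    """Return (renamed, missing); renamed maps current name -> original tool."""
    renamed, present = {}, set()
    for entry in os.scandir(bin_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        original = baseline.get(sha256_of(entry.path))
        if original is None:
            continue          # not one of the watched tools
        present.add(original)
        if entry.name != original:
            renamed[entry.name] = original
    return renamed, sorted(set(baseline.values()) - present)

def demo():
    """Constructed scenario: baseline, then two reported renames and one deletion."""
    with tempfile.TemporaryDirectory() as d:
        for n in WATCHED:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"stand-in binary: " + n.encode())
        baseline = build_baseline(d)
        os.rename(os.path.join(d, "iptables"), os.path.join(d, "jsuJpf"))
        os.rename(os.path.join(d, "ufw"), os.path.join(d, "nqqbsc"))
        os.remove(os.path.join(d, "reboot"))
        return audit(d, baseline)
```

`demo()` returns `({'jsuJpf': 'iptables', 'nqqbsc': 'ufw'}, ['reboot'])`: the two renamed tools are recovered by hash and the deleted one is reported as missing.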
Once the setup process is complete, the malware contacts an external server (83.150.218[.]93) to receive commands to perform distributed denial-of-service (DDoS) attacks against specific targets using HTTP, UDP, and TCP protocols.

“To evade detection, it disguises malicious traffic by emulating popular games and platforms such as Valve, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, GTA, as well as tools like Discord, OpenVPN, WireGuard, and RakNet,” Fortinet said.

“Beyond gaming and chat protocols, RondoDox can also mimic custom traffic from tunneling and real-time communication services, including WireGuard, OpenVPN variants (e.g., openvpnauth, openvpncrypt, openvpntcp), STUN, DTLS, and RTC.”

By impersonating traffic associated with legitimate tools, the malware aims to blend in with normal activity, making it harder for defenders to detect and block it.

“RondoDox is a sophisticated and emerging malware threat that employs advanced evasion techniques, including anti-analysis measures, XOR-encoded configuration data, custom-built libraries, and a robust persistence mechanism,” Li said. “These capabilities allow it to remain undetected and maintain long-term access on compromised systems.”