Exploitation of internet-exposed devices is not new, yet we keep seeing threat actors abusing this vector to build botnets. In 2025 a new botnet named RondoDox started making waves due to its aggressive scanning and exploitation approach, making use of dozens of vulnerabilities in internet-exposed devices.
In this talk we'll do a deep technical dive into this fairly new botnet, focusing on the activity observed between its emergence in May 2025 and the end of the year. We'll go over its infection chain, starting with the wide variety of exploits used, and then look into the infrastructure supporting the scanning and exploitation, as well as the dropper and implants. From there we'll dive into the technical details of the malware, focusing on the details that enable researchers to quickly identify it, how its network protocol communicates with the C2, and the diverse DoS capabilities built into the malware at different network layers.
We'll also explore the evolution of the threat through the observed changes in both the infrastructure and the malware, which highlight the active development of this threat, along with some operational details regarding patterns in its activity and the telemetry collected.
By the end of the session the audience will have a comprehensive understanding of this recent threat. The audience will also be able to identify, monitor, and track RondoDox activity within their own environments.