Update: RondoDox Botnet Evolves into Multi-Vector IoT Threat Exploiting 50+ Vulnerabilities
RondoDox is a fast-growing IoT botnet active since early 2025, exploiting over 50 known vulnerabilities across routers, CCTV systems, DVRs, and web servers. Its modular Go-based architecture lets operators deploy custom exploits and cross-platform payloads, and it uses encrypted command-and-control traffic to keep its persistence stealthy. Trend Micro researchers first identified the botnet in April 2025 through traffic analysis tied to compromised DVRs, later confirming global exploitation activity. Infection chains typically begin with scans for open Telnet, SSH, and HTTP interfaces before leveraging vulnerabilities such as CVE-2023-1389 to gain remote shell access. Once established, RondoDox maintains persistence through device-specific methods, such as Linux crontab entries or firmware tampering, allowing it to survive reboots. Recent campaigns use a "loader-as-a-service" model to distribute RondoDox alongside Mirai variants, increasing its reach and complexity. The botnet's "exploit shotgun" strategy, reusing exploits from events like Pwn2Own, highlights a shift toward multi-vector IoT targeting. Analysts recommend immediate patching of affected devices, active monitoring for anomalous traffic, and network segmentation to limit further compromise.
Payroll Pirate Targets U.S. Universities, Linked to Storm-2657
Microsoft’s Threat Intelligence team has discovered an ongoing cybercrime campaign called “payroll pirate,” targeting U.S. university payroll systems since March 2025. The financially motivated actor tracked as Storm-2657 infiltrates employee accounts through sophisticated phishing attacks that harvest multi-factor authentication (MFA) codes, leveraging adversary-in-the-middle (AiTM) tactics. Once inside, attackers breach Exchange Online and HR software such as Workday, manipulating inbox rules to conceal activity and altering direct deposit details to reroute salaries into accounts they control. Storm-2657’s phishing lures are highly convincing, masquerading as HR updates or health alerts and often embedding Google Docs links to evade filters in academic contexts. Microsoft observed 11 compromised employee accounts at three universities, which sent phishing emails to nearly 6,000 users across 25 institutions, covering topics such as illness exposures and faculty misconduct. Attackers further achieve persistence by registering their own phone numbers for MFA approval within victim profiles, ensuring ongoing, undetected access. Detection is challenging because malicious rules and modified payroll configurations are actively hidden from victims. Identifying attacks requires correlating signals across Exchange Online and Workday logs. Microsoft emphasizes that these incidents exploit MFA misconfigurations and weak user practices, not flaws in the Workday platform itself. The company recommends transitioning to phishing-resistant authentication such as FIDO2 security keys, passkeys, and Windows Hello, especially for privileged roles. In case of compromise, best practices include resetting credentials, removing rogue MFA devices, purging malicious mail rules, and promptly reversing unauthorized payroll changes. Universities are urged to enforce modern MFA controls and cross-system monitoring to protect employee accounts and payroll data against future attacks. 
This campaign underscores the urgent need for identity security upgrades and persistent vigilance in academic environments.
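The advisory's point that these intrusions only become visible when Exchange Online and Workday signals are correlated per user can be made concrete. The following is an added example, not Microsoft's detection logic or any product's query: it runs over constructed audit events (the field names, the "MFA" source and the sample users are assumptions) and flags any user whose Workday direct-deposit change is preceded within a short window by a new inbox rule or a newly registered MFA phone, the combination the page describes.

```python
"""Correlate constructed Exchange Online, Workday and MFA-registration events per user."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names and the "MFA" source are assumptions for
# illustration, not a real product schema. The first user shows the pattern from
# the advisory; the second has an unrelated, months-old inbox rule.
SAMPLE_EVENTS = [
    {"ts": "2025-03-12T09:02:00", "source": "ExchangeOnline", "user": "jdoe@uni.example",
     "action": "New-InboxRule", "detail": "move messages matching 'payroll' out of Inbox"},
    {"ts": "2025-03-12T09:40:00", "source": "MFA", "user": "jdoe@uni.example",
     "action": "RegisterPhone", "detail": "new phone number added"},
    {"ts": "2025-03-14T16:10:00", "source": "Workday", "user": "jdoe@uni.example",
     "action": "DirectDepositChange", "detail": "bank routing/account updated"},
    {"ts": "2025-03-13T11:00:00", "source": "Workday", "user": "asmith@uni.example",
     "action": "DirectDepositChange", "detail": "bank routing/account updated"},
    {"ts": "2025-02-01T08:00:00", "source": "ExchangeOnline", "user": "asmith@uni.example",
     "action": "New-InboxRule", "detail": "flag newsletters"},
]


def correlate(events, window_days=7):
    """Return {user: [reasons]} for every direct-deposit change that is preceded,
    within `window_days`, by a new inbox rule and/or a new MFA phone registration."""
    window = timedelta(days=window_days)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = {}
    for user, evs in by_user.items():
        deposits = [e for e in evs
                    if e["source"] == "Workday" and e["action"] == "DirectDepositChange"]
        for d in deposits:
            reasons = []
            for e in evs:
                # Only look at precursor events inside the window before the payroll change.
                if e is d or not (d["ts"] - window <= e["ts"] <= d["ts"]):
                    continue
                if e["source"] == "ExchangeOnline" and e["action"] == "New-InboxRule":
                    reasons.append(f"inbox rule created {e['ts']:%Y-%m-%d}: {e['detail']}")
                elif e["source"] == "MFA" and e["action"] == "RegisterPhone":
                    reasons.append(f"new MFA phone registered {e['ts']:%Y-%m-%d}")
            if reasons:
                findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in correlate(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

A hit is a review trigger, not proof of compromise; the response steps the advisory lists (credential reset, removal of rogue MFA devices, purging the rule, reversing the payroll change) apply once the user confirms the change was not theirs.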
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.