"by the same malware ), and then attempts to download malware of a specific platform type, and attempt to execute it, renaming and deleting these files as needed. this entire section is repeated many times, once for each architecture noted in table 4 above. mkdir lib ( chmod 755 l…"
T1190 Exploit Public-Facing Application
98%
"of tools, via the use of chained commands that try one command, then another, and then another, such as we can see here with the use of wget, then curl, then busybox. along with that, the attempts to download and execute a wide variety of second stages to find one that runs, with…"
T1190 Exploit Public-Facing Application
97%
"endpoints. - cve - 2020 - 10987 : the setusbunload endpoint in tenda ac15 and ac1900 routers contains a command injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary system commands. - cve - 2020 - 9054 : a command injection vulnerability in …"
T1190 Exploit Public-Facing Application
96%
"their router firmware and consider replacing older devices that may no longer receive updates. cve - 2024 - 4577, an apache php - cgi argument injection rce, has seen a significant increase in activity. this vulnerability can be exploited to execute arbitrary commands on a server…"
T1190 Exploit Public-Facing Application
95%
"top five, with 2, 183 and 2, 154 attempts, respectively. notably, cve - 2025 - 31324, a relatively new vulnerability, has entered the top 10, indicating its growing exploitation. meanwhile, cve - 2020 - 8958 experienced a sharp decline, dropping seven ranks. table 7 : top 10 cves…"
T1190 Exploit Public-Facing Application
89%
"execute arbitrary commands as the root user. - cve - 2023 - 23333 : a command injection vulnerability in downloader. php within solarview compact devices allows an unauthenticated remote attacker to execute arbitrary commands. - cve - 2023 - 41011 : a command execution vulnerabil…"
T1190 Exploit Public-Facing Application
79%
"strings seen related to this threat actor. rondodox conclusion of course, this actor isn ’ t necessarily targeting advanced organizations with highly capable defenses. rather, this is an attempt to build a botnet out of iot and other unprotected linux - based devices, using well …"
T1190 Exploit Public-Facing Application
60%
". - cve - 2025 - 4008 : a command injection vulnerability in the web interface of meteobridge allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges. - cve - 2025 - 9528 : a vulnerability in the linksys e1700 router ' s systemcommand function…"
T1059.006 Python
59%
". - cve - 2025 - 4008 : a command injection vulnerability in the web interface of meteobridge allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges. - cve - 2025 - 9528 : a vulnerability in the linksys e1700 router ' s systemcommand function…"
T1587.004 Exploits
51%
"as the most exploited cve, with a notable increase in activity compared to the previous month. cve - 2023 - 1389 remains in second place, showing steady activity. cve - 2024 - 4577 has climbed to third place, overtaking cve - 2019 - 9082 and cve - 2022 - 24847, which now occupy t…"
T1105 Ingress Tool Transfer
43%
". aarch64 *. i486 *. i586 *. i686 *. x86 *. x86 _ 64 *. x86 _ 32 *. m68k *. mips *. mipsel *. mpsl *. powerpc *. ppc *. powerpc - 440fp *. sh4 *. sparc *. spc *. csky ; rm - f / var / tmp /. t echo > / media /. t & & cd / media ; rm - f / media /. t echo > / usr / bin /. t & & cd…"
T1070.004 File Deletion
41%
"& & kill - 9 " $ pid " & & break ; # if the process runs a binary in one of these directories, kill it done ; done the script then attempts disable selinux and apparmor protections, remount the ‘ / ’ partition to be read - write, and various cache files. setenforce 0 service appa…"
T1584.005 Botnet
35%
"tracking rondodox : malware exploiting many iot vulnerabilities the sensor intel series is created in partnership with efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry. additional insights and contributions provided by the f5 t…"
T1055.001 Dynamic-link Library Injection
33%
". aarch64 *. i486 *. i586 *. i686 *. x86 *. x86 _ 64 *. x86 _ 32 *. m68k *. mips *. mipsel *. mpsl *. powerpc *. ppc *. powerpc - 440fp *. sh4 *. sparc *. spc *. csky ; rm - f / var / tmp /. t echo > / media /. t & & cd / media ; rm - f / media /. t echo > / usr / bin /. t & & cd…"
T1055.001 Dynamic-link Library Injection
31%
"i586 *. i686 *. x86 *. x86 _ 64 *. x86 _ 32 *. m68k *. mips *. mipsel *. mpsl *. powerpc *. ppc *. powerpc - 440fp *. sh4 *. sparc *. spc *. csky ; rm - f / data / local / tmp /. t echo > / run / user / 0 /. t & & cd / run / user / 0 & & rm - f arc arm arm4 arm5 arm6 arm7 arm8 aa…"
Summary
Over a dozen exploits were used to target IoT devices.