So my honeypot just caught something interesting: RedTail malware hitting exposed Docker APIs on port 2375/tcp.
For context, RedTail is typically known for exploiting PHP vulnerabilities, PAN-OS, and Ivanti, but not a single vendor mentions Docker in their threat reports.
I did a pretty extensive research dive across:
What I confirmed:
Two theories:
Has anyone else seen similar activity?
Through our honeypot (https://github.com/mariocandela/beelzebub), I've identified a major evolution of the RondoDox botnet, first reported by FortiGuard Labs in 2024.
The newly discovered RondoDox v2 shows a dramatic leap in sophistication and scale:
- +650% increase in exploit vectors (75+ CVEs observed)
- New C&C infrastructure on compromised residential IPs
- 16 architecture variants
- Open attacker signature: bang2013@atomicmail[.]io
- Targets expanded from DVRs and routers to enterprise systems
The full report includes:
- In-depth technical analysis (dropper, ELF binaries, XOR decoding)
- Full IOC list
- YARA and Snort/Suricata detection rules
- Discovery timeline and attribution insights
I've just published my analysis on RondoDox v2, and the numbers speak for themselves: +650% exploit vectors compared to v1 documented by FortiGuard Labs.
Key Findings:
- 15+ exploitation vectors (from 2 CVEs to enterprise-grade attacks)
- C&C on compromised residential IP (multiple AWS EC2)
- 16 architectures supported with XOR obfuscation (key: 0x21)
- Open attribution: [bang2013@atomicmail.io](mailto:bang2013@atomicmail.io)
What concerns me:
The jump from consumer DVR/routers to enterprise targets demonstrates an aggressive expansion strategy.
We're no longer talking about a "simple" DDoS botnet.
IOCs and detection rules: YARA, Snort/Suricata and complete IOC list available in the full post.
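As an added illustration of the XOR-obfuscated ELF detail mentioned above (this is example code written for this page, not code from the posts or from the Beelzebub project): a small triage helper that locates an ELF magic encoded with the 0x21 key the post reports, decodes the header, and labels the architecture variant. It also generalizes to brute-forcing any single-byte key. The sample payload is constructed inline; `recover_key` and the other function names are assumptions of this example.

```python
from typing import Optional

ELF_MAGIC = b"\x7fELF"
XOR_KEY = 0x21  # single-byte key reported for RondoDox v2 in the post

# Small e_machine table for labelling the decoded header (values from the ELF spec).
_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_xored_elf(blob: bytes, key: int = XOR_KEY) -> int:
    """Offset of an ELF magic obfuscated with `key`, or -1 if none is present."""
    return blob.find(xor_bytes(ELF_MAGIC, key))


def recover_key(blob: bytes) -> Optional[int]:
    """Brute-force the single-byte key: the first key whose encoded magic appears in blob."""
    for key in range(256):
        if find_xored_elf(blob, key) >= 0:
            return key
    return None


def decode_elf(blob: bytes, key: int = XOR_KEY) -> Optional[bytes]:
    """Return the decoded bytes from the ELF magic onward, or None if not found."""
    off = find_xored_elf(blob, key)
    return None if off < 0 else xor_bytes(blob[off:], key)


def elf_arch(elf: bytes) -> str:
    """Read EI_DATA and e_machine from a decoded ELF header to name the architecture."""
    if len(elf) < 20 or elf[:4] != ELF_MAGIC:
        return "not-elf"
    endian = "little" if elf[5] == 1 else "big"  # EI_DATA: 1 = LSB, 2 = MSB
    machine = int.from_bytes(elf[18:20], endian)  # e_machine sits at offset 18
    return _MACHINES.get(machine, f"unknown(0x{machine:02x})")


# Constructed sample (not a real malware artifact): a 20-byte 32-bit little-endian
# ARM ELF header stub, XORed with 0x21 and preceded by a junk prefix.
_SAMPLE_ELF = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8) + b"\x02\x00" + b"\x28\x00"
SAMPLE_PAYLOAD = b"junk" + xor_bytes(_SAMPLE_ELF, XOR_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_PAYLOAD)
    print(f"key=0x{key:02x} offset={find_xored_elf(SAMPLE_PAYLOAD, key)} arch={elf_arch(decode_elf(SAMPLE_PAYLOAD, key))}")
```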