Jan 01, 2026Ravie LakshmananNetwork Safety / Vulnerability
Cybersecurity researchers have disclosed particulars of a persistent nine-month-long marketing campaign that has focused Web of Issues (IoT) gadgets and net functions to enroll them right into a botnet often called RondoDox.
As of December 2025, the exercise has been noticed leveraging the not too long ago disclosed React2Shell (CVE-2025-55182, CVSS rating: 10.0) flaw as an preliminary entry vector, CloudSEK stated in an evaluation.
React2Shell is the title assigned to a vital safety vulnerability in React Server Parts (RSC) and Subsequent.js that would permit unauthenticated attackers to attain distant code execution on prone gadgets.
In response to statistics from the Shadowserver Basis, there are about 90,300 situations that stay prone to the vulnerability as of December 31, 2025, out of which 68,400 situations are positioned within the U.S., adopted by Germany (4,300), France (2,800), and India (1,500).
RondoDox, which emerged in early 2025, has broadened its scale by including new N-day safety vulnerabilities to its arsenal, together with CVE-2023-1389 and CVE-2025-24893. It is value noting that the abuse of React2Shell to unfold the botnet was beforehand highlighted by Darktrace, Kaspersky, and VulnCheck.
The RondoDox botnet marketing campaign is assessed to have gone via three distinct phases previous to the exploitation of CVE-2025-55182 –
March – April 2025 – Preliminary reconnaissance and guide vulnerability scanning
April – June 2025 – Every day mass vulnerability probing of net functions like WordPress, Drupal, and Struts2, and IoT gadgets like Wavlink routers
July – early December 2025 – Hourly automated deployment on a large-scale
Within the assaults detected in December 2025, the risk actors are stated to have initiated scans to determine weak Subsequent.js servers, adopted by makes an attempt to drop cryptocurrency miners (“/nuts/poop”), a botnet loader and well being checker (“/nuts/bolts”), and a Mirai botnet variant (“/nuts/x86”) on contaminated gadgets.
“/nuts/bolts” is designed to terminate competing malware and coin miners earlier than downloading the principle bot binary from its command-and-control (C2) server. One variant of the instrument has been discovered to take away identified botnets, Docker-based payloads, artifacts left from prior campaigns, and related cron jobs, whereas additionally organising persistence utilizing “/and many others/crontab.”
“It constantly scans /proc to enumerate operating executables and kills non-whitelisted processes each ~45 seconds, successfully stopping reinfection by rival actors,” CloudSEK stated.
To mitigate the danger posed by this risk, organizations are suggested to replace Subsequent.js to a patched model as quickly as doable, phase all IoT gadgets into devoted VLANs, deploy Net Software Firewalls (WAFs), monitor for suspicious course of execution, and block identified C2 infrastructure.
