Recent RondoDox botnet enrollment attacks have been targeting Next.js servers vulnerable to React2Shell, CloudSEK reports.
The targeted security defect, tracked as CVE-2025-55182, impacts systems relying on version 19 of the popular open source JavaScript library React that use React Server Components (RSC).
Publicly disclosed on December 3, 2025, React2Shell also impacts frameworks that build on React, such as Next.js, React Router, RedwoodSDK, and Waku.
The bug allows unauthenticated attackers to send specially crafted HTTP requests to React Server Function endpoints and achieve remote code execution (RCE).
Exploitation of the flaw started within days of public disclosure and was initially associated with China-linked threat groups. A week later, multiple threat actors were seen targeting vulnerable instances.
According to CloudSEK, the RondoDox botnet's operators joined the fray during that timeframe, and for the past three weeks have focused on exploiting Next.js instances affected by React2Shell.
Between December 8 and 16, they were seen scanning for vulnerable servers through blind RCE testing. On December 13, they started deploying malicious payloads.
The RondoDox operators were seen dropping a botnet support framework designed to purge the host of other botnets and cryptocurrency miners, deploy the bot client, and establish persistence. A miner and a Mirai variant were also installed on the compromised systems.
While the botnet's React2Shell exploitation activity involved a Linux-focused payload, RondoDox is known for taking an exploit shotgun approach to infecting devices.
The first exploitation attempts associated with the botnet, CloudSEK says, occurred in March 2025, while systematic vulnerability scanning started in early April.
The operators engaged in widespread vulnerability probing between April and June and started deploying the bot client in July.
Since then, they have been ensnaring internet-facing routers, IP cameras, and network appliances into the botnet, using payloads for x86, x86_64, MIPS, ARM, and PowerPC architectures.
In addition to exploiting web applications for initial access, RondoDox attacks involve credential theft and lateral movement, CloudSEK notes.
