Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox.
As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an analysis.
React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices.
According to statistics from the Shadowserver Foundation, there are about 90,300 instances that remain susceptible to the vulnerability as of December 31, 2025, out of which 68,400 instances are located in the U.S., followed by Germany (4,300), France (2,800), and India (1,500).
RondoDox, which emerged in early 2025, has broadened its scale by adding new N-day security vulnerabilities to its arsenal, including CVE-2023-1389 and CVE-2025-24893. It’s worth noting that the abuse of React2Shell to spread the botnet was previously highlighted by Darktrace, Kaspersky, and VulnCheck.
The RondoDox botnet campaign is assessed to have gone through three distinct phases prior to the exploitation of CVE-2025-55182 –
- March – April 2025 – Initial reconnaissance and manual vulnerability scanning
- April – June 2025 – Daily mass vulnerability probing of web applications like WordPress, Drupal, and Struts2, and IoT devices like Wavlink routers
- July – early December 2025 – Hourly automated deployment on a large-scale
In the attacks detected in December 2025, the threat actors are said to have initiated scans to identify vulnerable Next.js servers, followed by attempts to drop cryptocurrency miners (“/nuts/poop”), a botnet loader and health checker (“/nuts/bolts”), and a Mirai botnet variant (“/nuts/x86”) on infected devices.
“/nuts/bolts” is designed to terminate competing malware and coin miners before downloading the main bot binary from its command-and-control (C2) server. One variant of the tool has been found to remove known botnets, Docker-based payloads, artifacts left from prior campaigns, and associated cron jobs, while also setting up persistence using “/etc/crontab.”
“It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors,” CloudSEK said.
To mitigate the risk posed by this threat, organizations are advised to update Next.js to a patched version as soon as possible, segment all IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor for suspicious process execution, and block known C2 infrastructure.
