A sophisticated cyber threat group, known as the RondoDoX botnet, has intensified its campaign by aggressively exploiting newly discovered vulnerabilities in web applications and Internet of Things (IoT) devices. Analysis of command-and-control logs from March to December 2025 reveals a persistent and escalating strategy to compromise enterprise infrastructure, deploying cryptominers and botnet payloads across diverse network environments.
This cyber threat group’s operations, meticulously tracked by cybersecurity researchers, demonstrate a multi-stage infection process that begins with broad scanning for vulnerable systems. The RondoDoX botnet has evolved significantly, moving from manual vulnerability testing to automated daily and eventually hourly exploitation attempts, indicating a high level of commitment and resource allocation towards achieving widespread compromise.
RondoDoX Botnet Exploits Critical React2Shell Vulnerability
CloudSEK analysts identified the RondoDoX botnet through routine scans of malicious infrastructure, uncovering six command-and-control (C2) servers that shared overlapping operational periods. The investigation revealed at least ten distinct botnet variants actively deployed on compromised systems, with command logs providing detailed insights into the attackers’ methods and infrastructure usage throughout the nine-month campaign.
A significant escalation in the RondoDoX botnet’s tactics was observed in December 2025. During this period, threat actors began weaponizing a critical vulnerability within Next.js, a popular open-source JavaScript framework, to deploy React2Shell payloads. This adaptation signifies the group’s agility in incorporating zero-day or rapidly disclosed security flaws into their attack arsenal.
Attack Chain and Payload Delivery
The RondoDoX botnet’s attack chain commences with the identification of vulnerable servers through blind remote code execution testing. Following successful exploitation, the attackers deploy ELF binaries that subsequently download malicious payloads from active C2 infrastructure. This approach ensures a flexible and robust delivery mechanism for their malware.
Once established on a compromised host, the RondoDoX botnet employs sophisticated techniques for persistence and evasion. It configures cron jobs within system files to maintain access and proactively terminates competing malware to secure system resources for its own operations. The deployed payloads include cryptominers, designed to generate revenue for the threat actors, and support frameworks enabling long-term control over victim systems.
The botnet’s compatibility with multiple processor architectures, including x86, x86_64, MIPS, ARM, and PowerPC, allows for broad deployment across heterogeneous enterprise environments. Moreover, it utilizes multiple fallback download mechanisms, leveraging protocols such as wget, curl, tftp, and ftp, to ensure successful payload delivery even in challenging network conditions.
Mitigation and Defense Strategies
Organizations utilizing internet-facing routers, cameras, and applications leveraging Next.js Server Actions are particularly at risk from the RondoDoX botnet campaign. Immediate patching of vulnerable applications and timely security updates are paramount to closing potential entry points exploited by this threat actor.
Essential defensive measures include robust network segmentation to limit the lateral movement of malware within an organization’s network. The deployment of Web Application Firewalls (WAFs) can provide an additional layer of protection against web-based attacks. Continuous monitoring for suspicious process execution, particularly in temporary directories, is also crucial for early detection.
Furthermore, blocking identified command-and-control infrastructure at perimeter firewalls offers critical short-term protection against ongoing exploitation attempts. By proactively identifying and neutralizing C2 communication channels, organizations can disrupt the botnet’s ability to receive commands and deliver payloads.
The ongoing evolution of the RondoDoX botnet and its utilization of emerging vulnerabilities underscore the need for continuous vigilance and adaptation in cybersecurity defenses. Organizations should remain informed about the latest threats and recommended security practices to safeguard their infrastructure against sophisticated and persistent attackers.