The RondoDox botnet is known for exploiting the significant React2Shell vulnerability (CVE-2025-55182) to compromise vulnerable Next.js servers by installing malware and cryptocurrency miners.
Initially reported by Fortinet in July 2025, RondoDox represents a widespread botnet that takes aim at numerous n-day vulnerabilities in its global attack campaigns. In November, VulnCheck identified new variants of RondoDox that include exploits for CVE-2025-24893, a serious remote code execution (RCE) flaw in the XWiki platform.
A recent study by cybersecurity firm CloudSEK indicates that RondoDox began scanning for susceptible Next.js servers on December 8 and initiated the deployment of botnet clients shortly thereafter, on December 11.
React2Shell presents an unauthenticated remote code execution vulnerability, which can be triggered with a single HTTP request. It affects any framework utilizing the React Server Components (RSC) ‘Flight’ protocol, including Next.js.
This vulnerability has been exploited by various threat actors to compromise numerous organizations. Notably, North Korean hackers leveraged React2Shell in deploying a malware variant named EtherRAT.
As reported by the Shadowserver Foundation on December 30, there are more than 94,000 exposed internet assets that are vulnerable to React2Shell.
According to CloudSEK, RondoDox has gone through three distinct operational phases this year:
Focusing on React2Shell, researchers reported that RondoDox has intensified its efforts to exploit this vulnerability, launching over 40 exploit attempts within just six days in December.
During this phase, the botnet conducts continuous IoT exploitation efforts, specifically targeting devices like Linksys and Wavlink routers to add new bots to its network.
CloudSEK noted that, after scanning for vulnerable servers, RondoDox began deploying payloads, which included a cryptocurrency miner (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai variant (/nuts/x86).
The ‘bolts’ component is designed to eliminate competing botnet malware from the host while ensuring persistence via /etc/crontab and terminating non-whitelisted processes every 45 seconds, according to researchers.
To protect against this RondoDox activity, CloudSEK recommends that companies consider auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for unusual process executions.
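As an added defender-side example (not code from CloudSEK or the article), the script below audits an /etc/crontab-style file for entries that invoke the payload paths named above, which is the persistence mechanism the researchers describe. The crontab sample is constructed; the exact form of the real RondoDox cron entry is not given on the page and is assumed here.

```python
"""Audit a system crontab for RondoDox-style persistence entries."""
import os
import re
from dataclasses import dataclass

# Payload paths reported for the RondoDox React2Shell campaign (from the article).
RONDODOX_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# /etc/crontab format: five schedule fields (or an @keyword), a user, then the command.
SYSTEM_CRON_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+|@\w+)\s+(\S+)\s+(.+)$")

# Constructed sample: two benign lines plus two assumed RondoDox-style entries.
SAMPLE_CRONTAB = """SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /nuts/bolts >/dev/null 2>&1
@reboot root /nuts/poop
"""


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    matched: str  # which known payload path the command references


def parse_system_crontab(text):
    """Yield (line_no, schedule, user, command) for each active crontab entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and VAR=value assignments such as SHELL=/bin/sh.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m:
            yield n, m.group(1), m.group(2), m.group(3)


def find_rondodox_cron(text):
    """Return entries whose command references one of the known payload paths."""
    findings = []
    for n, _sched, user, cmd in parse_system_crontab(text):
        hit = next((p for p in RONDODOX_PATHS if p in cmd), None)
        if hit:
            findings.append(Finding(n, user, cmd, hit))
    return findings


if __name__ == "__main__":
    # Audit the live file when present, otherwise demonstrate on the sample.
    path = "/etc/crontab"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CRONTAB
    for f in find_rondodox_cron(text):
        print(f"line {f.line_no}: user={f.user} matched={f.matched}: {f.command}")
```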