Sunday, January 18, 2026

RondoDox botnet exploits React2Shell flaw to breach Subsequent.js servers

The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.

First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck observed new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform.

A new report from cybersecurity firm CloudSEK notes that RondoDox began scanning for vulnerable Next.js servers on December 8 and started deploying botnet clients three days later.

React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement the React Server Components (RSC) ‘Flight’ protocol, including Next.js.

The flaw has been leveraged by multiple threat actors to breach a number of organizations. North Korean hackers exploited React2Shell to deploy a new malware family named EtherRAT.

As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell.

CloudSEK says that RondoDox has passed through three distinct operational phases this year:

  • Reconnaissance and vulnerability testing from March to April 2025
  • Automated web app exploitation from April to June 2025
  • Large-scale IoT botnet deployment from July to today

Regarding React2Shell, the researchers report that RondoDox has significantly focused its exploitation around the flaw lately, launching over 40 exploit attempts within six days in December.

During this operational phase, the botnet conducts hourly IoT exploitation waves targeting Linksys, Wavlink, and other consumer and enterprise routers to enroll new bots.

After probing potentially vulnerable servers, CloudSEK says that RondoDox began to deploy payloads that included a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a variant of Mirai (/nuts/x86).

The ‘bolts’ component removes competing botnet malware from the host, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds, the researchers say.

CloudSEK provides a set of recommendations for companies to protect against this RondoDox activity, among them auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for suspicious processes being executed.
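Because the report ties the bolts loader's persistence to /etc/crontab, one concrete check a defender can run is to parse the system crontab and flag entries that launch the payload paths named above. The script below is an added example, not CloudSEK's or the article's own tooling; the sample crontab it embeds is constructed for the demonstration.

```python
import re

# Payload paths named in the CloudSEK report quoted by the article.
RONDODOX_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# /etc/crontab format: five schedule fields (or an @keyword), a user, then the command.
_SYSTEM_CRON = re.compile(r"^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
_SPECIAL_CRON = re.compile(r"^\s*(?P<sched>@\w+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

# Constructed sample: two benign lines plus two entries in the style of the reported persistence.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot root /nuts/bolts
* * * * * root /nuts/bolts >/dev/null 2>&1
"""


def parse_crontab(text):
    """Yield (schedule, user, command) for each active entry; skip blanks, comments, VAR=value lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        m = _SPECIAL_CRON.match(line) or _SYSTEM_CRON.match(line)
        if m:
            yield m.group("sched").strip(), m.group("user"), m.group("cmd").strip()


def suspicious_entries(text):
    """Return crontab entries whose command references one of the reported payload paths."""
    hits = []
    for sched, user, cmd in parse_crontab(text):
        if any(p in cmd for p in RONDODOX_PATHS):
            hits.append({"schedule": sched, "user": user, "command": cmd})
    return hits


if __name__ == "__main__":
    import sys
    # Default to the live system crontab; pass a path to scan a copy collected from another host.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/crontab"
    with open(path) as fh:
        for hit in suspicious_entries(fh.read()):
            print(f"{hit['schedule']:<12} {hit['user']:<8} {hit['command']}")
```

Run it against /etc/crontab on a suspect host or against collected copies; an empty result only rules out this one persistence mechanism, not the per-user crontabs or systemd units the report does not cover.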
