RondoDox Botnet Operators Set React2Shell Flaw in Their Sights
The bad actors behind the RondoDox botnet are showing themselves to be highly adaptable and able to embrace changing attack trends, with the recent discovery of their targeting the high-profile React2Shell vulnerability as an initial access route
10 Identity and Credential Risk Questions for 2026
The bad actors behind the RondoDox botnet are showing themselves to be highly adaptable and able to embrace changing attack trends, with the recent discovery of their targeting the high-profile React2Shell vulnerability as an initial access route being the latest example.Security researchers with CloudSEK and Rewterz both wrote in recent reports that the RondoDox botnet operators were among the large number of nation-state and financially motivated threat groups that converged on the maximum-severity flaw – tracked as CVE-2025-55182 – within days of it being disclosed.It’s the latest avenue pursued by the threat actors since the RondoDox campaign began earlier last year, according to the researchers, who added that the campaign has progressed through three distinct phases.“The activity spans from March 2025 to December 2025, showing quick adaptation to latest trends in attacks by the threat actor group, not limiting themselves to deploying botnet payloads, web shells, and cryptominers – but also weaponizing the latest Next.js vulnerability,” the CloudSEK researchers wrote.Rewterz researchers added in their report that “active since early 2025, the campaign has steadily expanded in scale and sophistication, leveraging both newly disclosed and previously known vulnerabilities to compromise systems.”Highly Exploitable FlawThe security flaw in the React Server Components (RSC), which was disclosed December 3 and comes a severity rating of 10, with security analysts warning that the broad popularity of RSC and the frameworks that use it combined with the ease of exploiting the vulnerability made it particularly dangerous. Wiz researchers said that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to React2Shell.Next.js is one of those frameworks, as are React Router, RedwoodSDK, and Waku.CloudSEK researchers divided the nine-month RondoDox campaign into three phases, with the first running from March to April and involving reconnaissance and vulnerability testing. They saw more than 80 exploitation attempts on April 3. The second phase stretched from April to June and featured daily automated scans and mass vulnerability scanning.The last phase ran from July to December, and included not only the emergence of the RondoDox infrastructure but also the introduction of a new command-and-control (C2) server and the exploitation of React2Shell with vulnerable Next.js servers. The Next.js vulnerability stretched from December 8 to 16, with the deployment of the IoT botnet via Node.js from December 13 to now.IoT Devices, Web Applications Targeted“Organizations with internet-facing routers (DLink, TP-Link, Netgear, Linksys, ASUS), IP cameras, and network appliances face automated hourly exploitation attempts, leading to potential botnet enrollment, DDoS participation, and cryptomining operations on corporate infrastructure,” the CloudSEK researchers wrote. “Enterprises running Next.js Server Actions (especially versions vulnerable to prototype pollution attacks) face critical RCE [remote code execution] exposure with active exploitation observed recently. The vulnerability allows complete server compromise through deserialization flaws in Server Actions.”They wrote that the Rondo botnet is the “primary malware family with 10+ variants,” that Next.js RCE was the dominant attack vector in December, and that there were more than 40 repeat attacks on the same vulnerability between December 13, 2025, and now.The botnet also targets a range of platforms when collecting IoT and other devices, including those with x86, x86_64, MIPS, ARM, and PowerPC architectures.‘Hourly Automated Exploitation’Rewterz researchers likewise saw a similar three-phase campaign, with reconnaissance and scanning running in March and April, daily mass probing for vulnerabilities on such web platforms as WordPress, Drupal, and Struts2, and IoT devices like Wavlink routers (April to June), and “hourly automated exploitation at scale from July through early December 2025.”In December, “threat actors scanned for vulnerable Next.js servers and deployed multiple payloads, including cryptocurrency miners, a botnet loader and health-check component, and a Mirai-based botnet variant,” they wrote.The researchers added that “one loader module aggressively removes competing malware, terminates non-whitelisted processes every 45 seconds, establishes persistence via cron jobs, and prevents reinfection by rival actors.”The danger is widespread, according to Retwertz researchers, who said there are some 90,300 instances of exposed and vulnerable servers around the world. Most are in the United States, though there are others in such countries as Germany, France, and India.
About Author
