The RondoDox botnet is using the serious React2Shell vulnerability (CVE-2025-55182) to infect unprotected Next.js servers with malware and cryptominers.
RondoDox, a large-scale botnet first reported by Fortinet in July 2025, targets various n-day vulnerabilities in global attacks. In November, VulnCheck discovered new variants of RondoDox that exploit the critical remote code execution vulnerability CVE-2025-24893 in the XWiki Platform.
CloudSEK’s latest report reveals that RondoDox began scanning for vulnerable Next.js servers on December 8 and deployed botnet clients three days later.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement the React Server Components (RSC) ‘Flight’ protocol, including Next.js.
Several threat actors used the flaw to attack multiple organizations. North Korean hackers exploited React2Shell to deploy new malware called EtherRAT.
As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell.
CloudSEK says that RondoDox has passed through three distinct operational phases this year:
Reconnaissance and vulnerability testing from March to April 2025
Automated web app exploitation from April to June 2025
Large-scale IoT botnet deployment from July to today
RondoDox has recently centered its attacks on React2Shell, making over 40 exploitation attempts in six days in December.
The botnet conducts hourly attacks on Linksys, Wavlink, and other routers to add new devices.
After probing potentially vulnerable servers, CloudSEK says that RondoDox started to deploy payloads that included a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a variant of Mirai (/nuts/x86).
The ‘bolts’ component eliminates rival botnet malware, ensures persistence through /etc/crontab, and terminates non-whitelisted processes every 45 seconds, according to researchers.
CloudSEK offers recommendations for companies to safeguard against RondoDox activities. These include auditing and patching Next.js Server Actions, isolating IoT devices on separate virtual LANs, and monitoring for suspicious processes.
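As an added illustration (not code from CloudSEK or the article), the following Python checker looks for the three payload paths named above in an /etc/crontab and in a `ps` listing, covering both the cron persistence and the suspicious-process monitoring mentioned in the recommendations; the crontab row layout and the sample data are constructed assumptions.

```python
import re

# Payload paths named in the CloudSEK report as quoted in the article above.
RONDODOX_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")
PATH_RE = re.compile("|".join(re.escape(p) for p in RONDODOX_PATHS))


def scan_crontab(text: str) -> list[dict]:
    """Flag /etc/crontab rows (min hour dom mon dow user command) whose command
    references a RondoDox payload path; comments, blanks and VAR=value are skipped."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # not a full system crontab row
        m = PATH_RE.search(fields[6])
        if m:
            hits.append({"source": "crontab", "line": lineno, "user": fields[5],
                         "indicator": m.group(0), "command": fields[6]})
    return hits


def scan_processes(ps_lines: list[str]) -> list[dict]:
    """Flag rows of `ps -eo pid,user,args` output whose args reference a payload path."""
    hits = []
    for raw in ps_lines:
        fields = raw.split(None, 2)
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header line or malformed row
        m = PATH_RE.search(fields[2])
        if m:
            hits.append({"source": "process", "pid": int(fields[0]), "user": fields[1],
                         "indicator": m.group(0), "args": fields[2]})
    return hits


# Constructed sample input (not real captures): one injected crontab row and a
# listing with the miner and loader running. The row format is an assumption;
# the article only says that persistence goes through /etc/crontab.
SAMPLE_CRONTAB = """SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /nuts/bolts >/dev/null 2>&1
"""
SAMPLE_PS = [
    "  PID USER     COMMAND",
    " 2311 www-data /nuts/poop -o pool.invalid:3333",
    " 2312 www-data /nuts/bolts",
]
```

On a live host, feed `scan_crontab` the contents of /etc/crontab and `scan_processes` the lines of `ps -eo pid,user,args`; an empty result only means none of these three known paths was seen, not that the host is clean.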
InfoSecBulletin Cybersecurity for mankind
