RondoDox Botnet Expands Through React2Shell Exploit, Exposing Thousands of IoT and Web Systems

Listen to this Post

Featured Image

A Silent Campaign Growing in the Background

A long-running cyber campaign has quietly expanded across the global internet, targeting Internet of Things devices and modern web applications with increasing precision. Security researchers have now confirmed that the RondoDox botnet has operated for at least nine months, steadily building infrastructure capable of large-scale abuse. The campaign gained renewed momentum after attackers began exploiting a critical vulnerability known as React2Shell, allowing them to remotely execute code on exposed systems without authentication.

A Vulnerability That Opened the Door

React2Shell, tracked as CVE-2025-55182 with a severity score of 10.0, affects React Server Components and Next.js deployments. The flaw enables attackers to remotely execute commands on vulnerable servers, effectively handing over full control. By December 2025, this weakness became a primary access vector for RondoDox, significantly amplifying its reach across internet-facing infrastructure.

The Scale of Exposure Worldwide

Data from the Shadowserver Foundation shows that more than 90,300 systems remain exposed to this vulnerability. The United States accounts for the largest share with approximately 68,400 affected instances. Germany follows with 4,300, while France and India account for 2,800 and 1,500 respectively. These figures illustrate how deeply modern application frameworks are embedded across critical digital environments.

The Rise of RondoDox

RondoDox first emerged in early 2025 and quickly demonstrated an ability to evolve. The botnet expanded its toolkit by incorporating previously disclosed vulnerabilities such as CVE-2023-1389 and CVE-2025-24893. Security firms including Darktrace, Kaspersky, and VulnCheck previously observed the group experimenting with React2Shell before its widespread exploitation.

A Campaign Built in Phases

The operation unfolded in three distinct phases that reveal careful planning rather than opportunistic scanning.
March to April 2025 focused on reconnaissance and manual vulnerability discovery.
April to June 2025 marked aggressive probing of popular platforms such as WordPress, Drupal, Struts2, and IoT devices like Wavlink routers.
July through early December 2025 saw a shift to full automation, enabling hourly mass deployment at scale.

Weaponized Automation Takes Over

By December 2025, attackers had fully automated the infection chain. They scanned for vulnerable Next.js servers and deployed multiple payloads with specialized roles. These included cryptocurrency miners labeled “/nuts/poop,” a loader and system checker known as “/nuts/bolts,” and a Mirai-based botnet component labeled “/nuts/x86.”

The Role of the Loader

The “/nuts/bolts” component plays a central role in maintaining dominance over infected systems. It actively removes competing malware, eliminates existing coin miners, and cleans artifacts left behind by earlier campaigns. It also ensures persistence by modifying system scheduling files such as /etc/crontab.

Aggressive Process Control

One of the most concerning capabilities involves continuous monitoring of running processes. The loader scans the /proc directory every 45 seconds and terminates any non-whitelisted process. This behavior prevents reinfection by rival threat actors and ensures exclusive control of the compromised host.

Infrastructure Built for Longevity

This approach reflects a shift toward professionalized botnet operations. RondoDox does not merely infect systems; it manages them. By maintaining clean operational environments, attackers extend the lifespan and reliability of their botnet, making takedown efforts significantly more complex.

Defensive Measures Under Pressure

Security experts recommend immediate upgrades to patched versions of Next.js. Additional steps include isolating IoT devices into dedicated VLANs, deploying web application firewalls, monitoring unusual process behavior, and blocking known command-and-control infrastructure associated with RondoDox.

the Campaign

The RondoDox operation highlights a maturing threat landscape where automation, persistence, and stealth converge. Leveraging React2Shell allowed attackers to compromise thousands of systems with minimal resistance. The campaign demonstrates how quickly modern vulnerabilities can be weaponized when patch adoption lags behind disclosure.

What Undercode Say:

The RondoDox campaign reflects a broader shift in cybercrime economics. Attackers are no longer racing for noisy dominance but are building stable digital real estate. By eliminating competitors and maintaining clean persistence, RondoDox operators treat compromised devices like managed assets rather than disposable tools.

The abuse of React2Shell signals a deeper issue with modern development frameworks. Convenience-driven architectures often prioritize speed and flexibility over isolation. When flaws appear, they expose entire ecosystems rather than isolated services. This amplifies risk far beyond traditional server compromises.

What makes this campaign particularly concerning is its patience. Nine months of structured growth suggests long-term monetization strategies, possibly involving proxy abuse, cryptomining, or resale of access. These operations resemble corporate infrastructure models rather than chaotic cybercrime.

The geographic distribution also reveals a troubling reality. Highly developed digital economies remain the most exposed, not because of weaker security, but due to scale and complexity. Larger attack surfaces create more opportunities for unnoticed exploitation.

RondoDox also demonstrates how automation now replaces human effort almost entirely. Once deployed, the botnet self-manages, self-defends, and self-expands. This reduces operational cost for attackers and increases resilience against takedown attempts.

The use of multi-stage payloads indicates advanced operational discipline. Each component has a single purpose, reducing errors and improving reliability. This modular design mirrors legitimate software engineering practices.

Defensive strategies must evolve accordingly. Static defenses and periodic audits are no longer sufficient. Continuous monitoring, behavioral analysis, and rapid patch adoption must become default practices rather than optional upgrades.

This campaign also reinforces the importance of transparency from security researchers. Early disclosure and shared intelligence remain the strongest counterbalance to coordinated threat actors.

RondoDox is not just another botnet. It represents a model that others will replicate. The longer such infrastructures operate undisturbed, the more normalized this level of cyber intrusion becomes.

Organizations that delay remediation are not only risking their own systems but also contributing to a wider ecosystem of abuse. The cost of inaction now extends far beyond individual networks.

Fact Checker Results

✅ React2Shell is confirmed as a critical vulnerability enabling remote code execution.
✅ RondoDox activity has been observed across multiple countries with verified telemetry.
❌ No public evidence confirms direct attribution to a nation-state actor.

Prediction

🔮 RondoDox-style botnets will increasingly target modern web frameworks rather than legacy systems.
🔮 Automated persistence tools will become standard across future malware families.
🔮 Organizations that delay patching will face longer recovery times and higher operational damage.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon