Source: The Hacker News (tags: vulnerability, International)

RondoDox Botnet Leverages React2Shell Flaw to Target IoT, Web Apps

Thursday, January 1, 2026

What

A persistent RondoDox botnet campaign has been actively exploiting critical vulnerabilities like React2Shell (CVE-2025-55182) to compromise IoT devices and web applications. This matters because the botnet establishes robust persistence mechanisms and deploys additional malicious payloads, including cryptocurrency miners and Mirai variants, across a large, unpatched attack surface.

Where

Primarily Next.js servers, IoT devices, and web applications like WordPress, Drupal, and Struts2. Affected countries include the U.S., Germany, France, and India.

When

Campaign emerged early 2025, with exploitation of React2Shell observed in December 2025.

Key Factors

  • The RondoDox botnet campaign has evolved through three distinct phases, escalating from initial reconnaissance to hourly automated large-scale deployment by late 2025.
  • The botnet loader, "/nuts/bolts," demonstrates sophisticated anti-reinfection capabilities by terminating competing malware, removing prior campaign artifacts, and continuously killing non-whitelisted processes.
  • A critical aspect is the widespread susceptibility to React2Shell (CVE-2025-55182), with over 90,000 instances remaining vulnerable, creating a significant attack surface for RondoDox.

Takeaways

  • Immediately update Next.js to a patched version and deploy Web Application Firewalls (WAFs) to protect against React2Shell (CVE-2025-55182) exploitation.
  • Implement network segmentation for all IoT devices into dedicated VLANs and monitor for suspicious process execution to detect and prevent botnet activity.
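The loader behaviour described under Key Factors (continuously killing processes that are not on its own allowlist) and the Takeaway about monitoring process execution both point at the same detection idea: a single process that signals many distinct other processes in a short window is unusual on a host and worth alerting on. The following is an added example, not code from the article or from The Hacker News; the log layout, the sample records and the thresholds are constructed assumptions for illustration (the `comm=bolts` name is only borrowed from the loader path the article quotes).

```python
import re
from collections import defaultdict

# Constructed sample of kill()-syscall records in a simplified key=value layout.
# This is NOT real auditd output and NOT data from the article; it shows one
# sender (pid 4242, comm "bolts") sweeping five distinct targets with SIGKILL
# within seconds, plus benign noise from systemd and an interactive shell.
SAMPLE_LOG = """\
ts=1767225600.0 pid=4242 comm=bolts target=1201 sig=9
ts=1767225601.0 pid=4242 comm=bolts target=1202 sig=9
ts=1767225602.0 pid=4242 comm=bolts target=1203 sig=9
ts=1767225603.0 pid=4242 comm=bolts target=1204 sig=9
ts=1767225604.0 pid=4242 comm=bolts target=1205 sig=9
ts=1767225610.0 pid=1 comm=systemd target=900 sig=15
ts=1767225620.0 pid=3001 comm=bash target=3100 sig=15
ts=1767225700.0 pid=3001 comm=bash target=3100 sig=9
ts=1767229200.0 pid=4242 comm=bolts target=1206 sig=9
"""

# Field layout of the constructed records (assumption, see lead-in).
LINE_RE = re.compile(
    r"ts=(?P<ts>[\d.]+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) "
    r"target=(?P<target>\d+) sig=(?P<sig>\d+)"
)


def parse_events(text):
    """Parse log text into (ts, sender_pid, comm, target_pid, sig) tuples.

    Malformed lines are skipped rather than raising, so a partially garbled
    log still yields the records that did parse.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (float(m["ts"]), int(m["pid"]), m["comm"], int(m["target"]), int(m["sig"]))
        )
    return events


def find_kill_sweeps(events, window_s=60.0, min_targets=5,
                     allowlist=frozenset({"systemd", "init"})):
    """Return {(sender_pid, comm): distinct_targets} for senders that delivered
    SIGKILL/SIGTERM to at least `min_targets` distinct processes within any
    `window_s`-second span.

    `allowlist` suppresses known legitimate bulk-signallers (e.g. the init
    system during shutdown); tune it per host. The window and threshold are
    illustrative defaults, not values from the article.
    """
    by_sender = defaultdict(list)
    for ts, pid, comm, target, sig in events:
        if comm in allowlist or sig not in (9, 15):
            continue
        by_sender[(pid, comm)].append((ts, target))

    flagged = {}
    for sender, hits in by_sender.items():
        hits.sort()  # by timestamp
        best = 0
        for i, (t0, _) in enumerate(hits):
            # Distinct targets signalled in [t0, t0 + window_s]; the list is
            # sorted, so everything before index i is outside the window.
            targets = {tgt for ts, tgt in hits[i:] if ts - t0 <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[sender] = best
    return flagged


if __name__ == "__main__":
    for (pid, comm), n in find_kill_sweeps(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: pid {pid} ({comm}) signalled {n} distinct processes "
              f"within 60s")
```

Running the block on the constructed sample flags only the `bolts` sender; the shell that sends SIGTERM and then SIGKILL to the same child is a normal pattern and stays below the distinct-target threshold. On a real host the same logic can be fed from `auditd` rules on the `kill` syscall, with the regex swapped for the actual record format.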