- A persistent nine-month campaign enrolled IoT devices and web apps into the RondoDox botnet using multiple vulnerabilities, including React2Shell (CVE-2025-55182).
- About 90,300 vulnerable instances remain exposed globally, with 68,400 in the U.S.
- The campaign used staged activity—reconnaissance, mass probing, and large-scale hourly deployment—and dropped miners, loaders, and a Mirai variant.
- Defenses include patching Next.js, isolating IoT devices, deploying WAFs, monitoring processes, and blocking known C2 infrastructure.
Cybersecurity teams disclosed a nine-month campaign that recruited Internet of Things devices and web applications into the RondoDox botnet through late 2025. The activity used the critical React2Shell vulnerability (CVE-2025-55182) to gain remote code execution on exposed servers, CloudSEK said. The campaign also added older N-day flaws such as CVE-2023-1389 and CVE-2025-24893.
Data from the Shadowserver Foundation show roughly 90,300 instances vulnerable as of December 31, 2025, with 68,400 located in the U.S. Germany, France, and India followed in count.
Researchers mapped three phases of the campaign: March–April 2025 reconnaissance and manual scans; April–June daily mass probing of web apps (WordPress, Drupal, Struts2) and IoT devices like Wavlink routers; and July–early December large-scale automated hourly deployment. The abuse of React2Shell was previously flagged by Darktrace here and noted by other security firms.
In December 2025 infections, actors scanned for vulnerable Next.js servers and attempted to drop cryptocurrency miners and bot components at paths such as "/nuts/poop", "/nuts/bolts", and "/nuts/x86". The "/nuts/bolts" tool removes competing Malware and miners, clears prior campaign artifacts, and installs persistence via "/etc/crontab". As described by CloudSEK, "It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors."
Recommended mitigations include updating Next.js to patched versions, segmenting IoT devices into dedicated VLANs, deploying Web Application Firewalls, monitoring for suspicious process execution, and blocking known command-and-control infrastructure.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- 2026 Boom Looms: Tokenization, AI, Fed Cuts Fuel US Markets!
- Tether Picks Up 8,888 BTC, Boosts Reserve to 96,000+ BTC Now
- Trader Claims $1M Win After BROCCOLI714 Pump on Binance Now!
- Bitwise CIO: Bitcoin’s Wild Days End, Steady Gains From 2026
- Crypto comebacks: pardons, privacy coins, Ripple surge 2026!
