BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

RondoDox Botnet Exploits React2Shell to Widen IoT Infections

RondoDox campaign weaponizes React2Shell to recruit 90,300 web apps and IoT devices—dropping miners, loaders and Mirai; patch Next.js and segment IoT.

  • A persistent nine-month campaign enrolled IoT devices and web apps into the RondoDox botnet using multiple vulnerabilities, including React2Shell (CVE-2025-55182).
  • About 90,300 vulnerable instances remain exposed globally, with 68,400 in the U.S.
  • The campaign used staged activity—reconnaissance, mass probing, and large-scale hourly deployment—and dropped miners, loaders, and a Mirai variant.
  • Defenses include patching Next.js, isolating IoT devices, deploying WAFs, monitoring processes, and blocking known C2 infrastructure.

Cybersecurity teams disclosed a nine-month campaign that recruited Internet of Things devices and web applications into the RondoDox botnet through late 2025. The activity used the critical React2Shell vulnerability (CVE-2025-55182) to gain remote code execution on exposed servers, CloudSEK said. The campaign also added older N-day flaws such as CVE-2023-1389 and CVE-2025-24893.

- Advertisement -

Data from the Shadowserver Foundation show roughly 90,300 instances vulnerable as of December 31, 2025, with 68,400 located in the U.S. Germany, France, and India followed in count.

Researchers mapped three phases of the campaign: March–April 2025 reconnaissance and manual scans; April–June daily mass probing of web apps (WordPress, Drupal, Struts2) and IoT devices like Wavlink routers; and July–early December large-scale automated hourly deployment. The abuse of React2Shell was previously flagged by Darktrace here and noted by other security firms.

In December 2025 infections, actors scanned for vulnerable Next.js servers and attempted to drop cryptocurrency miners and bot components at paths such as "/nuts/poop", "/nuts/bolts", and "/nuts/x86". The "/nuts/bolts" tool removes competing Malware and miners, clears prior campaign artifacts, and installs persistence via "/etc/crontab". As described by CloudSEK, "It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors."

Recommended mitigations include updating Next.js to patched versions, segmenting IoT devices into dedicated VLANs, deploying Web Application Firewalls, monitoring for suspicious process execution, and blocking known command-and-control infrastructure.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Nvidia Stock Rises 4% to $210, BofA Target $350

NVIDIA stock (NASDAQ: NVDA) opened Monday at $210 after a 4% gain on Friday,...

Bank of Thailand scans stablecoin trades for illicit finance

The Bank of Thailand is using data analytics to scan for abnormally high-volume trades...

RWAs Overtake Bitcoin as Hyperliquid’s Largest Open Interest

Hyperliquid's RWA perpetuals hit a record $3.6 billion in open interest, overtaking Bitcoin and...

SK Hynix ADR gains vanish in under a day

SK Hynix's ADRs rose 12.7% on Nasdaq debut Friday but the entire gain was...

Binance futures hit 2026 high as spot market lags

Binance recorded $1.6 trillion in futures trading volume in June, its highest level of...

Must Read

9 Best Trading Platforms for Crypto Beginners

Many newcomers to the crypto space are looking for platforms to buy, sell and exchange cryptocurrencies. While there are hundreds of crypto exchanges around...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading