RondoDoX Botnet Weaponizes React2Shell
Dec. 29, 2025, 9:51 p.m.
Description
A persistent nine-month RondoDoX botnet campaign, running from March to December 2025, has targeted IoT devices and web applications. The operators recently shifted to weaponizing a critical Next.js vulnerability, known as 'React2Shell', to deliver RondoDoX payloads and cryptominers, which shows how quickly the campaign adopts newly disclosed vulnerabilities. The activity falls into three phases: initial reconnaissance, web application exploitation, and IoT botnet deployment. The attackers have used multiple command-and-control servers and deployed several malware variants. Activity intensified in December 2025 with a focus on Next.js exploitation. The impact includes widespread IoT device compromise, exposure of Next.js applications, credential harvesting, and persistent malware built for multiple CPU architectures.
Tags
Date
- Created: Dec. 29, 2025, 7:53 p.m.
- Published: Dec. 29, 2025, 7:53 p.m.
- Modified: Dec. 29, 2025, 9:51 p.m.
Indicators
- 50be5257678412f0810d46e0b0bc573eb65c6ce4617346c1527ff0dc9b7fc79e
- 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b
- 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb
- 8e0bc23a87d349e5a5356252ce17576093b7858fdf6ea84919fbdcb2e117168e
- 89.144.31.18
- 70.184.13.47
- 38.59.219.27