An analysis by cybersecurity researchers has revealed a nine-month campaign that exploits Internet of Things (IoT) devices and web applications and enrols them into an automated botnet called RondoDox. The group behind it has exploited CVE-2025-55182 (CVSS 10.0), known as React2Shell, to achieve unauthenticated remote code execution against applications built on React Server Components (RSC) and Next.js.
According to the Shadowserver Foundation, as of December 2025 there are about 90,300 potentially vulnerable instances worldwide, the majority in the USA (68,400), followed by Germany (4,300), France (2,800) and India (1,500).
Since the beginning of 2025, the RondoDox group has exploited at least seven different N-day vulnerabilities, including CVE-2023-1389 and CVE-2025-24893.
Beginning in March 2025, the RondoDox group conducted its operations in three main phases:
Phase 1: March to April 2025: Manual scanning and reconnaissance to identify potentially vulnerable targets.
Phase 2: April to June 2025: Daily mass scanning of web applications (WordPress, Drupal and Struts2) and IoT devices (Wavlink routers) to identify vulnerable systems.
Phase 3: July to December 2025: An automated deployment process that ran the group's operations continuously, on an hourly cycle.
Attack Techniques
Infected devices are loaded with:
1. Cryptocurrency miners (/nuts/poop)
2. Botnet loader & health checker (/nuts/bolts)
3. Mirai botnet variants (/nuts/x86)
The /nuts/bolts tool terminates competing malware and miners, removes Docker-based payloads, cleans artifacts from prior infections, sets up persistence via /etc/crontab, and whitelists trusted processes to prevent reinfection.
"It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing rival actors from reinfecting," CloudSEK said.
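The two host-level traces described above, the /etc/crontab persistence entry and executables running from the /nuts/ staging directory, are what a defender can check for directly. The following is an added example, not code from the article or from CloudSEK: it parses system-crontab entries for commands that reference the payload directory and flags processes whose exe link points under it. The sample crontab and process list are constructed for the example.

```python
import os

# Indicators from the article: payloads staged under /nuts/ and persistence written
# to the system crontab. The sample crontab and process list below are constructed.
PAYLOAD_DIR = "/nuts/"

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /nuts/bolts >/dev/null 2>&1
@reboot         root    /nuts/poop
"""
SAMPLE_PROCS = [(1, "/usr/lib/systemd/systemd"), (812, "/usr/sbin/sshd"),
                (4417, "/nuts/poop"), (4420, "/nuts/bolts")]

def scan_crontab(text, payload_dir=PAYLOAD_DIR):
    """Return system-crontab entries whose command references payload_dir.
    Handles both 'm h dom mon dow user command' and '@reboot user command' forms;
    comments, blank lines and VAR=value lines are skipped."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        nfields = 3 if line.startswith("@") else 7
        parts = line.split(None, nfields - 1)
        if len(parts) != nfields:
            continue  # malformed entry; cron would reject it as well
        user, command = parts[-2], parts[-1]
        if payload_dir in command:
            hits.append({"line": lineno, "user": user, "command": command})
    return hits

def suspicious_processes(procs, payload_dir=PAYLOAD_DIR):
    """procs: iterable of (pid, exe) pairs; flag executables living under payload_dir."""
    return [(pid, exe) for pid, exe in procs if exe.startswith(payload_dir)]

def read_procs():
    """Collect (pid, exe) pairs from a live /proc via readlink; unreadable entries are skipped."""
    out = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                out.append((int(name), os.readlink(f"/proc/{name}/exe")))
            except OSError:
                continue
    return out
```

On a real host, feed `open("/etc/crontab").read()` to `scan_crontab` and `read_procs()` to `suspicious_processes`; a hit on either is worth isolating the device, since the loader re-establishes itself on a short cycle.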
Mitigation Recommendations
Organizations are advised to:
1. Update Next.js to the latest patched version.
2. Segment IoT devices into dedicated VLANs.
3. Deploy Web Application Firewalls (WAFs).
4. Monitor for suspicious process execution.
5. Block known RondoDox C2 infrastructure.
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067