RondoDoX Botnet Weaponizes React2Shell
Essential information
- Published
- 29/12/2025 19:53
- Modified
- 29/12/2025 21:51
- Tags
- 2025-12-29 botnet command and control cryptominer iot mirai next.js react2shell rondo rondodox vulnerability exploitation web application
- Related entities
- 7 observables, 1 intrusion sets (apt), 5 techniques (mitre)
Description
A persistent nine-month RondoDoX botnet campaign has been targeting IoT devices and web applications. The threat actors have recently shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like 'React2Shell' and cryptominers. The campaign, spanning from March to December 2025, shows quick adaptation to latest attack trends. The activity is divided into three phases: initial reconnaissance, web application exploitation, and IoT botnet deployment. The attackers have been using multiple command and control servers and deploying various malware variants. The campaign has intensified in December 2025 with a focus on Next.js exploitation. The impact includes widespread IoT device compromise, Next.js application risks, credential harvesting, and persistent multi-architecture threats.