
RondoDox Botnet Exploiting React2Shell Vulnerability

In December, the botnet’s operators focused on weaponizing the flaw to compromise vulnerable Next.js servers. The post RondoDox Botnet Exploiting React2Shell Vulnerability appeared first on SecurityWeek.


Recent RondoDox botnet enrollment attacks have been targeting Next.js servers vulnerable to React2Shell, CloudSEK reports.

The targeted security defect, tracked as CVE-2025-55182, impacts systems that rely on version 19 of the popular open source JavaScript library React and that use React Server Components (RSC).

Publicly disclosed on December 3, 2025, React2Shell also impacts frameworks that leverage React, such as Next.js, React Router, RedwoodSDK, and Waku.

The bug allows unauthenticated attackers to send specially crafted HTTP requests to React Server Function endpoints and achieve remote code execution (RCE).

Exploitation of the flaw started within days of public disclosure and was initially associated with China-linked threat groups. A week later, multiple threat actors were seen targeting vulnerable instances.

According to CloudSEK, the RondoDox botnet’s operators joined the fray during that timeframe, and for the past three weeks have focused on exploiting Next.js instances affected by React2Shell.

Between December 8 and 16, they were seen scanning for vulnerable servers through blind RCE testing. On December 13, they started deploying malicious payloads.

The RondoDox operators were seen dropping a botnet support framework designed to purge the host of other botnets and cryptocurrency miners, deploy the bot client, and establish persistence. A miner and a Mirai variant were also installed on the compromised systems.

While the botnet’s React2Shell exploitation activity involved a Linux-focused payload, RondoDox is known for taking a shotgun approach to infecting devices, firing a wide range of exploits at potential targets rather than relying on a single flaw.

The first exploitation attempts associated with the botnet, CloudSEK says, occurred in March 2025, while systematic vulnerability scanning started in early April.

The operators engaged in widespread vulnerability probing between April and June and started the bot client’s deployment in July.

Since then, they have been ensnaring internet-facing routers, IP cameras, and network appliances into the botnet, using payloads for x86, x86_64, MIPS, ARM, and PowerPC architectures.

In addition to exploiting web applications for initial access, RondoDox attacks involve credential theft and lateral movement, CloudSEK notes.

Related: Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery

Related: ‘Kimwolf’ Android Botnet Ensnares 1.8 Million Devices

Related: New ‘Broadside’ Botnet Poses Risk to Shipping Companies

Related: Exploitation of React2Shell Surges
