
RondoDox Botnet Actively Exploits React2Shell Vulnerability (CVE-2025-55182) in Next.js and React Server Components

  • Rescana
  • Dec 31, 2025
  • 5 min read

Executive Summary

The RondoDox botnet has rapidly emerged as a significant threat to organizations running Next.js and React Server Components, exploiting the critical React2Shell vulnerability (CVE-2025-55182). This pre-authentication remote code execution (RCE) flaw lets an attacker execute arbitrary code on a vulnerable server with a single crafted HTTP request. Since early December 2025, threat actors have run large-scale, automated exploitation campaigns that deploy cryptominers, Mirai-based malware, and persistent botnet loaders across enterprise and consumer infrastructure. The attack surface is broad: more than 94,000 internet-exposed assets have been reported vulnerable, and exploitation has been observed across multiple sectors and geographies. Immediate patching and comprehensive monitoring are imperative to mitigate the ongoing risk.

Threat Actor Profile

The RondoDox botnet is characterized by its opportunistic, highly automated exploitation of n-day vulnerabilities in web frameworks and IoT devices. First documented by Fortinet in July 2025, RondoDox leverages a modular architecture, enabling rapid adaptation to new vulnerabilities and deployment of diverse payloads. The botnet’s operators have demonstrated advanced operational security, employing frequent infrastructure rotation, process whitelisting, and aggressive removal of competing malware. Attribution remains uncertain, but the campaign’s scale and sophistication suggest a well-resourced criminal syndicate, with evidence of code and infrastructure reuse across other botnet families. Notably, North Korean and China-nexus advanced persistent threat (APT) groups have also exploited React2Shell for targeted intrusions, indicating the vulnerability’s appeal to both financially motivated and state-sponsored actors.

Technical Analysis of Malware/TTPs

The React2Shell vulnerability (CVE-2025-55182) stems from unsafe deserialization of untrusted data in React Server Components. The server-side RSC runtime (the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages) deserializes the body of HTTP requests sent to Server Function endpoints; a crafted body reaches that deserialization without adequate validation and yields arbitrary code execution in the Node.js process serving the application, which in the deployments targeted here is the Next.js server. The affected releases are react-server-dom-* 19.0.0 through 19.2.0 and Next.js 15.0.0 through 16.0.6, including all canary builds. Note that several of the fixed releases sit inside those numeric ranges: react-server-dom-* 19.0.1, 19.1.2 and 19.2.1, and Next.js 16.0.7 together with the 15.x backport releases listed in the Next.js Security Update. A version is therefore vulnerable only if it is below the fix for its own minor line, so check resolved versions, not just the major.minor.

Upon successful exploitation, RondoDox deploys a multi-stage infection chain. The initial payload, typically retrieved from a hardcoded path such as /nuts/bolts on an attacker-controlled delivery host, acts as a loader and health checker. This component establishes persistence by modifying /etc/crontab to ensure execution on reboot and implements a process whitelisting mechanism, terminating non-botnet processes every 45 seconds to maintain exclusive control. Secondary payloads include a cryptominer (/nuts/poop) and a Mirai variant (/nuts/x86), both of which are executed in memory to evade disk-based detection. The cryptominer hijacks system resources for Monero mining, while the Mirai variant scans for additional vulnerable devices, propagating the botnet to further hosts.

Command and control (C2) communication is conducted over HTTP/HTTPS, with frequent infrastructure changes to evade blacklisting. The botnet employs domain generation algorithms (DGAs) and hardcoded IPs, including 74.194.191.52, 70.184.13.47, and 41.231.37.153, among others. Behavioral indicators include anomalous process execution from /tmp, /dev/shm, and /dev directories, frequent use of chmod 755/777, and outbound connections from non-browser processes to unrecognized IP addresses.

Exploitation in the Wild

Exploitation of React2Shell by RondoDox was first observed on December 8, 2025, with active payload deployment commencing three days later. Security researchers and honeypots have documented over 40 distinct exploit attempts within the first week, with attack frequency increasing to hourly waves targeting both Next.js servers and IoT devices such as Linksys and Wavlink routers. The Shadowserver Foundation reported more than 94,000 vulnerable assets exposed to the internet as of December 30, 2025.

The attack chain is fully automated, with reconnaissance, exploitation, and payload delivery orchestrated via distributed scanning infrastructure. The loader aggressively removes competing malware so that the host's resources go to cryptomining and further propagation. Notably, the campaign is not confined to web servers: the same infrastructure has also compromised network-attached storage (NAS), IP cameras, and printers, consistent with the botnet's broader set of n-day exploits for embedded devices.

Proof-of-concept (PoC) exploit code was publicly available on GitHub and the Openwall Security Mailing List, accelerating the pace of exploitation by both criminal and nation-state actors. The CISA Known Exploited Vulnerabilities (KEV) Catalog added CVE-2025-55182 within days of disclosure, underscoring the urgency of remediation.

Victimology and Targeting

The RondoDox campaign exhibits broad targeting, with a focus on organizations and individuals operating internet-facing Next.js applications and IoT devices. Affected sectors include technology, financial services, healthcare, education, and cloud service providers. The botnet’s propagation mechanisms have resulted in collateral compromise of consumer devices, particularly in regions with high adoption of Next.js and React frameworks.

Geographically, attacks have been reported in the United States and China, and across organizations worldwide with exposed infrastructure. North Korean APTs have leveraged React2Shell to deploy EtherRAT for espionage, while China-nexus groups initiated exploitation within hours of public disclosure, targeting both public and private sector entities. The indiscriminate nature of the botnet's scanning and exploitation increases the risk of widespread disruption, resource hijacking, and potential lateral movement within compromised networks.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by RondoDox and the underlying React2Shell vulnerability. Organizations must upgrade to the patched versions of React and Next.js as detailed in the React Security Advisory and Next.js Security Update: react-server-dom-* 19.0.1, 19.1.2 or 19.2.1, and Next.js 16.0.7 or the backport release for the 15.x line in use. Verify the resolved version in the lockfile rather than the range in package.json, then rebuild and redeploy, because the vulnerable code is compiled into the server bundle. There are no viable workarounds; patching is mandatory.
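To make the version check concrete, here is an added example written for this page (not code from Rescana, React or Next.js) that audits a package-lock.json for resolved versions in the affected ranges stated in the Technical Analysis section. The affected ranges follow the React advisory and Next.js update; the fixed releases encoded are react-server-dom-* 19.0.1/19.1.2/19.2.1 and Next.js 16.0.7 and 15.5.7, and any other 15.x line inside the range is reported conservatively because its backport release is not encoded (add it from the Next.js Security Update). The sample lockfile is constructed.

```python
"""Audit a package-lock.json for React2Shell (CVE-2025-55182) affected versions.

Added example for this page, not code from Rescana, React or Next.js.
Affected ranges follow the React advisory / Next.js security update; the
SAMPLE_LOCK at the bottom is constructed test data.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

# Inclusive affected ranges as stated in the advisories.
AFFECTED_RANGE: Dict[str, Tuple[str, str]] = {
    "react-server-dom-webpack": ("19.0.0", "19.2.0"),
    "react-server-dom-parcel": ("19.0.0", "19.2.0"),
    "react-server-dom-turbopack": ("19.0.0", "19.2.0"),
    "next": ("15.0.0", "16.0.6"),
}

# First fixed release per (major, minor) line. React: 19.0.1 / 19.1.2 / 19.2.1.
# Next.js: 16.0.7 and 15.5.7; other 15.x lines also received backports (see the
# Next.js security update). Until added here those lines are reported
# conservatively, i.e. every version in the range is flagged.
_REACT_FIXED = {(19, 0): "19.0.1", (19, 1): "19.1.2", (19, 2): "19.2.1"}
FIXED: Dict[str, Dict[Tuple[int, int], str]] = {
    "react-server-dom-webpack": _REACT_FIXED,
    "react-server-dom-parcel": _REACT_FIXED,
    "react-server-dom-turbopack": _REACT_FIXED,
    "next": {(16, 0): "16.0.7", (15, 5): "15.5.7"},
}


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Sortable key; a prerelease (e.g. 16.0.7-canary.3) sorts below its release."""
    m = SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), -1 if pre else 0


def is_affected(name: str, version: str) -> bool:
    """True if name@version is in the affected range and below its line's fix."""
    if name not in AFFECTED_RANGE:
        return False
    lo, hi = AFFECTED_RANGE[name]
    k = version_key(version)
    if k[:3] < version_key(lo)[:3]:      # entirely below the range (a canary of lo still counts)
        return False
    fixed = FIXED[name].get((k[0], k[1]))
    if fixed is not None:
        return k < version_key(fixed)    # a fixed point release is known for this line
    return k <= version_key(hi)          # no fix encoded: the whole range is suspect


def audit_lockfile(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (install path, package, version) for affected entries in a
    lockfileVersion 2/3 package-lock.json ("packages" keyed by node_modules path)."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:                      # "" is the root project entry
            continue
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")
        if version and is_affected(name, version):
            findings.append((path, name, version))
    return findings


SAMPLE_LOCK = {  # constructed: one vulnerable next, one vulnerable RSC package, one fixed nested copy
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"next": "16.0.6"}},
        "node_modules/next": {"version": "16.0.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/tool/node_modules/react-server-dom-parcel": {"version": "19.2.1"},
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for path, name, version in audit_lockfile(lock):
        print(f"AFFECTED {name}@{version} ({path})")
```

Run it as `python audit.py package-lock.json`. The comparison is against the first fixed release on the package's own minor line, so 19.0.1 is not flagged while 19.2.0 is, and a canary build below a fix (16.0.7-canary.3) is flagged, matching the advisory's statement that all canary builds are affected. Nested copies under a dependency's own node_modules are checked too, since a transitive react-server-dom-* is just as reachable at runtime.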

Comprehensive auditing and monitoring are essential. The /nuts/poop, /nuts/bolts and /nuts/x86 paths live on the attacker's delivery hosts, so evidence of a successful compromise appears as outbound downloads in proxy, DNS and IDS logs rather than in the application's own access log; the exploit itself is carried in the body of a request to a Server Function endpoint, so the web server records only an ordinary POST. Security teams should therefore review egress logs for those paths and for the known C2 addresses, and monitor hosts for anomalous process activity, crontab modifications, and outbound connections to known C2 infrastructure. Network segmentation should be enforced, isolating IoT devices and critical assets into separate VLANs to limit lateral movement.

At the network level, block the identified C2 IPs and domains at perimeter firewalls and DNS resolvers. Deploy intrusion detection signatures for outbound HTTP requests whose URI matches rondo.*.sh or the /nuts/ payload paths. Behavioral monitoring should focus on process execution from temporary directories, unauthorized permission changes, and background process spawning.
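The detection logic described above, as an added example for this page (not Rescana's tooling): it scans a forward proxy's access log for downloads of the payload paths and the C2 addresses listed in the Technical Analysis section, and checks a crontab for entries that execute from /tmp, /dev/shm or /dev, the persistence and execution indicators given there. It assumes Squid's native log format for the proxy (time, elapsed, client, action/code, size, method, URL, ...); the log lines and the crontab text are constructed. The /dev/null exclusion in the cron check and the generic rondo*.sh filename match are refinements of my own, not from the post.

```python
"""Triage an egress proxy log and a crontab for the RondoDox indicators in the post.

Added example for this page, not Rescana's tooling. Log format assumed:
Squid native access.log. SAMPLE_LOG and SAMPLE_CRONTAB are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Payload paths from the post, plus the rondo*.sh loader-script name pattern.
IOC_PATH = re.compile(r"/nuts/(?:bolts|poop|x86)$|(?:^|/)rondo[\w.-]*\.sh$", re.I)
# Hardcoded C2/delivery IPs named in the post (non-exhaustive; extend from current intel).
IOC_HOSTS = {"74.194.191.52", "70.184.13.47", "41.231.37.153"}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Squid native format: time elapsed client action/code size method url ident hier type."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 7 or not re.fullmatch(r"\d+\.\d+", f[0]):
            continue                                  # not a Squid native line
        client, method, url = f[2], f[5], f[6]
        parts = urlsplit(url if "://" in url else "http://" + url)  # CONNECT logs host:port
        reasons = []
        if IOC_PATH.search(parts.path):
            reasons.append("payload URI " + parts.path)
        if parts.hostname in IOC_HOSTS:
            reasons.append("known C2 host " + parts.hostname)
        if reasons:
            hits.append({"client": client, "method": method, "url": url,
                         "reasons": "; ".join(reasons)})
    return hits


# Commands executed from /tmp, /dev/shm or /dev. /dev/null is excluded because it is
# an ordinary redirect target, not an executable location (my refinement).
TMP_EXEC = re.compile(r"(?<![\w/])(?:/tmp|/dev/shm|/dev(?!/null\b))/\S+")


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Return /etc/crontab lines whose command references a temp-directory path."""
    flagged = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"\w+=", s):
            continue                                  # blank, comment or env assignment
        if TMP_EXEC.search(s):
            flagged.append(s)
    return flagged


SAMPLE_LOG = [  # constructed: two payload fetches from listed C2 IPs, one benign, one loader script
    "1765446000.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://74.194.191.52/nuts/bolts - HIER_DIRECT/74.194.191.52 application/octet-stream",
    "1765446001.456     80 10.0.0.5 TCP_MISS/200 20480 GET http://41.231.37.153/nuts/x86 - HIER_DIRECT/41.231.37.153 application/octet-stream",
    "1765446002.789     30 10.0.0.9 TCP_MISS/200 2048 GET http://registry.example.org/next - HIER_DIRECT/198.51.100.7 application/json",
    "1765446003.000     10 10.0.0.7 TCP_MISS/200 512 GET http://203.0.113.10/rondo.x86.sh - HIER_DIRECT/203.0.113.10 text/x-sh",
]

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /dev/shm/.x/bolts >/dev/null 2>&1
*/1 * * * * root /tmp/.sys/x86 &
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"PROXY  {hit['client']} {hit['method']} {hit['url']}  [{hit['reasons']}]")
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"CRON   {entry}")
```

Feed real Squid lines via `scan_proxy_log(open("/var/log/squid/access.log"))` and the output of `cat /etc/crontab` to `suspicious_cron_entries`. A path match on an unlisted host (the rondo.x86.sh line) is reported on its own, which is what catches the infrastructure rotation the post describes; a listed host is reported even when the path is new.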

Adopt a zero trust architecture for administrative interfaces, requiring VPN or jump host access, multi-factor authentication, and certificate-based authentication where feasible. All administrative actions should be logged to a SIEM platform, with real-time alerting on command execution attempts.

Organizations subject to regulatory requirements should adhere to CISA KEV remediation timelines and report incidents as mandated.

References

BleepingComputer: RondoDox botnet exploits React2Shell flaw to breach Next.js servers https://www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers/

CloudSEK: RondoDoX Botnet Weaponizes React2Shell https://www.cloudsek.com/blog/rondodox-botnet-weaponizes-react2shell

NVD: CVE-2025-55182 https://nvd.nist.gov/vuln/detail/CVE-2025-55182

React Security Advisory https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Next.js Security Update https://nextjs.org/blog/security-update-2025-12-11

AWS Security Blog: China-nexus cyber threat groups rapidly exploit React2Shell https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

Openwall Security Mailing List http://www.openwall.com/lists/oss-security/2025/12/03/4

CISA KEV Catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber threats across their digital supply chain. Our platform leverages real-time intelligence, automated risk scoring, and continuous monitoring to provide actionable insights and enhance organizational resilience. For questions or further assistance, we are happy to help at ops@rescana.com.
