Overview of the RondoDox Botnet Campaign
RondoDox Botnet has driven a long-running cyber campaign that targets IoT devices and web servers across the internet. According to a recent report, attackers sustained this operation for nine months, which therefore shows careful planning and long-term intent. Moreover, the threat actors focused on quietly expanding their botnet while avoiding early detection.
React2Shell as the Main Entry Point
The RondoDox Botnet recently relied on a flaw known as React2Shell to gain initial access. This vulnerability, identified as CVE-2025-55182, carries a critical severity score and therefore allows attackers to execute commands without authentication. However, many organizations failed to apply patches quickly, which made exploitation easy and highly effective.
React2Shell affects React Server Components and Next.js environments that power many modern applications. For example, exposed servers allow attackers to execute remote code directly. As a result, both web platforms and connected devices face serious compromise risks, especially when security controls remain weak.
Scale of Vulnerable Systems Worldwide
A separate research report tracked how widespread the exposure became by late December 2025. It identified more than 90,000 vulnerable systems, which therefore created a massive attack surface. However, the majority of affected systems appeared in the United States, showing uneven patch adoption across regions.
Other impacted areas included parts of Europe and Asia. For example, thousands of exposed servers appeared in Germany, France, and India. Moreover, these figures suggest delayed security updates, and as a result, attackers gained access to many easy targets.
Evolution of the Botnet Arsenal
The RondoDox Botnet first emerged in early 2025 and quickly expanded its capabilities. Since then, attackers added multiple known security flaws to their toolkit, which therefore increased infection success. Moreover, this layered exploitation approach allowed the campaign to persist even when some vulnerabilities became patched.
Earlier research had already warned about React2Shell abuse. However, the campaign continued evolving quietly by combining newer flaws with older ones. As a result, many defensive tools failed to recognize the full threat pattern in time.
Three Phases of the Attack Campaign
The campaign progressed through three distinct phases that reflected increasing automation. First, attackers conducted manual scanning to map vulnerable systems, which therefore helped them fine-tune later attacks. Moreover, this phase allowed careful selection of high-value targets.
Next, the operation shifted to daily mass scanning of web platforms and connected devices. However, activity intensified further when attackers launched hourly automated deployments at scale. As a result, infections spread rapidly across diverse environments.
Payloads and Malware Behavior
By December 2025, the attacks became far more aggressive and structured. The attackers scanned for exposed Next.js servers and then deployed cryptocurrency miners, botnet loaders, and bot variants. Therefore, infected systems served multiple malicious purposes at once.
One loader actively removed competing malware to secure control. For example, it terminated unknown processes every 45 seconds while clearing old artifacts and scheduled tasks. Moreover, it established persistence, and as a result, rival reinfections became difficult.
Why This Threat Matters
This botnet poses serious operational and security risks for organizations. Compromised devices waste computing resources and power, while attackers retain long-term access. Moreover, these systems can support future attacks, and therefore unchecked infections amplify broader cyber threats.
How to Prevent Similar Attacks
Organizations can significantly reduce risk by strengthening preventive controls. Continuous vulnerability monitoring helps identify exposed systems early, while web traffic filtering blocks malicious requests before execution. Moreover, network segmentation limits attacker movement, especially across IoT environments.
In addition, centralized threat detection and rapid incident response help contain infections quickly. As a result, combining proactive monitoring with isolation controls can sharply reduce botnet impact and long-term damage.
Sleep well, we got you covered.
