RondoDox Botnet Targets Devices Vulnerable to React2Shell Exploit


RondoDox Campaign Exploits Open-Source Vulnerability to Compromise IoT Devices

A campaign by a botnet has utilized React2Shell exploits to target IoT devices and web applications on a large scale. (Image: Shutterstock)

Security researchers have reported a large botnet campaign that uses React2Shell exploits to compromise IoT devices and internet-facing web applications. The campaign, attributed to the RondoDox botnet, has been active since March 2025 and in December began exploiting the React2Shell flaw in Meta’s open-source React framework.

Researchers from CloudSEK identified the campaign and highlighted RondoDox’s distinctive habit of disguising its traffic as gaming-platform or VPN traffic to evade detection. Earlier attacks targeted widely deployed web applications such as WordPress, Drupal, Struts 2 and WebLogic, giving the attackers a foothold on critical systems before they moved on to harvesting credentials for IoT devices from vendors such as D-Link, TP-Link and Netgear.

The RondoDox campaign shows how quickly the botnet adopts newly disclosed vulnerabilities, and its tradecraft goes beyond simply dropping a payload. The vulnerability it exploits, tracked as CVE-2025-55182 and nicknamed React2Shell, carries the maximum CVSS score of 10.0. Its exploitation has drawn a range of threat actors, including state-sponsored groups linked to China and North Korea.

As of early December, more than 77,000 IP addresses were assessed as exposed to the React2Shell flaw. Recent targets have included organizations running Next.js Server Actions, which CloudSEK reads as a shift toward full server compromise through the deserialization flaw reachable via Server Actions.

In addition to deploying cryptocurrency miners, the attackers have used Mirai IoT malware to build a Linux-based botnet and maintain persistence inside compromised networks. CloudSEK recommends reviewing every Next.js application that uses Server Actions (and updating it to a patched React and Next.js release), disabling remote management interfaces, and isolating IoT devices from the rest of the network.
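A first step in that review is finding out which deployed applications still pin React Server Components or Next.js builds that predate the fix. The script below is an added example, not code from CloudSEK or the React or Next.js projects: it walks a package-lock.json (lockfile v2/v3 layout) and classifies each in-scope package against a table of first-patched versions. That table, the package names, and the sample lockfile are my assumptions and are not stated on this page; confirm the version thresholds against the vendor advisories for CVE-2025-55182 before acting on the output.

```python
"""Flag lockfile entries that predate the React2Shell (CVE-2025-55182) fixes.

Added example; not the page's, CloudSEK's or the React project's code.
PATCHED is my reading of the React and Next.js advisories (assumption):
per package and release line, the first patch-level release with the fix.
"""
import json
import re

# (major, minor) -> first patched patch number.  ASSUMED; verify upstream.
_RSC_LINES = {(19, 0): 1, (19, 1): 2, (19, 2): 1}
PATCHED = {
    "react-server-dom-webpack": _RSC_LINES,
    "react-server-dom-parcel": _RSC_LINES,
    "react-server-dom-turbopack": _RSC_LINES,
    "next": {(15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6,
             (15, 4): 8, (15, 5): 7, (16, 0): 7},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Return (major, minor, patch, prerelease-or-None), or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def status(package, version):
    """Classify one dependency.

    Returns None when the package is out of scope, otherwise one of
    'vulnerable', 'patched', 'unlisted' (release line not in the table,
    review manually) or 'unknown' (version string not parseable, e.g. a tag).
    """
    table = PATCHED.get(package)
    if table is None:
        return None
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major, minor, patch, pre = parsed
    first_fixed = table.get((major, minor))
    if first_fixed is None:
        return "unlisted"
    if patch < first_fixed:
        return "vulnerable"
    # A prerelease of the fix version (19.2.1-canary-...) sorts before the fix.
    if patch == first_fixed and pre is not None:
        return "vulnerable"
    return "patched"


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; '' (root project) -> None."""
    if not path:
        return None
    return path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock_json):
    """Return sorted (name, version, status) triples for every in-scope entry,
    including nested copies under other packages' node_modules."""
    lock = json.loads(lock_json)
    results = []
    for path, info in lock.get("packages", {}).items():
        name = package_name(path)
        if name is None:
            continue
        s = status(name, info.get("version", ""))
        if s is not None:
            results.append((name, info.get("version", ""), s))
    return sorted(results)


# Constructed sample lockfile (not a real project): one patched top-level
# Next.js, a vulnerable RSC package, and a stale nested copy of Next.js.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/next": {"version": "15.5.7"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-tool/node_modules/next": {"version": "15.4.2"},
    },
})

if __name__ == "__main__":
    for name, version, s in scan_lockfile(SAMPLE_LOCK):
        print(f"{s:10s} {name}@{version}")
```

Two caveats when running this against real projects: Next.js ships its own compiled copy of the RSC runtime, so the `next` entry must be checked in its own right rather than relying on a standalone `react-server-dom-*` pin; and a lockfile only proves what was installed, not what is deployed, so the same check belongs in the build pipeline or against the artifact actually serving traffic.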

This incident underscores the need for organizations to stay vigilant and proactive about their security posture, particularly where open-source frameworks and IoT devices are concerned. Understanding the tactics catalogued in the MITRE ATT&CK framework, such as initial access, persistence and privilege escalation, is essential for organizations seeking to defend their systems against increasingly sophisticated threats of this kind.
