Cybersecurity investigators have revealed a sophisticated nine-month campaign that has been actively compromising web applications and Internet of Things devices to build a massive botnet called RondoDox. Starting in late 2025, the threat actors began focusing on a critical security flaw known as React2Shell, which affects React Server Components and Next.js. This vulnerability is particularly dangerous because it allows unauthenticated individuals to execute code remotely, and global scanning data indicates that over 90,000 systems remain unpatched and vulnerable to this specific exploit.
The RondoDox botnet has shown a consistent ability to evolve since its initial appearance in early 2025 by incorporating a rotating list of security vulnerabilities into its toolset. Before targeting the latest Next.js flaw, the operation moved through several strategic phases, beginning with manual reconnaissance and gradually escalating to high-frequency automated deployments. This systematic approach has allowed the botnet to grow steadily, shifting from simple vulnerability probing to a massive, hourly deployment strategy that targets diverse technologies ranging from routers to popular content management systems.
In the most recent wave of attacks, the group behind RondoDox uses scanning tools to pinpoint susceptible servers and then delivers a multi-stage payload. This infection process drops several different components onto the target device, including a cryptocurrency miner and a specialized botnet loader. These files are typically stored in hidden directories and are designed to turn the compromised hardware into a revenue-generating tool for the attackers while maintaining a permanent foothold on the network.
One of the more distinctive features of this campaign is the behavior of its loader and health checker tool. This component acts as a defensive mechanism for the malware by actively searching for and terminating any rival cryptocurrency miners or botnets already present on the system. It even goes as far as removing Docker-based payloads and cleaning up artifacts from previous infections. By constantly scanning running processes and killing anything not on its own whitelist, the RondoDox malware ensures it has exclusive control over the infected device's resources.
To maintain its presence, the malware installs persistence mechanisms through system scheduling tools, ensuring it survives reboots and continues to run in the background. Because of the high risk of infection, security experts urge administrators to update their Next.js environments to the latest patched versions immediately. Furthermore, organizations are encouraged to use network segmentation for IoT devices and implement web application firewalls to block the specific exploitation attempts and command-and-control communications associated with this persistent threat.
Source: RondoDox Botnet Exploits React2Shell To Hijack IoT And Web Servers
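As an added example (not code from the article or from the researchers it cites), here is a small Python triage script for the persistence pattern the post describes: scheduled entries that launch a binary from a hidden or temp directory and silence their output. The crontab lines are constructed, and the regexes and thresholds are my own assumptions, not published indicators.

```python
import re
from typing import Dict, List

# Constructed sample crontab; these paths are illustrative, not indicators from the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.cache/.x/loader >/dev/null 2>&1
@reboot /var/tmp/.hidden/miner --config /var/tmp/.hidden/cfg.json
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Five schedule fields, or an @-shortcut such as @reboot, followed by the command.
ENTRY_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")
# A dot-prefixed directory component somewhere in the executable path, e.g. /tmp/.cache/x
HIDDEN_DIR_RE = re.compile(r"(?:^|/)\.[^/\s]+/")
# World-writable locations that legitimate scheduled jobs rarely execute from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Return each non-comment crontab entry with its command portion."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"line": line, "cmd": m.group("cmd").strip()})
    return entries

def reasons_for(cmd: str) -> List[str]:
    """List the heuristics a scheduled command trips; empty means nothing notable."""
    reasons = []
    exe = cmd.split()[0]
    if HIDDEN_DIR_RE.search(exe):
        reasons.append("hidden_dir")
    if exe.startswith(TEMP_DIRS):
        reasons.append("temp_dir")
    if ">/dev/null" in cmd.replace(" ", ""):
        reasons.append("silenced_output")
    return reasons

def suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Entries worth a human look, each with the reasons it was flagged."""
    flagged = []
    for entry in parse_crontab(text):
        reasons = reasons_for(entry["cmd"])
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged
```

In practice you would feed it the output of `crontab -l` for each user plus `/etc/crontab` and `/etc/cron.d/*`, and treat a hit as a prompt to inspect the binary, not as proof of compromise.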
The multi-stage payload approach with a health checker that actively kills rival miners is pretty sophisticated for botnet operations. Most campaigns just drop their payload and hope for the best, but this one ensuring exclusive resource control by cleaning up competitors shows they've learned from fragmented botnet ecosystems. The fact that 90k systems are still vulnerable to React2Shell nine months into the campaign is wild though, especially considering how widely Next.js is deployed in production environments.