A sophisticated threat group has intensified its campaign against organizations by leveraging the latest vulnerabilities in web applications and Internet of Things (IoT) devices.
The RondoDoX botnet, tracked through exposed command-and-control logs spanning nine months from March to December 2025, demonstrates a relentless approach to compromising enterprise infrastructure.
The malware operates through a multi-stage infection process that begins with scanning for vulnerable systems and escalates to deploying cryptominers and botnet payloads across diverse network environments.
The campaign reveals three distinct attack phases, each progressively more sophisticated than the last. Initially, threat actors conducted manual vulnerability testing on various platforms.
.webp "RondoDoX Botnet Weaponizing a Critical React2Shell Vulnerability to Deploy Malware 2")
By April 2025, they shifted to automated daily scanning operations targeting multiple web frameworks.
The final phase, beginning in July 2025, escalated attacks to hourly deployment attempts, showcasing the attackers’ commitment to continuous exploitation and infrastructure compromise.
CloudSEK analysts identified the malware through routine scans for malicious infrastructure, uncovering six confirmed command-and-control servers with overlapping operational periods.
The researchers discovered evidence of at least ten botnet variants actively deployed across compromised systems, with command logs revealing detailed attack patterns and infrastructure usage spanning the entire campaign timeline.
The most alarming development emerged in December 2025, when threat actors began weaponizing a critical Next.js vulnerability to deploy React2Shell payloads.
Attack chain
This transition demonstrates the group’s ability to rapidly adapt and adopt newly disclosed security flaws.
The attack chain begins with identification of vulnerable servers through blind remote code execution testing, followed by deployment of ELF binaries that download malicious payloads from active command-and-control infrastructure.
The malware’s infection mechanism reveals sophisticated persistence and evasion capabilities. Once deployed, the botnet establishes persistence through cron job configuration in system files and aggressively terminates competing malware to monopolize system resources.
The payload includes cryptominers and support frameworks designed for long-term dominance on compromised hosts.
The botnet supports multiple processor architectures including x86, x86_64, MIPS, ARM, and PowerPC, with multiple fallback download mechanisms using wget, curl, tftp, and ftp protocols to ensure successful payload delivery across heterogeneous enterprise environments.
Organizations with internet-facing routers, cameras, and applications running Next.js Server Actions face immediate risk.
Network segmentation, immediate patching of vulnerable applications, Web Application Firewall deployment, and continuous monitoring for suspicious process execution in temporary directories remain essential defensive measures.
Additionally, blocking identified command-and-control infrastructure at perimeter firewalls provides critical short-term protection against active exploitation attempts.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
