Campaign
RondoDox botnet pressure on IoT devices and web apps
Updated 03.01.2026 22:34
First seen 01.01.2026 11:19
Last seen 01.01.2026 11:19
Overview
RondoDox is running a persistent botnet campaign against exposed **IoT devices** and **web applications**, and by December 2025 it was exploiting **React Server Components (CVE-2025-55182)** alongside other N-day flaws as one access path into internet-facing systems. The operation began with initial reconnaissance and manual vulnerability scanning in March-April 2025. It then moved into daily mass probing and later hourly automated deployment, which points to a more automated and scalable intrusion pattern.
The exposed surface is broad enough to include **Next.js**, **WordPress**, **Drupal**, **Struts2**, and **Wavlink routers**. Recommended defensive steps include updating **Next.js** where applicable, segmenting IoT devices into VLANs, deploying WAFs, monitoring for suspicious process execution, and blocking known C2 infrastructure. Available evidence does not quantify reach, but it places observed activity in the United States, Germany, France, and India, and the campaign was still active in December 2025.