RondoDox botnet React2Shell malware deployment against Next.js servers

Malware Activity

Happening score: 47 · 1 unique source, 1 article

Summary

The RondoDox botnet is exploiting CVE-2025-55182 (React2Shell) to compromise Next.js servers, turning exposed systems into malware hosts and expanding botnet reach. Activity escalated in December 2025 after scanning began on December 8 and payload deployment followed three days later. The infection chain includes a coinminer, a botnet loader/health checker, and a Mirai variant, which increases persistence and abuse potential. The scale is significant because more than 94,000 internet-exposed assets were reported vulnerable to React2Shell.

Related Happenings

Glassworm botnet command-and-control disruption

Malware Activity
First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources: 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources: 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources: 1

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources: 1

About this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...

Latest development: 09.03.2026 23:45

Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

RondoDox persistent IoT and web app botnet campaign

Campaign
First: 01.01.2026 11:19 Last: 01.01.2026 11:19 Sources: 1

About this happening: **Scattered Lapsus$ Hunters** claimed they breached **Resecurity** and stole internal chats, logs, employee data, threat intelligence reports, and a complete client list, but Rese...

Latest development: 03.01.2026 22:34

Scattered Lapsus$ Hunters claimed they gained full access to Resecurity systems and stole internal chats, logs, employee data, threat intelligence reports, and a complete client list, while Resecurity said the accessed environment was a deliberately deployed honeypot with fake employee, customer, and payment data used to monitor the actor.

Timeline

  1. 31.12.2025 16:58 1 article · 4mo ago

    RondoDox starts scanning vulnerable Next.js servers

    Campaign Scope Update

    RondoDox begins scanning for vulnerable Next.js servers that implement the React Server Components 'Flight' protocol, targeting systems exposed to CVE-2025-55182 (React2Shell).

  2. 31.12.2025 16:58 1 article · 4mo ago

    RondoDox begins deploying botnet clients against Next.js servers

    Exploitation Observed

    Three days after scanning begins, RondoDox starts deploying botnet clients against vulnerable Next.js servers and stages payloads including a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai variant (/nuts/x86).

  3. 31.12.2025 16:58 2 articles · 4mo ago

    RondoDox React2Shell activity and exposure totals are summarized

    Technical Analysis Update

    RondoDox activity against React2Shell-exposed Next.js servers includes over 40 exploit attempts within six days in December and hourly IoT exploitation waves targeting Linksys and Wavlink routers. The loader removes competing botnet malware, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds. More than 94,000 internet-exposed assets were vulnerable to React2Shell as of December 30.
