RondoDox botnet React2Shell malware deployment against Next.js servers
Malware Activity
Summary
Hide ▲
Show ▼
The RondoDox botnet is exploiting CVE-2025-55182 (React2Shell) to compromise Next.js servers, turning exposed systems into malware hosts and expanding botnet reach. Activity escalated in December 2025 after scanning began on December 8 and payload deployment followed three days later. The infection chain includes a coinminer, a botnet loader/health checker, and a Mirai variant, which increases persistence and abuse potential. The scale is significant because more than 94,000 internet-exposed assets were reported vulnerable to React2Shell.
Cases
Related Happenings
JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices
Malware Activity
H score33
First: 10.06.2026 19:08
Last: 10.06.2026 19:08
Sources 1
About this happening:
The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...
JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices
Malware ActivityAbout this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...
JDY botnet expanded reconnaissance and flaw-focused scanning activity
Malware Activity
H score27
First: 10.06.2026 18:00
Last: 10.06.2026 18:00
Sources 1
About this happening:
The **JDY botnet** has expanded its **reconnaissance and flaw-focused scanning**, increasing the risk that exposed infrastructure will be rapidly identified and targeted. Research...
JDY botnet expanded reconnaissance and flaw-focused scanning activity
Malware ActivityAbout this happening: The **JDY botnet** has expanded its **reconnaissance and flaw-focused scanning**, increasing the risk that exposed infrastructure will be rapidly identified and targeted. Research...
Glassworm botnet command-and-control disruption
Malware Activity
H score10
First: 27.05.2026 17:00
Last: 27.05.2026 17:00
Sources 1
About this happening:
The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...
Glassworm botnet command-and-control disruption
Malware ActivityAbout this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
H score27
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware ActivityAbout this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
H score89
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation WaveAbout this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
Timeline
-
31.12.2025 16:58 1 articles · 6mo ago
RondoDox starts scanning vulnerable Next.js servers
Campaign Scope UpdateRondoDox begins scanning for vulnerable Next.js servers that implement the React Server Components 'Flight' protocol, targeting systems exposed to CVE-2025-55182 (React2Shell).
Show sources
- RondoDox botnet exploits React2Shell flaw to breach Next.js servers — www.bleepingcomputer.com — 31.12.2025 16:58
-
31.12.2025 16:58 1 articles · 6mo ago
RondoDox begins deploying botnet clients against Next.js servers
Exploitation ObservedThree days after scanning begins, RondoDox starts deploying botnet clients against vulnerable Next.js servers and stages payloads including a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai variant (/nuts/x86).
Show sources
- RondoDox botnet exploits React2Shell flaw to breach Next.js servers — www.bleepingcomputer.com — 31.12.2025 16:58
-
31.12.2025 16:58 2 articles · 6mo ago
RondoDox React2Shell activity and exposure totals are summarized
Technical Analysis UpdateRondoDox activity against React2Shell-exposed Next.js servers includes over 40 exploit attempts within six days in December, hourly IoT exploitation waves targeting Linksys and Wavlink routers, and loader behavior that removes competing botnet malware, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds; more than 94,000 internet-exposed assets were vulnerable to React2Shell as of December 30.
Show sources
- RondoDox botnet exploits React2Shell flaw to breach Next.js servers — www.bleepingcomputer.com — 31.12.2025 16:58
- RondoDox botnet exploits React2Shell flaw to breach Next.js servers — www.bleepingcomputer.com — 31.12.2025 16:58