Find notable cyber news and cases, enriched with sources, timelines, and signals.

RondoDox botnet React2Shell malware deployment against Next.js servers

Malware Activity
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The RondoDox botnet is exploiting CVE-2025-55182 (React2Shell) to compromise Next.js servers, turning exposed systems into malware hosts and expanding botnet reach. Activity escalated in December 2025 after scanning began on December 8 and payload deployment followed three days later. The infection chain includes a coinminer, a botnet loader/health checker, and a Mirai variant, which increases persistence and abuse potential. The scale is significant because more than 94,000 internet-exposed assets were reported vulnerable to React2Shell.

Cases

Related Happenings

JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

Malware Activity
H score33 First: 10.06.2026 19:08 Last: 10.06.2026 19:08 Sources 1

About this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...

JDY botnet expanded reconnaissance and flaw-focused scanning activity

Malware Activity
H score27 First: 10.06.2026 18:00 Last: 10.06.2026 18:00 Sources 1

About this happening: The **JDY botnet** has expanded its **reconnaissance and flaw-focused scanning**, increasing the risk that exposed infrastructure will be rapidly identified and targeted. Research...

Glassworm botnet command-and-control disruption

Malware Activity
H score10 First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
H score27 First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
H score89 First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

Timeline

  1. 31.12.2025 16:58 1 articles · 6mo ago

    RondoDox starts scanning vulnerable Next.js servers

    Campaign Scope Update

    RondoDox begins scanning for vulnerable Next.js servers that implement the React Server Components 'Flight' protocol, targeting systems exposed to CVE-2025-55182 (React2Shell).

    Show sources
  2. 31.12.2025 16:58 1 articles · 6mo ago

    RondoDox begins deploying botnet clients against Next.js servers

    Exploitation Observed

    Three days after scanning begins, RondoDox starts deploying botnet clients against vulnerable Next.js servers and stages payloads including a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai variant (/nuts/x86).

    Show sources
  3. 31.12.2025 16:58 2 articles · 6mo ago

    RondoDox React2Shell activity and exposure totals are summarized

    Technical Analysis Update

    RondoDox activity against React2Shell-exposed Next.js servers includes over 40 exploit attempts within six days in December, hourly IoT exploitation waves targeting Linksys and Wavlink routers, and loader behavior that removes competing botnet malware, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds; more than 94,000 internet-exposed assets were vulnerable to React2Shell as of December 30.

    Show sources