RondoDoX Botnet Weaponizes React2Shell
A persistent nine-month RondoDoX botnet campaign has been targeting IoT devices and web applications. The threat actors have recently shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads such as 'React2Shell' and cryptominers. The campaign, spanning March to December 2025, shows quick adaptation to the latest attack trends. The activity is divided into three phases: initial reconnaissance, web application exploitation, and IoT botnet deployment. The attackers have been using multiple command and control servers and deploying various malware variants. The campaign intensified in December 2025 with a focus on Next.js exploitation. The impact includes widespread IoT device compromise, risk to Next.js applications, credential harvesting, and persistent multi-architecture threats.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cloudsek.com/blog/rondodox-botnet-weaponizes-react2shell
- Adversary: RondoDoX
- Pulse Id: 6952dc1e4da675337033a2e2
- Threat Score: null
Threat ID: 6952f31571a94549f1568527
Added to database: 12/29/2025, 9:31:01 PM
Last updated: 12/30/2025, 5:15:34 AM