The RondoDoX botnet campaign is a sophisticated, persistent threat active over nine months in 2025, targeting both IoT devices and web applications built on Next.js, a widely used React framework for server-side rendering. The campaign exploits a critical vulnerability dubbed React2Shell, which allows remote code execution on vulnerable Next.js servers. The attack unfolds in three distinct phases: initial reconnaissance to identify vulnerable targets, exploitation of Next.js web applications to deploy malicious payloads such as React2Shell and cryptominers, and finally the deployment of a botnet composed of compromised IoT devices. The attackers operate multiple command and control servers to manage infected devices and deploy various malware variants, including multi-architecture threats that complicate detection and remediation. The botnet leverages compromised IoT devices to increase attack scale and persistence, enabling credential harvesting and lateral movement within networks. Despite no official CVE or patch availability, the threat actors exploit publicly known weaknesses in Next.js applications, which are prevalent in modern web development. The campaign's use of IoT devices expands the attack surface and challenges mitigation due to the diversity and often weak security of IoT ecosystems. The campaign intensified in December 2025, demonstrating rapid adaptation to emerging vulnerabilities and attack trends, underscoring the operational sophistication of the RondoDoX adversary.

European organizations face significant risks from this campaign, especially those deploying Next.js for web applications and relying on IoT devices in critical infrastructure. Unauthorized code execution on Next.js servers can lead to data theft, service disruption, and unauthorized access to sensitive information. The compromise of IoT devices facilitates large-scale botnet formation, enabling distributed denial-of-service (DDoS) attacks, cryptomining operations that degrade device performance, and further lateral movement within networks. Credential harvesting threatens both user and administrative accounts, increasing the risk of broader network compromise. The persistence of multi-architecture malware complicates detection and remediation efforts, potentially leading to prolonged exposure. Sectors such as manufacturing, healthcare, and smart city deployments, which heavily utilize IoT devices, are particularly vulnerable. The campaign’s rapid adaptation to new vulnerabilities increases the likelihood of sustained exploitation within European networks, potentially impacting confidentiality, integrity, and availability of critical services.

European organizations should immediately conduct comprehensive security assessments of all Next.js web applications to identify and remediate vulnerabilities, even in the absence of official patches. Deploy runtime application self-protection (RASP) and web application firewalls (WAF) with updated signatures specifically targeting React2Shell exploitation attempts. Implement strict network segmentation to isolate IoT devices from corporate and critical infrastructure networks, minimizing lateral movement opportunities. Enforce strong access controls and multi-factor authentication (MFA) on all administrative and user accounts to protect credentials. Regularly update and patch IoT device firmware where possible, and replace unsupported or insecure devices to reduce attack surface. Deploy advanced network monitoring and anomaly detection solutions to identify unusual traffic patterns indicative of botnet activity or cryptomining. Utilize threat intelligence feeds to block known malicious IP addresses and file hashes associated with RondoDoX. Conduct targeted employee awareness training focused on recognizing suspicious activity related to web applications and IoT devices. Finally, develop and regularly test incident response plans tailored to botnet and web application exploitation scenarios to ensure rapid containment and recovery.