The RondoDoX botnet has resurfaced with a potent new arsenal, shifting its sights from simple routers to enterprise-grade web frameworks. A new intelligence report from CloudSEK details a sprawling nine-month campaign that has weaponized cutting-edge vulnerabilities to compromise systems ranging from smart home devices to corporate servers running Next.js.
The discovery comes after researchers stumbled upon a treasure trove of evidence left behind by the attackers themselves: exposed command-and-control (C2) logs documenting their operations from March 2025 to December 2025.
“CloudSEK discovered another wave of RondoDoX botnet exploitation through exposed command and control logs spanning nine months,” the report confirms.
The most alarming evolution in RondoDoX’s tactics is its rapid adoption of new exploits. While many botnets rely on years-old vulnerabilities, RondoDoX has moved quickly to integrate the “React2Shell” exploit targeting Next.js, a popular framework used by major enterprises.
The researchers noted the group is “showing quick adaptation to latest trends in attacks by the threat actor group, not limiting themselves to deploying botnet payloads, web shells, and cryptominers – but also weaponizing the latest Next.js vulnerability”.
This shift poses a critical threat to modern web infrastructure. “Enterprises running Next.js Server Actions (especially versions vulnerable to prototype pollution attacks) face critical RCE exposure with active exploitation observed recently.” The flaw is devastatingly effective, as it “allows complete server compromise through deserialization flaws in Server Actions”.
While expanding into web servers, RondoDoX has not abandoned its traditional hunting grounds. The botnet continues to launch “automated hourly exploitation attempts” against a wide array of Internet of Things (IoT) hardware.
The report highlights a “widespread IoT device compromise,” with targets including internet-facing routers from major brands like D-Link, TP-Link, Netgear, Linksys, and ASUS, as well as IP cameras.
To ensure maximum reach, the malware is designed to run on almost anything. “The botnet deploys binaries for x86, x86_64, MIPS, ARM, and PowerPC architectures with multiple fallback mechanisms,” ensuring it can infect diverse environments from cloud instances to embedded edge devices.
Once inside, RondoDoX doesn’t just install itself; it actively hunts down and removes rival malware to claim exclusive control over the device.
According to CloudSEK, the malware “continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors”.
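The process-killing behaviour described above leaves a distinctive trace on any host that audits kill(2): one process sending SIGKILL to many distinct PIDs in a short window, repeating on a fixed cadence. The following is an added detection example, not code from CloudSEK's report; it assumes an x86_64 Linux host running auditd with a rule such as `-a always,exit -F arch=b64 -S kill -F a1=9`, and the audit records, process names and PIDs are constructed and abbreviated.

```python
import re
from collections import defaultdict

# Fields we need from a raw auditd SYSCALL record; x86_64 numbering (arch=c000003e).
_REC = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?arch=c000003e syscall=(?P<nr>\d+) "
    r".*?a0=(?P<a0>[0-9a-f]+) a1=(?P<a1>[0-9a-f]+) .*? pid=(?P<pid>\d+) "
    r".*?comm=\"(?P<comm>[^\"]*)\" exe=\"(?P<exe>[^\"]*)\""
)
KILL_NR, SIGKILL = 62, 9  # kill(2) syscall number on x86_64; signal 9

# Constructed, abbreviated audit records: pid 1337 kills three PIDs in 2 s and repeats ~45 s
# later; pid 2000 (an operator shell) kills one PID and SIGTERMs another. Not real IoCs.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1733000000.101:501): arch=c000003e syscall=62 success=yes exit=0 a0=2bc a1=9 a2=0 a3=0 items=0 ppid=1 pid=1337 uid=0 comm="suspect" exe="/tmp/suspect" key="sigkill"',
    'type=SYSCALL msg=audit(1733000001.102:502): arch=c000003e syscall=62 success=yes exit=0 a0=2bd a1=9 a2=0 a3=0 items=0 ppid=1 pid=1337 uid=0 comm="suspect" exe="/tmp/suspect" key="sigkill"',
    'type=SYSCALL msg=audit(1733000002.103:503): arch=c000003e syscall=62 success=yes exit=0 a0=2be a1=9 a2=0 a3=0 items=0 ppid=1 pid=1337 uid=0 comm="suspect" exe="/tmp/suspect" key="sigkill"',
    'type=SYSCALL msg=audit(1733000010.200:510): arch=c000003e syscall=62 success=yes exit=0 a0=1f4 a1=9 a2=0 a3=0 items=0 ppid=900 pid=2000 uid=1000 comm="bash" exe="/usr/bin/bash" key="sigkill"',
    'type=SYSCALL msg=audit(1733000011.201:511): arch=c000003e syscall=62 success=yes exit=0 a0=1f5 a1=f a2=0 a3=0 items=0 ppid=900 pid=2000 uid=1000 comm="bash" exe="/usr/bin/bash" key="sigkill"',
    'type=SYSCALL msg=audit(1733000045.104:530): arch=c000003e syscall=62 success=yes exit=0 a0=2bc a1=9 a2=0 a3=0 items=0 ppid=1 pid=1337 uid=0 comm="suspect" exe="/tmp/suspect" key="sigkill"',
    'type=SYSCALL msg=audit(1733000046.000:531): arch=c000003e syscall=1 success=yes exit=12 a0=1 a1=7f a2=c a3=0 items=0 ppid=1 pid=1337 uid=0 comm="suspect" exe="/tmp/suspect" key="sigkill"',
]

def parse_sigkills(lines):
    """Yield (ts, killer_pid, comm, exe, target_pid) for every SIGKILL sent via kill(2)."""
    for line in lines:
        m = _REC.search(line)
        if not m or int(m["nr"]) != KILL_NR or int(m["a1"], 16) != SIGKILL:
            continue  # other syscalls, other signals, or unparseable lines
        yield int(m["ts"]), int(m["pid"]), m["comm"], m["exe"], int(m["a0"], 16)

def find_process_killers(lines, min_targets=3, window=120):
    """Return processes that SIGKILLed at least `min_targets` distinct PIDs within `window` seconds."""
    by_killer = defaultdict(list)
    for ts, pid, comm, exe, target in parse_sigkills(lines):
        by_killer[(pid, comm, exe)].append((ts, target))
    hits = []
    for (pid, comm, exe), events in by_killer.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window starting at each kill
            targets = {t for ts, t in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits.append({"pid": pid, "comm": comm, "exe": exe, "targets": sorted(targets)})
                break
    return hits

if __name__ == "__main__":
    for hit in find_process_killers(SAMPLE_AUDIT_LOG):
        print(f"mass SIGKILL by pid {hit['pid']} ({hit['exe']}): targets {hit['targets']}")
```

Tune `min_targets` and `window` to the host's normal churn; a service manager restarting a crashed unit kills one PID, not dozens, so the threshold separates the two cleanly on most servers.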
This aggressive persistence, combined with the dual targeting of legacy IoT devices and modern Next.js applications, marks RondoDoX as a highly versatile and dangerous actor in the 2025 threat landscape.