Just as developers breathe a sigh of relief and the holidays bring a bit of calm, the cyber world was reminded that modern code can be as vulnerable as an unlocked front door. A stealthy digital menace known as the RondoDox botnet has been quietly sweeping across the internet, exploiting a critical flaw in React Server Components, dubbed “React2Shell” (CVE-2025-55182), to compromise servers, hijack devices, and unleash cryptominers and malware far and wide.
React2Shell isn’t just another bug; it’s a devastating remote code execution flaw in React and Next.js that requires no authentication to take over a vulnerable system. This weakness has made it a golden target for attackers, and RondoDox’s operators wasted no time weaving it into their attack playbook.
Security researchers now believe this campaign has been underway for nearly nine months, evolving through a series of phases. From early reconnaissance and web-app scanning to full-blown automated exploitation, the botnet has grown more aggressive and adaptive over time. By December 2025, the attackers began aggressively scanning for exposed Next.js servers, injecting miners, custom malware loaders, and even Mirai-style bot components that turn unsuspecting machines into soldiers in their expanding army.
What makes RondoDox especially troublesome isn’t just its scale (tens of thousands of systems are still exposed) but its opportunistic mix of tools. It kills competing malware, establishes persistence, and maintains contact with its command-and-control servers, all while quietly digging for fresh victims.
Experts warn that without urgent patching, firewalls, and vigilant monitoring, this kind of automated threat will continue to overshadow even holiday cheer. For defenders, the message is clear: update, segment, and stay alert, because the botnet storm shows no sign of letting up.