January 6, 2026 By Jeffrey Burt
The bad actors behind the RondoDox botnet are showing themselves to be highly adaptable and able to embrace changing attack trends, the latest example being the recent discovery that they are using the high-profile React2Shell vulnerability as an initial access route.
Security researchers with CloudSEK and Rewterz both wrote in recent reports that the RondoDox botnet operators were among the large number of nation-state and financially motivated threat groups that converged on the maximum-severity flaw – tracked as CVE-2025-55182 – within days of it being disclosed.
It’s the latest avenue pursued by the threat actors since the RondoDox campaign began earlier last year, according to the researchers, who added that the campaign has progressed through three distinct phases.
“The activity spans from March 2025 to December 2025, showing quick adaptation to latest trends in attacks by the threat actor group, not limiting themselves to deploying botnet payloads, web shells, and cryptominers – but also weaponizing the latest Next.js vulnerability,” the CloudSEK researchers wrote.
Rewterz researchers added in their report that “active since early 2025, the campaign has steadily expanded in scale and sophistication, leveraging both newly disclosed and previously known vulnerabilities to compromise systems.”