RondoDoX Botnet Weaponizes React2Shell
ID: 6b5c14aa-a0d5-5bf6-a158-69538b910653
STIX ID: report--6b5c14aa-a0d5-5bf6-a158-69538b910653
Feed Name: CloudSEK Blog
**Executive Summary:** CloudSEK observed a multi-phase RondoDoX botnet campaign (March–December 2025) that combined web-application exploitation (WordPress, Drupal, Struts2, WebLogic) and IoT targeting to deploy multi-architecture botnet clients, coinminers and persistence loaders; a December wave actively exploited a Next.js Server Actions RCE to download and execute ELF payloads. The report includes attack timelines, confirmed C2 infrastructure and hashes, observable TTPs, and prioritized remediation guidance (Next.js patching, IoT segmentation, WAFs, and network blocks for identified C2s).
