2 min read | Saved February 14, 2026
Do you care about this?
Researchers revealed a nine-month campaign exploiting the React2Shell vulnerability to build the RondoDox botnet. The botnet scans for vulnerable devices and installs various malware, including cryptocurrency miners and a Mirai variant. Organizations are urged to update software and implement security measures to defend against these attacks.
If you do, here's more
Cybersecurity researchers have uncovered a nine-month campaign targeting Internet of Things (IoT) devices and web applications, resulting in the creation of a botnet named RondoDox. The operation, active since early 2025, exploits the React2Shell vulnerability (CVE-2025-55182), a critical flaw in React Server Components and Next.js, allowing unauthenticated access and remote code execution. As of December 31, 2025, about 90,300 vulnerable instances were identified, with the majority located in the U.S. (68,400), followed by Germany, France, and India.
RondoDox has expanded its capabilities by incorporating several N-day vulnerabilities, such as CVE-2023-1389 and CVE-2025-24893. The campaign has progressed through three phases: initial reconnaissance and vulnerability scanning, mass probing of web applications and IoT devices, and finally, large-scale automated deployments. In December 2025, attackers focused on identifying vulnerable Next.js servers. They deployed various malicious tools, including cryptocurrency miners and a variant of the Mirai botnet.
One of the key tools, "/nuts/bolts," not only installs the main bot binary but also actively removes competing malware and sets up persistence mechanisms. Every 45 seconds it checks running processes and terminates any that aren't whitelisted, protecting its foothold against reinfection by rival malware. To counter these threats, organizations should promptly update their Next.js versions, isolate IoT devices on dedicated VLANs, deploy Web Application Firewalls, and monitor for unusual process activity.
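The 45-second process-killing loop described above is itself a detectable cadence. The following is an added example, not code from the article or the researchers' report: it takes a constructed stream of process-termination events (the line format and field names are assumptions, not a real EDR or auditd schema) and flags any process whose kill bursts recur at that interval.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: "<epoch_seconds> killer_pid=<pid> killed=<name>"; pid 4242 mimics the 45 s loop, pid 777 is noise.
SAMPLE_EVENTS = """\
1000 killer_pid=4242 killed=xmrig
1001 killer_pid=4242 killed=busybox
1045 killer_pid=4242 killed=xmrig
1046 killer_pid=4242 killed=wget
1090 killer_pid=4242 killed=xmrig
1135 killer_pid=4242 killed=curl
1180 killer_pid=4242 killed=xmrig
1003 killer_pid=777 killed=bash
1600 killer_pid=777 killed=python3
"""

def parse_events(text):
    """Parse the constructed event lines into (timestamp, killer_pid, killed) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((int(ts), int(kv["killer_pid"]), kv["killed"]))
    return events

def burst_starts(timestamps, gap=5):
    """Collapse kills within `gap` seconds of each other into one burst; return burst start times."""
    starts, last = [], None
    for t in sorted(timestamps):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts

def find_periodic_killers(events, period=45, tolerance=3, min_bursts=3):
    """Return {killer_pid: (burst_count, mean_gap)} for processes whose kill bursts recur every ~period s."""
    by_pid = defaultdict(list)
    for ts, pid, _ in events:
        by_pid[pid].append(ts)
    hits = {}
    for pid, stamps in by_pid.items():
        starts = burst_starts(stamps)
        if len(starts) < min_bursts:
            continue  # too few bursts to establish a cadence
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            hits[pid] = (len(starts), mean(gaps))
    return hits
```

On the constructed sample, `find_periodic_killers(parse_events(SAMPLE_EVENTS))` returns `{4242: (5, 45)}`; pid 777 is ignored because it produced only two bursts.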