RondoDox Botnet Exploiting Devices With React2Shell Flaw

The Campaign Compromises Open-Source Vulnerability to Hack IoT Devices at Scale Akshaya Asokan (asokan_akshaya) • January 2, 2026

A botnet campaign has been deploying React2Shell exploits to compromise IoT devices and web-facing applications at scale, security researchers found.

See Also: On Demand | Ransomware in 2025: Evolving Threats, Exploited Vulnerabilities, and a Unified Defense Strategy

Security firm CloudSEK uncovered the campaign and attributed it to the RondoDox botnet. The campaign, launched in March, began exploiting the remote code React2Shell exploit in Meta-developed, open-source React framework in December.

RondoDox is a relatively new botnet known for mimicking traffic from gaming platforms or virtual private network servers to evade detection.

In the latest campaign, the attackers first compromised web applications such as WordPress, Drupal, Struts 2 and WebLogic to gain initial access. The hackers then ...