Overview
- CloudSEK reports RondoDox began scanning Next.js servers on December 8 and started large-scale payload deployments three days later.
- The campaign drops a coinminer (“/nuts/poop”), a loader and health checker (“/nuts/bolts”), and a Mirai variant (“/nuts/x86”) on compromised hosts.
- The “/nuts/bolts” component removes competing malware, sets persistence via /etc/crontab, and kills non-whitelisted processes roughly every 45 seconds.
- Shadowserver counts about 90,300 instances vulnerable to React2Shell as of December 31, most of them in the U.S., followed by Germany, France, and India.
- Defenders are advised to upgrade Next.js, isolate IoT devices on dedicated VLANs, deploy WAFs as a stopgap, monitor for suspicious processes, and block known C2 infrastructure.
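A defender-side check for the crontab persistence and the running components described above, added here as an example (not CloudSEK's or the page's code). It assumes the persistence entry and the process command lines reference the component paths named above (the page does not give the exact crontab line); the crontab text and process listing are constructed samples.

```python
import re

# Component paths attributed to the RondoDox campaign on this page.
RONDODOX_INDICATORS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Constructed /etc/crontab sample (not a real capture); the entry referencing
# the loader is an assumption about how the persistence looks.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /tmp/.x/nuts/bolts >/dev/null 2>&1
*/1 *   * * *   root    /tmp/.x/nuts/bolts
"""

# Constructed `ps -eo pid,user,args` style listing (not a real capture).
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  842 node     node server.js
 1337 root     /tmp/.x/nuts/poop
 1338 root     /tmp/.x/nuts/x86
"""

def parse_crontab(text):
    """Yield (schedule, user, command) from system-crontab text, skipping
    blank lines, comments and VAR=value assignments (system crontab has a
    user column, unlike per-user crontabs)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):              # @reboot / @daily shorthand
            fields = line.split(None, 2)
        else:                                 # m h dom mon dow user command
            fields = line.split(None, 6)
            fields = [" ".join(fields[:5])] + fields[5:]
        if len(fields) == 3:
            yield tuple(fields)

def flag_crontab(text, indicators=RONDODOX_INDICATORS):
    """Return crontab entries whose command references a known component path."""
    return [e for e in parse_crontab(text) if any(i in e[2] for i in indicators)]

def flag_processes(ps_text, indicators=RONDODOX_INDICATORS):
    """Return (pid, command) for processes whose command line matches an indicator."""
    hits = []
    for line in ps_text.splitlines()[1:]:     # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and any(i in parts[2] for i in indicators):
            hits.append((int(parts[0]), parts[2]))
    return hits

if __name__ == "__main__":
    print("crontab:", flag_crontab(SAMPLE_CRONTAB))
    print("processes:", flag_processes(SAMPLE_PS))
```

On a live host, feed the functions the contents of /etc/crontab and the output of `ps -eo pid,user,args` instead of the constructed samples.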