ALL POSTS
Wormable XMRig Campaign Leverages BYOVD and Timed Kill Switch for Stealth
Key Findings
Wormable cryptojacking campaign spreads through pirated software installers
Uses BYOVD (Bring Your Own Vulnerable Driver) technique to gain kernel-level access and boost mining performance
Includes a time-based "kill switch" set to December 23, 2025, triggering a controlled cleanup routine
Exhibits worm-like capabilities, spreading across external storage devices for lateral movement
Modular design separates monitoring features from mining, persistence, and privi
Feb 23 · 2 min read
React2Shell Vulnerability Exploited by RondoDox Botnet for Malware and Cryptojacking Attacks
Key Findings
The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
The RondoDox botnet has been active since 2024 and has evolved through three phases: reconnaissance and vulnerability testing, automated web application exploitation, and large-scale IoT botnet deployment.
The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavli
Jan 12 min read