Update: RondoDoX Botnet Expands Operations by Weaponizing Next.js “React2Shell” Exploitation
CloudSEK has documented a sustained, nine-month RondoDoX botnet campaign spanning March through December 2025, based on exposed command-and-control logs that reveal a highly adaptive and persistent threat operation. Initially focused on broad vulnerability probing across web applications and network devices, the campaign evolved through distinct phases, progressing from manual reconnaissance to fully automated, hourly exploitation. Over time, the operators expanded their tooling beyond traditional botnet loaders and cryptominers, incorporating exploitation of widely deployed platforms such as WordPress, Drupal, Struts2, WebLogic, and a broad range of consumer and enterprise IoT devices. By mid-2025, RondoDoX had established a mature multi-architecture botnet ecosystem, deploying numerous variants designed to dominate compromised hosts, remove competing malware, and enforce long-term persistence through aggressive process killing and cron-based mechanisms. In December 2025, the campaign escalated by actively weaponizing a critical Next.js Server Actions vulnerability, enabling remote code execution via prototype pollution and unsafe deserialization. Threat actors rapidly shifted infrastructure following public disclosure of early exploitation, deploying new C2 servers and using Node.js-based payload delivery to install cryptominers, Mirai variants, and Rondo-specific loaders directly on vulnerable servers. This phase demonstrates the group’s ability to quickly operationalize emerging vulnerabilities at scale, blending web application compromise with IoT botnet expansion to enable lateral movement, credential exposure, and persistent multi-platform control.
The RondoDoX activity highlights the increasing convergence of web exploitation and IoT botnet operations, underscoring the need for rapid patching of internet-facing frameworks, strict segmentation of embedded devices, and continuous behavioral monitoring to detect fileless execution, botnet cleanup routines, and outbound connections to evolving attacker infrastructure.
Trojanized “Eternl Desktop” Wallet Campaign Drops RMM Tool for Persistent Access
A newly observed crypto-themed malware campaign is circulating within the Cardano community, abusing governance narratives and staking incentives to distribute a trojanized Windows installer posing as “Eternl Desktop.” The campaign uses a professionally written announcement email referencing Atrium participation, the Diffusion Staking Basket, and token rewards to establish credibility and urgency, presenting the software as a secure, “local-first” alternative to browser-based wallets. Despite the polished messaging, no confirmation of this release exists on official Eternl channels, and the download infrastructure relies on a newly registered domain delivering a standalone MSI installer, a high-risk pattern frequently associated with malicious wallet distribution. Analysis of the installer shows it does not deploy a legitimate Cardano wallet. Instead, the MSI installs LogMeIn Resolve in unattended mode, a full-featured Remote Monitoring and Management (RMM) agent that provides persistent remote access without user interaction. The embedded updater installs configuration files that enable unattended control and attempt outbound connections to GoTo Resolve infrastructure, consistent with the pre-positioning behavior observed in prior crypto malware campaigns. While LogMeIn Resolve is a legitimate enterprise tool, its silent installation inside a wallet installer strongly indicates abuse, as RMM software is commonly leveraged by threat actors for long-term access prior to follow-on activity, including credential harvesting, wallet compromise, or manual post-exploitation. The newly created download domain, lack of integrity verification, MSI-based wallet delivery, and covert deployment of an unattended RMM agent point to a high-confidence trojanized wallet campaign rather than a benign or misconfigured release.
Users should avoid installing the software, and organizations monitoring crypto-related threats should treat this activity as a trending initial-access technique combining social engineering with legitimate remote access tooling to quietly establish persistence on victim systems.
Update: GlassWorm Expands to macOS with Encrypted Payloads and Wallet-Focused Capabilities
Researchers from Koi have identified a new wave of activity tied to the GlassWorm threat actor, marking a significant operational pivot from Windows to macOS. The latest campaign was uncovered after multiple malicious extensions on the Open VSX marketplace were flagged through behavioral analysis and infrastructure correlation. While the tooling has changed, core tradecraft remains consistent, with extensions retrieving live command-and-control endpoints from the Solana blockchain before executing attacker-supplied payloads. Infrastructure overlap, including reuse of an IP address observed in earlier waves, confirms this activity is a direct continuation rather than a copycat effort. The campaign has already accumulated roughly 50,000 downloads, indicating meaningful early-stage reach within developer ecosystems. This shift reflects a deliberate targeting of environments with high macOS adoption, particularly among developers and cryptocurrency-focused users. From a technical perspective, GlassWorm continues to evolve in response to prior disclosures, replacing earlier Unicode and Rust-based approaches with AES-256-CBC-encrypted payloads embedded in compiled JavaScript. The malware introduces execution delays that exceed common sandbox timeouts, enabling it to evade automated analysis while remaining dormant until post-installation. Most notably, the new macOS-focused payload introduces logic to replace legitimate hardware wallet applications with trojanized versions, representing a clear escalation beyond mere credential theft. Although wallet replacement payloads were not fully active at the time of analysis, supporting code paths and validation checks indicate the capability is operational and awaiting deployment. In parallel, the malware retains broad data-stealing capabilities, including browser-based cryptocurrency wallets, developer credentials, SSH keys, and macOS Keychain data.
Taken together, this wave demonstrates a mature, adaptive threat actor that actively monitors defensive research and incrementally expands both its target surface and post-compromise impact.
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.