RondoDox Exploits React2Shell As F5 Lawsuit, ESA Breach And Ransomware Cases Emerge

By Nikhil Khedlekar

Updated on Fri, Jan 2, 2026

Cybersecurity had a packed start to 2026, with one theme repeating across very different headlines: attackers keep moving faster than defenses, disclosures, and even trust.

From a botnet weaponizing a maximum-severity React2Shell flaw to pull IoT devices and web servers into its orbit, to a high-profile public company facing scrutiny over breach disclosures, to a space agency confirming compromised “external servers,” and finally, to cybersecurity insiders admitting they ran ransomware attacks, the week delivered a sharp reminder that the threat surface is everywhere.
 

TL;DR

 
  • Attackers are exploiting critical flaws like React2Shell at scale, rapidly turning unpatched apps and IoT devices into resilient botnets.

  • Cyber incidents are increasingly triggering legal, regulatory, and investor scrutiny, with disclosure timing now as critical as breach impact.

  • Public institutions and space agencies are facing spillover risks as breaches extend beyond core networks into external and collaborative systems.

  • Insider threats remain a growing concern, as skilled security professionals misuse expertise within ransomware-as-a-service ecosystems.

 

How RondoDox Turned React2Shell Into A Botnet On-Ramp


Researchers said a persistent, months-long campaign has been enrolling IoT devices and web applications into the RondoDox botnet, with observed activity leveraging React2Shell (CVE-2025-55182, CVSS 10.0) as an initial access vector as of late December 2025.

React2Shell is an unauthenticated RCE issue affecting React Server Components and commonly used stacks like Next.js, enabling attackers to execute code via crafted requests on vulnerable systems.

A widely cited exposure snapshot indicated tens of thousands of instances remained susceptible as of December 31, 2025, underscoring how quickly web infrastructure can become “soft targets” at scale.

The campaign reportedly evolved through phases: reconnaissance, daily mass probing, and hourly automated deployment at scale.

In observed December activity, actors attempted to deploy payloads, including crypto miners, a Mirai variant, and a loader/health-checker commonly referenced as “/nuts/bolts.”

CloudSEK’s analysis described a key behavior that makes this botnet “sticky”: “It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors.”
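
A defender-side sketch of how the periodic kill sweep quoted above could be spotted in process telemetry, added here as an example (it is not CloudSEK's or TechDogs' code). The record format, sample events, paths and thresholds are constructed assumptions; the only figure taken from the article is the roughly 45-second interval.

```python
from collections import defaultdict
from statistics import median

# Constructed sample, one record per line: "epoch_seconds killer_pid killer_exe target_pid signal".
# Simplified stand-in for kill(2) telemetry (e.g. derived from syscall auditing); not real malware output.
SAMPLE_EVENTS = """\
1000 4321 /tmp/sample_agent 801 9
1000 4321 /tmp/sample_agent 802 9
1001 4321 /tmp/sample_agent 803 9
1046 4321 /tmp/sample_agent 910 9
1046 4321 /tmp/sample_agent 911 9
1047 4321 /tmp/sample_agent 912 9
1091 4321 /tmp/sample_agent 1003 9
1091 4321 /tmp/sample_agent 1004 9
1092 4321 /tmp/sample_agent 1005 9
1010 1 /usr/lib/systemd/systemd 650 15
1300 1 /usr/lib/systemd/systemd 651 15
1020 2200 /usr/bin/bash 2201 9
"""

def parse(text):
    for line in text.splitlines():
        ts, kpid, exe, tpid, sig = line.split()
        yield int(ts), int(kpid), exe, int(tpid), int(sig)

def bursts(times, gap=5):
    """Collapse sorted timestamps into burst start times (events <= gap seconds apart)."""
    starts, last = [], None
    for t in times:
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts

def find_periodic_killers(text, period=45, tolerance=10, min_bursts=3, min_targets=5):
    """Flag processes that SIGKILL many distinct targets in bursts about `period` seconds apart."""
    by_killer = defaultdict(list)
    for ts, kpid, exe, tpid, sig in parse(text):
        if sig == 9:  # SIGKILL only; graceful SIGTERM shutdowns are ignored
            by_killer[(kpid, exe)].append((ts, tpid))
    hits = []
    for (kpid, exe), events in by_killer.items():
        starts = bursts(sorted(t for t, _ in events))
        targets = {tpid for _, tpid in events}
        if len(starts) < min_bursts or len(targets) < min_targets:
            continue  # too few sweeps or victims to call it a pattern
        interval = median(b - a for a, b in zip(starts, starts[1:]))
        if abs(interval - period) <= tolerance:
            hits.append({"pid": kpid, "exe": exe, "bursts": len(starts),
                         "targets": len(targets), "median_interval": interval})
    return hits
```

On the sample, only the process that kills nine distinct targets across three sweeps is reported; the single `bash` kill and the SIGTERM records are not.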

Security teams have been urged to patch React/Next.js quickly, harden internet-facing apps, and segment IoT devices, as botnet operators actively exploit unpatched fleets.

At the same time, the ripple effects of cybersecurity incidents extend beyond infrastructure risk, increasingly encompassing governance, disclosure, and investor accountability.
 

Why F5 Is Facing A Securities Class Action After A Cybersecurity Incident


A securities class action (Smith v. F5, Inc., et al.) seeks to represent investors who acquired F5 securities during a specified period following disclosures related to an alleged nation-state intrusion and concerns about the timing and impact of those disclosures.

The communications highlighted that F5 disclosed it learned of unauthorized access on August 9, 2025, and later reported details publicly on October 15, 2025, with subsequent commentary indicating potential business impact.

The investigation language focuses heavily on materiality and reporting expectations, including the SEC’s timing standard referenced in the notice.

Hagens Berman partner Reed Kathrein said, “We’re focused on when F5 determined that the August 2025 cybersecurity incident was material and whether the company timely informed investors consistent with the SEC’s 4 business day rule and which might have predated the October 15 disclosure.”

Beyond corporate disclosures and market reactions, even public institutions are being forced to publicly clarify the scope of breaches as cyber incidents spill beyond traditional enterprise boundaries.
   

ESA Confirms Some “External Servers” Were Involved In A Cybersecurity Incident


The European Space Agency confirmed a cybersecurity issue involving servers “located outside the ESA corporate network,” and said it initiated forensic analysis and protective measures.

In its public statement, ESA said: “ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network. We have initiated a forensic security analysis—currently in progress—and implemented measures to secure any potentially affected devices.”

ESA added that only a small number of external servers may have been impacted and that these supported unclassified collaborative engineering activities, with stakeholders informed.

Reporting around the incident also referenced claims by an actor alleging data theft, though verification of samples and scope remains an evolving part of the story.

Now, in a separate but equally troubling development, cybersecurity expertise itself emerged as part of the threat landscape, but this time from the inside.
 

Two Cybersecurity Professionals Plead Guilty To Using ALPHV BlackCat Ransomware


The U.S. Department of Justice announced that Ryan Goldberg (40) and Kevin Martin (36) were found guilty of ransomware attacks in 2023, including the extortion of $1.2M in Bitcoin from a medical device company and targeting others.

DOJ underscored the insider angle, with Assistant Attorney General A. Tysen Duva saying: “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop.”

The case also highlighted how ransomware-as-a-service ecosystems like ALPHV/BlackCat make it easier for affiliates to operationalize attacks at scale.

So, with all these developments in the cybersecurity space, do you think 2026 will force faster patching and tighter disclosure standards, or will attackers keep winning the time game across the internet’s most common stacks?

Let us know in the comments below!

First published on Fri, Jan 2, 2026
