December 2025, the RondoDox botnet operators have been targeting Next.js servers impacted by the React2Shell vulnerability.