RondoDox Is Eating Your React Apps for Breakfast
- Patrick Duggan
- Jan 14
- 3 min read
The Short Version
If you're running React 19 with Server Components, Next.js, React Router, RedwoodSDK, or Waku - stop reading and patch. Now.
CVE-2025-55182 (React2Shell) is a perfect 10.0 CVSS unauthenticated remote code execution vulnerability. The RondoDox botnet has been exploiting it since December 8, 2025. North Korean and Chinese APT groups are also in the game.
90,300 vulnerable instances remain exposed. 68,400 of them are in the United States.
What Is React2Shell?
React2Shell (CVE-2025-55182) is an RCE vulnerability in React Server Components. Disclosed December 3, 2025, it allows unauthenticated attackers to send specially crafted HTTP requests to Server Function endpoints and achieve code execution.
The root cause: React deserializes data from HTTP requests without proper safety checks. Classic.
Affected versions and frameworks:
- React 19.0.0
- React 19.1.0
- React 19.1.1
- React 19.2.0
- Next.js
- React Router
- RedwoodSDK
- Waku
If you're on React 18 or earlier, you're not affected. If you jumped to React 19 for the shiny new features - time to update again.
Enter RondoDox
RondoDox is a botnet that's been quietly building capability since March 2025. CloudSEK documented three distinct operational phases:
| Phase | Timeline | Activity |
|---|---|---|
| 1 | March-April 2025 | Reconnaissance, manual scanning |
| 2 | April-June 2025 | Daily mass vulnerability probing |
| 3 | July-December 2025 | Hourly automated deployment at scale |
Five days after React2Shell was disclosed, RondoDox started scanning. Three days after that, they were deploying payloads.
That's an 8-day window from disclosure to active exploitation at scale. If your patch cycle is "monthly," you're already owned.
The Payloads
RondoDox drops three things on compromised systems:
| Payload Path | Function |
|---|---|
| /nuts/x86 | Mirai variant (DDoS botnet) |
| /nuts/poop | Cryptominer |
| /nuts/bolts | Bot loader + persistence |
The /nuts/bolts payload is particularly nasty - it kills competing malware, establishes persistence via /etc/crontab, and phones home to report the new recruit.
You're not just compromised. You're recruited.
It's Not Just Script Kiddies
Here's where it gets interesting.
Per The Hacker News, North Korean and China-nexus APT groups have also been exploiting React2Shell for targeted intrusions. This isn't just financially motivated botnet operators - state actors want this vulnerability.
When DPRK threat actors and Chinese APTs are exploiting the same CVE as commodity botnets, you know you're looking at something significant. The vulnerability is too good to ignore regardless of your threat model.
Vulnerable Targets
RondoDox isn't picky. They're scanning and exploiting:
- WordPress
- Drupal
- Struts2
- Next.js (obviously)
- Wavlink routers
- TP-Link
- Netgear
- DLink
- Asus routers
- IP cameras
The IoT angle is significant. React2Shell affects server-side rendering, but many IoT device admin panels are built on web frameworks that may be vulnerable. And IoT devices don't get patched.
The Numbers
As of December 31, 2025, Shadowserver Foundation reported:
| Country | Vulnerable Instances |
|---|---|
| United States | 68,400 |
| Germany | 4,300 |
| France | 2,800 |
| India | 1,500 |
| Total | ~90,300 |
That's 90,000 sitting ducks. The US has 75% of them.
IOCs
- CVE-2025-55182 (React2Shell) - CVSS 10.0
- CVE-2023-1389 (N-day)
- CVE-2025-24893 (XWiki)
- Payload paths:
  - /nuts/x86 (Mirai variant)
  - /nuts/poop (Cryptominer)
  - /nuts/bolts (Bot loader)
- /etc/crontab modification
- Mimics gaming platform / VPN traffic to evade detection
- Kills competing malware on infection
- Health check beacon to C2
What To Do
- Patch React Server Components to latest version
- Patch Next.js to latest version
- Check for indicators of compromise (crontab, /nuts/ paths)
- Review web server logs for exploitation attempts
- Deploy WAF rules blocking React2Shell exploitation patterns
- Segment IoT devices into dedicated VLANs
- Monitor for lateral movement from IoT to production
- If your patch cycle is "monthly" for public-facing web apps, fix that
- 8 days from disclosure to mass exploitation is the new normal
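A small triage helper for the two host checks above (the /nuts/ payload paths and /etc/crontab persistence), added here as an example; it is not the author's tooling, and the proxy-log and crontab lines it scans are constructed samples, not real captures.

```python
"""Triage for the RondoDox indicators named in the write-up: references to
the /nuts/x86, /nuts/poop and /nuts/bolts payload paths anywhere in a text
source, plus a listing of /etc/crontab jobs for manual review."""
import re
from dataclasses import dataclass

# The three payload paths attributed to RondoDox. \b keeps "/nuts/x86x"
# from matching while still catching "/nuts/x86.bin" or a trailing quote.
PAYLOAD_RE = re.compile(r"/nuts/(?:x86|poop|bolts)\b")


@dataclass(frozen=True)
class Finding:
    source: str      # file the line came from
    line_no: int
    indicator: str   # matched payload path
    line: str


def scan_lines(source, lines):
    """Return a Finding for every line that references a payload path."""
    out = []
    for n, line in enumerate(lines, start=1):
        m = PAYLOAD_RE.search(line)
        if m:
            out.append(Finding(source, n, m.group(0), line.rstrip("\n")))
    return out


def crontab_jobs(lines):
    """Jobs in a system crontab (comments and VAR=value lines dropped):
    the persistence entry may not name a known path, so show them all."""
    jobs = [s for s in (l.strip() for l in lines)
            if s and not s.startswith("#") and not re.match(r"[A-Za-z_]\w*=", s)]
    return jobs


# Constructed sample input: an outbound-proxy log and a crontab with one
# injected job pointing at a dropped copy of the bot loader.
SAMPLE_PROXY_LOG = [
    "10.0.0.21 GET http://198.51.100.9/nuts/bolts 200",
    "10.0.0.21 GET https://registry.npmjs.org/react 200",
]
SAMPLE_CRONTAB = [
    "# /etc/crontab: system-wide crontab",
    "SHELL=/bin/sh",
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "* * * * * root /var/tmp/.cache/nuts/bolts >/dev/null 2>&1",
]


def triage(proxy_log=SAMPLE_PROXY_LOG, crontab=SAMPLE_CRONTAB):
    """Findings from both sources, plus every crontab job for eyeballing."""
    findings = scan_lines("proxy.log", proxy_log) + scan_lines("/etc/crontab", crontab)
    return findings, crontab_jobs(crontab)


if __name__ == "__main__":
    findings, jobs = triage()
    for f in findings:
        print(f"{f.source}:{f.line_no}: {f.indicator} in: {f.line}")
    print("crontab jobs to review:", *jobs, sep="\n  ")
```

A hit is a triage lead, not proof of compromise; the crontab listing is there because the persistence job need not reference a known path.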
The Lesson
React 19 shipped in December 2024. React2Shell was disclosed December 2025. For a year, anyone running React 19 Server Components was sitting on a CVSS 10.0 time bomb.
The vulnerability existed because React deserializes untrusted input without validation. This is a known anti-pattern. It's in every secure coding guide. And it shipped in a framework used by millions of applications.
When commodity botnets and nation-state APTs are racing to exploit the same vulnerability, the window for "we'll patch it next sprint" has closed. You're either patched or you're compromised.
RondoDox doesn't care about your sprint planning.
The author runs DugganUSA's threat intelligence platform and has reported 102,171 malicious IPs to AbuseIPDB. He patches on disclosure day and recommends you do the same.