React2Shell Exploitation Unleashes Crypto Miners and Novel Malware Across Diverse Sectors
The React2Shell vulnerability, identified as CVE-2025-55182, has become a focal point for cyber attackers, enabling unauthenticated remote code execution in React Server Components (RSC). This critical flaw has been actively exploited to deploy cryptocurrency miners and a variety of previously undocumented malware strains across multiple industries.
Emergence of New Malware Families
Recent analyses have uncovered the deployment of several new malware families through the exploitation of React2Shell:
– PeerBlight: A Linux backdoor exhibiting code similarities with earlier malware such as RotaJakiro and Pink. PeerBlight ensures persistence by installing a systemd service and disguises itself as the ksoftirqd daemon process to evade detection.
– CowTunnel: This reverse proxy tool establishes outbound connections to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively circumventing firewalls configured to monitor only inbound traffic.
– ZinFoq: A Go-based post-exploitation implant offering functionalities like interactive shell access, file operations, network pivoting, and timestomping.
Targeted Industries and Attack Patterns
As of December 8, 2025, attackers have been focusing on various sectors, notably the construction and entertainment industries. The initial recorded exploitation on a Windows endpoint occurred on December 4, 2025, where a vulnerable Next.js instance was compromised to deploy a shell script, followed by commands to install a cryptocurrency miner and the PeerBlight backdoor.
In other instances, attackers executed discovery commands and attempted to download multiple payloads from command-and-control (C2) servers. Notably, some intrusions targeted Linux hosts to deploy the XMRig cryptocurrency miner. Attackers also utilized publicly available GitHub tools to identify vulnerable Next.js instances before initiating attacks.
Automated Exploitation Techniques
The consistent attack patterns across multiple endpoints suggest the use of automated exploitation tools. Indicators include identical vulnerability probes, shell code tests, and C2 infrastructure. The deployment of Linux-specific payloads on Windows systems further implies that the automation does not differentiate between target operating systems.
Detailed Analysis of Deployed Payloads
The following payloads have been identified in these attacks:
– sex.sh: A bash script that downloads XMRig 6.24.0 directly from GitHub.
– PeerBlight: A Linux backdoor with code overlaps with RotaJakiro and Pink malware families. It installs a systemd service for persistence and masquerades as the ksoftirqd daemon process to evade detection.
– CowTunnel: A reverse proxy that initiates outbound connections to attacker-controlled FRP servers, bypassing firewalls monitoring only inbound connections.
– ZinFoq: A Go-based post-exploitation implant with capabilities including interactive shell access, file operations, network pivoting, and timestomping.
– d5.sh: A dropper script responsible for deploying the Sliver C2 framework.
– fn22.sh: A variant of d5.sh with an added self-update mechanism to fetch and restart new versions of the malware.
– wocaosinm.sh: A variant of the Kaiji DDoS malware, incorporating remote administration, persistence, and evasion capabilities.
PeerBlight’s Advanced Capabilities
PeerBlight communicates with a hard-coded C2 server (185.247.224[.]41:8443) and supports functionalities such as uploading/downloading/deleting files, spawning a reverse shell, modifying file permissions, executing arbitrary binaries, and self-updating. It employs a domain generation algorithm (DGA) and utilizes the BitTorrent Distributed Hash Table (DHT) network as fallback C2 mechanisms.
Upon joining the DHT network, PeerBlight registers itself with a node ID beginning with the hardcoded prefix LOLlolLOL, serving as an identifier for infected hosts.
Recommendations for Mitigation
Given the active exploitation of the React2Shell vulnerability, it is imperative for organizations to:
– Apply Patches Promptly: Ensure that all systems running React Server Components are updated to the latest versions that address CVE-2025-55182.
– Monitor Network Traffic: Implement monitoring solutions to detect unusual outbound connections, which may indicate the presence of reverse proxies like CowTunnel.
– Conduct Regular Security Audits: Perform comprehensive security assessments to identify and remediate potential vulnerabilities within the infrastructure.
– Educate Employees: Provide training on recognizing phishing attempts and other social engineering tactics that could lead to initial compromise.
By adopting these measures, organizations can enhance their resilience against the exploitation of critical vulnerabilities like React2Shell and mitigate the risks associated with advanced malware deployments.
