React2Shell Exploitation Surges, Delivering Novel Malware and Crypto Miners
The critical security flaw in React Server Components (RSC), dubbed React2Shell, is experiencing widespread exploitation. Threat actors are actively leveraging this maximum-severity vulnerability to deploy cryptocurrency miners and a range of previously undocumented malware families, including a Linux backdoor named PeerBlight, a reverse proxy tunnel called CowTunnel, and a Go-based post-exploitation implant known as ZinFoq. These findings originate from recent analysis by cybersecurity firm Huntress.
Huntress reports observing attackers targeting numerous organizations through CVE-2025-55182, a critical RSC vulnerability that allows unauthenticated remote code execution. As of December 8, 2025, the activity spans a broad range of sectors, with a noticeable concentration in construction and entertainment. Huntress first recorded an exploitation attempt on December 4, 2025, against a Windows endpoint: an unknown threat actor exploited a vulnerable Next.js instance to drop a shell script, then ran commands to install a cryptocurrency miner and a Linux backdoor. Two further cases saw attackers run discovery commands and attempt to download various payloads from command-and-control (C2) servers. Some intrusions specifically targeted Linux hosts to deploy the XMRig cryptocurrency miner. Before launching attacks, the actors also used a publicly available GitHub tool to identify vulnerable Next.js instances.
Automated Exploitation and Diverse Malware Arsenal
Huntress researchers noted a consistent pattern across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure. This leads to the assessment that the threat actor is likely employing automated exploitation tooling. The attempts to deploy Linux-specific payloads on Windows endpoints further support this theory, suggesting the automation does not differentiate between target operating systems.
The payloads observed in these attacks include several distinct tools. A bash script named “sex.sh” is responsible for retrieving XMRig 6.24.0 directly from GitHub. PeerBlight, a Linux backdoor, exhibits code overlaps with the RotaJakiro and Pink malware families, which were identified in 2021. It establishes persistence by installing a systemd service and masquerades as a “ksoftirqd” daemon process to evade detection. CowTunnel functions as a reverse proxy, initiating outbound connections to attacker-controlled Fast Reverse Proxy (FRP) servers, thereby bypassing firewalls configured to monitor only inbound traffic. ZinFoq is a Linux ELF binary that serves as a post-exploitation framework, offering capabilities such as interactive shell access, file operations, network pivoting, and timestomping. Additionally, “d5.sh” is a dropper script designed to deploy the Sliver C2 framework, while “fn22.sh” is a variant of “d5.sh” that includes a self-update mechanism. “wocaosinm.sh,” a variant of the Kaiji DDoS malware, incorporates remote administration, persistence, and evasion features.
PeerBlight’s Sophisticated C2 Strategy
PeerBlight is capable of establishing communication with a hard-coded C2 server at “185.247.224[.]41:8443.” This allows it to perform various operations such as uploading/downloading/deleting files, spawning a reverse shell, modifying file permissions, executing arbitrary binaries, and updating itself. The backdoor also employs a domain generation algorithm (DGA) and the BitTorrent Distributed Hash Table (DHT) network as fallback C2 mechanisms. Upon joining the DHT network, PeerBlight registers itself with a node ID beginning with the hardcoded prefix “LOLlolLOL.” This 9-byte prefix acts as an identifier for the botnet, with the remaining 11 bytes of the 20-byte DHT node ID being randomized. When the backdoor receives DHT responses containing node lists, it scans for other nodes whose IDs start with “LOLlolLOL,” indicating either another infected machine or an attacker-controlled node that can provide C2 configuration. Huntress identified over 60 unique nodes with this prefix. Several conditions must be met for an infected bot to share its C2 configuration with another node, including a valid client version, configuration availability on the responding bot’s side, and the correct transaction ID. Even when these conditions are met, bots only share configuration approximately one-third of the time, based on a random check, potentially to reduce network noise and avoid detection.
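The node-ID scheme described above is something a hunter can search for directly: BitTorrent DHT responses carry peers in "compact node info" form (20-byte ID, 4-byte IPv4, 2-byte port), so a 9-byte prefix check over each ID separates prefixed nodes from ordinary peers. The following script is an added example, not code from Huntress or from the malware: it builds a prefixed node ID the way the page describes, decodes a compact node list, and flags every entry whose ID starts with "LOLlolLOL". The sample response payload and the IP addresses in it are constructed for the demonstration. Obtaining real responses (sending find_node queries to bootstrap nodes, bencode parsing) is outside its scope.

```python
import os
import socket
import struct

# 9-byte node-ID prefix Huntress reports PeerBlight using as its botnet marker.
BOTNET_PREFIX = b"LOLlolLOL"
NODE_ID_LEN = 20          # BEP 5 / Kademlia node IDs are 160 bits
COMPACT_NODE_LEN = 26     # 20-byte ID + 4-byte IPv4 + 2-byte big-endian port


def make_bot_node_id(tail=None, prefix=BOTNET_PREFIX):
    """Build a 20-byte node ID as the page describes: fixed prefix, random remainder.
    `tail` pins the random part; it is used here only to make the sample reproducible."""
    rand_len = NODE_ID_LEN - len(prefix)
    tail = os.urandom(rand_len) if tail is None else tail
    assert len(tail) == rand_len
    return prefix + tail


def pack_compact_node(node_id, ip, port):
    """Encode one entry in BEP 5 compact node info form."""
    assert len(node_id) == NODE_ID_LEN
    return node_id + socket.inet_aton(ip) + struct.pack(">H", port)


def parse_compact_nodes(blob):
    """Decode the 'nodes' value of a find_node/get_peers response into (id, ip, port) tuples.
    A trailing partial record (truncated capture) is ignored rather than raising."""
    nodes = []
    for off in range(0, len(blob) - len(blob) % COMPACT_NODE_LEN, COMPACT_NODE_LEN):
        chunk = blob[off:off + COMPACT_NODE_LEN]
        node_id = chunk[:NODE_ID_LEN]
        ip = socket.inet_ntoa(chunk[NODE_ID_LEN:NODE_ID_LEN + 4])
        (port,) = struct.unpack(">H", chunk[NODE_ID_LEN + 4:])
        nodes.append((node_id, ip, port))
    return nodes


def find_botnet_nodes(blob, prefix=BOTNET_PREFIX):
    """Return (ip, port, hex_id) for every node whose ID carries the botnet prefix.
    The comparison is byte-exact and case-sensitive, as a prefix check in the bot would be."""
    return [(ip, port, node_id.hex())
            for node_id, ip, port in parse_compact_nodes(blob)
            if node_id.startswith(prefix)]


def sample_node_list():
    """Constructed find_node response payload for the demonstration; not data from Huntress."""
    return b"".join([
        pack_compact_node(bytes(range(NODE_ID_LEN)), "10.0.0.1", 6881),            # ordinary peer
        pack_compact_node(make_bot_node_id(b"\x11" * 11), "203.0.113.5", 8443),    # prefixed: bot or C2 node
        pack_compact_node(b"lolLOLlol" + b"\x00" * 11, "10.0.0.2", 6881),         # case-differing near miss
        pack_compact_node(make_bot_node_id(b"\xff" * 11), "198.51.100.9", 51413),  # second prefixed node
    ])


if __name__ == "__main__":
    for ip, port, hex_id in find_botnet_nodes(sample_node_list()):
        print(f"botnet-prefixed node {hex_id} at {ip}:{port}")
```

Two prefixed nodes out of four are reported; the near miss with different letter case is not, which matters because a case-insensitive grep over hex dumps would over-match. Note that a hit marks a node as either an infected host or an attacker-controlled configuration node; the page gives no way to tell the two apart from the ID alone.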
ZinFoq’s Evasive Tactics
Similarly, ZinFoq beacons out to its C2 server and is equipped to parse incoming instructions. It can execute commands using “/bin/bash,” enumerate directories, read or delete files, download additional payloads from specified URLs, exfiltrate files and system information, start/stop SOCKS5 proxy services, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo-terminal (PTY) shell connection. ZinFoq also actively clears bash history and disguises its presence by impersonating one of 44 legitimate Linux system services, such as “/sbin/audispd,” “/usr/libexec/colord,” or “/usr/sbin/cron -f.”
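Both implants on this page hide behind process names: PeerBlight as the "ksoftirqd" kernel thread, ZinFoq as one of 44 real services such as "/usr/sbin/cron -f". The name a process shows in ps comes from argv[0] and /proc/<pid>/comm, both of which the process controls, while /proc/<pid>/exe is maintained by the kernel and a genuine kernel thread has neither an exe link nor a command line. The script below is an added example (not Huntress tooling) that turns those facts into a host check: a pure classification function over one process's comm, argv and exe, plus a /proc walker that feeds it. The process records in the test are constructed; the indicator rules are the author's own and should be tuned per fleet.

```python
import os
import re

# Kernel threads (ksoftirqd/N, kworker/..., migration/N, rcu_*, kswapd) never have a
# readable /proc/<pid>/exe link and always have an empty /proc/<pid>/cmdline. A process
# wearing such a name but carrying argv or an exe runs in user space and is lying.
KTHREAD_NAME = re.compile(r"^(ksoftirqd|kworker|migration|rcu_\w+|kswapd)(/.*)?$")
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def classify_process(comm, argv, exe):
    """Return a list of indicator strings for one process (empty list = nothing odd).

    comm : contents of /proc/<pid>/comm
    argv : /proc/<pid>/cmdline split on NUL, with argv[0] already symlink-resolved
    exe  : target of /proc/<pid>/exe, or None when the link is absent or unreadable
    """
    indicators = []
    if KTHREAD_NAME.match(comm) and (argv or exe):
        indicators.append("kernel-thread name on a user-space process")
    if exe and exe.endswith(" (deleted)"):
        indicators.append("binary deleted while running")
    elif exe and exe.startswith(SUSPECT_DIRS):
        indicators.append("exe lives in a world-writable directory")
    # argv[0] such as "/usr/sbin/cron" is attacker-controlled; the kernel-maintained exe
    # link is not, so an absolute argv[0] that differs from exe is the strongest signal.
    if (argv and argv[0].startswith("/") and exe
            and not exe.endswith(" (deleted)") and argv[0] != exe):
        indicators.append(f"argv[0] {argv[0]} does not match exe {exe}")
    return indicators


def scan_proc(proc="/proc"):
    """Walk /proc and return {pid: (comm, exe, indicators)} for flagged processes.
    Run as root: other users' /proc/<pid>/exe links are unreadable otherwise, which
    silently disables the argv-vs-exe comparison for those processes."""
    findings = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread, zombie, or insufficient privilege
        if argv and argv[0].startswith("/"):
            argv[0] = os.path.realpath(argv[0])  # compare link targets, not symlink names
        indicators = classify_process(comm, argv, exe)
        if indicators:
            findings[int(pid)] = (comm, exe, indicators)
    return findings


if __name__ == "__main__":
    for pid, (comm, exe, indicators) in sorted(scan_proc().items()):
        print(f"pid {pid} comm={comm!r} exe={exe!r}: {'; '.join(indicators)}")
```

Expect a few benign hits on a long-running box: a daemon whose package was upgraded after it started shows "(deleted)", and some init systems re-exec with an argv[0] of their choosing. Those are worth knowing about anyway; the high-confidence cases are a "ksoftirqd" that has an exe link at all, and a service name whose exe resolves into /tmp, /dev/shm or /var/tmp.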
Organizations utilizing react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are strongly advised to update their systems immediately due to the “potential ease of exploitation and the severity of the vulnerability,” according to Huntress. This advisory comes as the Shadowserver Foundation reported detecting over 165,000 IP addresses and 644,000 domains with vulnerable code as of December 8, 2025, following “scan targeting improvements.” The United States accounts for over 99,200 of these vulnerable instances, followed by Germany with 14,100, France with 6,400, and India with 4,500.
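Before patching, an organization has to know where those three packages are installed, and they usually arrive transitively (bundled under a framework such as Next.js) rather than as a direct dependency, so grepping package.json misses them. The following inventory script is an added example, not tooling from Huntress or the React project: it reads npm lockfiles in both layouts (lockfileVersion 2/3 "packages" map, and the nested lockfileVersion 1 "dependencies" tree) and reports every install path and version of the named packages. The lockfile contents and the version strings used in the test are constructed; compare the versions the script reports against the upstream advisory for CVE-2025-55182, which this page does not reproduce. Yarn and pnpm lockfiles are not handled.

```python
import json
import os

# The three RSC transport packages Huntress names in the advisory.
RSC_PACKAGES = frozenset({
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
})


def find_rsc_packages(lock):
    """Map (package, version) -> [install paths] for one parsed package-lock.json.

    lockfileVersion 2/3 lists every installed copy in a flat "packages" map keyed by
    path; lockfileVersion 1 nests transitive copies under "dependencies", so a copy
    bundled by a framework lives several levels down and needs a recursive walk."""
    found = {}

    def record(name, meta, path):
        if name in RSC_PACKAGES:
            found.setdefault((name, meta.get("version", "?")), []).append(path)

    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # "node_modules/next/node_modules/react-server-dom-webpack" -> last component
            record(path.rsplit("node_modules/", 1)[-1], meta, path)
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                record(name, meta, path)
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return found


def scan_tree(root):
    """Find every package-lock.json under root (not descending into node_modules)
    and return {lockfile path: find_rsc_packages(...)} for lockfiles with hits."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package-lock.json")
        try:
            with open(path) as f:
                lock = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed lockfile; worth a manual look
        hits = find_rsc_packages(lock)
        if hits:
            report[path] = hits
    return report


# Constructed lockfiles for the demonstration; "0.0.0-example" is a placeholder version.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/next": {"version": "0.0.0-example"},
        "node_modules/next/node_modules/react-server-dom-webpack": {"version": "0.0.0-example"},
        "node_modules/react-server-dom-turbopack": {"version": "0.0.0-example"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "next": {
            "version": "0.0.0-example",
            "dependencies": {"react-server-dom-webpack": {"version": "0.0.0-example"}},
        }
    },
}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for lockfile, hits in scan_tree(root).items():
        for (name, version), paths in sorted(hits.items()):
            print(f"{lockfile}: {name}@{version} at {', '.join(paths)}")
```

Run it against a source checkout or a deploy directory (`python3 rsc_inventory.py /srv/apps`). A copy nested under node_modules/next is the case to watch: updating the application's direct dependencies does nothing for it until the framework release that bundles a fixed copy is installed.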
The ongoing exploitation of React2Shell highlights the persistent risk posed by critical vulnerabilities in modern web frameworks. The pairing of automated exploitation with a diverse, sophisticated malware set underscores the need for immediate patching and robust security monitoring. Organizations across all sectors should prioritize mitigating CVE-2025-55182 to prevent further compromise. Shadowserver's higher counts followed improvements to its scan targeting, so they reflect better visibility into an existing exposure rather than newly deployed vulnerable code; the exposed footprint is therefore larger than earlier figures suggested, and continued scanning and remediation will be crucial in the coming months.

