React2Shell Wave Drops Miners and Novel Linux Malware
Threat actors are aggressively exploiting React2Shell, a maximum-severity flaw in React Server Components (CVE-2025-55182), to deliver cryptominers and several newly observed malware families across multiple sectors. Huntress reports broad, automated campaigns hitting organizations since early December 2025, with construction and entertainment among the most targeted.
How the intrusions unfold
- Attackers scan for vulnerable Next.js and React Server Components, often using public GitHub tooling.
- Initial access commonly involves dropping shell scripts, then fetching additional payloads from command-and-control (C2) infrastructure.
- Campaigns show automation: identical probes and tooling are used across endpoints, including attempts to deploy Linux payloads on Windows systems.
Notable payloads spotted
- sex.sh: Fetches XMRig 6.24.0 directly from GitHub.
- PeerBlight: Linux backdoor with overlaps with RotaJakiro and Pink (2021). Persists via systemd, masquerades as ksoftirqd, and supports file operations, reverse shell, arbitrary execution, and self-update.
- CowTunnel: Reverse proxy using Fast Reverse Proxy (FRP) servers to bypass inbound-only firewalls.
- ZinFoq: Go-based Linux post-exploitation implant with interactive shell, file and directory operations, network pivoting, timestomping, SOCKS5 proxy, TCP port forwarding, and reverse PTY shell.
- d5.sh: Dropper for the Sliver C2 framework.
- fn22.sh: d5.sh variant with a self-update routine.
- wocaosinm.sh: Kaiji DDoS malware variant with remote admin, persistence, and evasion features.
PeerBlight’s resilient C2
- Primary C2: 185.247.224[.]41:8443. Also uses a domain generation algorithm and the BitTorrent DHT as fallback channels.
- DHT beaconing uses a node ID prefix LOLlolLOL (9 bytes), with the remaining 11 bytes randomized; over 60 nodes with this prefix were observed.
- Infected bots share C2 configuration only under strict conditions (valid version, available config, correct transaction ID) and only about one-third of the time to reduce noise.
ZinFoq’s stealth and reach
- Beacons to its C2 and executes commands via /bin/bash, enumerates directories, exfiltrates files and system data, and can download additional payloads.
- Clears bash history and disguises itself as one of 44 legitimate Linux services (e.g., /sbin/audispd, /usr/sbin/ModemManager, /usr/libexec/colord, /usr/sbin/cron -f).
Scale of exposure
- Shadowserver detected 165,000+ IPs and 644,000 domains running vulnerable code as of December 8, 2025. Top affected regions: U.S. (~99,200 instances), Germany (~14,100), France (~6,400), and India (~4,500).
Campaign expansion (December 10, 2025 update)
- Palo Alto Networks Unit 42 observed likely overlap with the Contagious Interview campaign delivering EtherRAT, plus activity tied to BPFDoor and Auto-Color.
- More than 50 organizations across finance, business services, higher ed, high-tech, government, consulting, media, legal, telecom, and retail were impacted, spanning the U.S., Asia, South America, and the Middle East.
Industry view: patch now
- Wiz reports more than 15 distinct clusters, from opportunistic cryptomining to sophisticated backdoors and post-exploitation toolsets.
- Rapid7 notes attackers include low-skill actors (e.g., Mirai, miners) and nation-states, with signs of tooling overlap with ransomware groups.
- VulnCheck warns the exploitation will likely have a long tail; defenders should consider PoC variants and payload mutations in detections.
What organizations should do
- Immediately update react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
- Hunt for indicators: XMRig downloads, FRP-based outbound tunnels, Sliver C2 activity, suspicious systemd services (e.g., ksoftirqd imposters), and DHT traffic patterns using the LOLlolLOL prefix.
- Strengthen monitoring for automated exploitation patterns, cross-OS payload drops, and stealthy Linux services.
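The DHT hunting tip above and the node ID layout described under PeerBlight's C2 (9-byte prefix LOLlolLOL, 11 random bytes) can be turned into a simple detector. The following is an added example, not code from the article, Huntress, or any vendor: it decodes a KRPC (BitTorrent DHT) packet and reports every node ID that carries the prefix, whether it is the sender's own ID or an entry in a compact "nodes" list. All packets in the test are constructed samples.

```python
# Added example (not from the article): flag BitTorrent DHT KRPC messages whose
# 20-byte node IDs start with the PeerBlight prefix reported by Huntress.
PREFIX = b"LOLlolLOL"  # 9 fixed bytes; the remaining 11 bytes are randomized


def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, index just past the value)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        i, out = i + 1, []
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        i, out = i + 1, {}
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            out[k] = v
        return out, i + 1
    colon = data.index(b":", i)                     # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n


def node_ids(msg):
    """Yield every node ID in a KRPC query ('a') or response ('r') body."""
    body = msg.get(b"a") or msg.get(b"r") or {}
    if not isinstance(body, dict):
        return
    if isinstance(body.get(b"id"), bytes):
        yield body[b"id"]                           # sender's own node ID
    nodes = body.get(b"nodes", b"")                 # compact list: 20-byte ID + 4-byte IP + 2-byte port
    for off in range(0, len(nodes) - len(nodes) % 26, 26):
        yield nodes[off:off + 20]


def suspicious_ids(packet):
    """Return node IDs in a raw KRPC packet that match the PeerBlight prefix."""
    msg, _ = bdecode(packet)
    return [nid for nid in node_ids(msg) if len(nid) == 20 and nid.startswith(PREFIX)]


def ping_query(node_id):
    """Constructed DHT ping query carrying the given 20-byte sender ID (for testing)."""
    return b"d1:ad2:id20:" + node_id + b"e1:q4:ping1:t2:aa1:y1:qe"
```

Feeding captured UDP payloads from port-monitoring or packet-capture tooling into suspicious_ids() gives a per-packet alert; an ID match in the "nodes" list also tells you which peers a host is being pointed at.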
Source: The Hacker News