React2Shell Exploitation Spreads Crypto Miners and New Malware Across Multiple Sectors

Security researchers are reporting sustained and widespread abuse of the React2Shell vulnerability, with attackers exploiting a maximum-severity flaw in React Server Components to deploy cryptocurrency miners and several previously undocumented malware strains.

According to new findings released by Huntress, threat actors are actively leveraging CVE-2025-55182, a critical unauthenticated remote code execution vulnerability in React Server Components. The activity has been observed across multiple sectors, with construction and entertainment organizations emerging as primary targets as of December 8, 2025.

The malicious campaigns involve the delivery of multiple payloads, including a Linux backdoor known as PeerBlight, a reverse-proxy tunneling tool called CowTunnel, and a Go-based post-exploitation implant tracked as ZinFoq. In addition, attackers are deploying cryptocurrency miners, most notably XMRig, to monetize compromised systems.

Huntress confirmed that the first known Windows-based exploitation attempt occurred on December 4, 2025. In that incident, an unidentified threat actor abused a vulnerable Next.js instance to execute a shell script, which was then used to install a crypto miner and a Linux backdoor. In other intrusions, attackers ran reconnaissance commands and attempted to retrieve additional payloads from remote command-and-control infrastructure. Some attacks specifically targeted Linux hosts and made use of publicly available GitHub tooling to identify exposed Next.js environments before exploitation.

“Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and shared command and control infrastructure, we assess that the activity is largely automated,” Huntress researchers stated. The automation was further evidenced by Linux-specific payloads being deployed on Windows systems, indicating a lack of operating-system awareness in the attack tooling.


Among the payloads identified in these campaigns are the following scripts and malware families:

- sex.sh: a script that retrieves XMRig version 6.24.0 directly from GitHub.
- PeerBlight: a Linux backdoor that shares partial code similarities with the RotaJakiro and Pink malware families first documented in 2021. It establishes persistence via a systemd service and disguises itself as a ksoftirqd kernel thread to evade detection.
- CowTunnel: a reverse proxy that creates outbound connections to attacker-controlled Fast Reverse Proxy (FRP) servers, allowing it to bypass firewall rules that primarily inspect inbound traffic.
- ZinFoq: a Linux ELF binary that provides attackers with interactive shell access, file management, network pivoting, and timestomping features.
- d5.sh and fn22.sh: scripts used to deploy and update the Sliver command-and-control framework.
- wocaosinm.sh: a modified Kaiji DDoS malware variant with enhanced persistence and evasion capabilities.

PeerBlight communicates with a hard-coded command-and-control server and supports extensive functionality, including file transfer, reverse shell creation, permission changes, binary execution, and self-updates. It also employs a domain generation algorithm and the BitTorrent Distributed Hash Table (DHT) network as fallback command-and-control channels. Huntress identified more than 60 unique nodes using a distinctive LOLlolLOL prefix within the DHT network, which serves as an identifier for infected hosts and attacker-controlled nodes.

ZinFoq exhibits similar command-and-control behavior, enabling attackers to execute bash commands, enumerate directories, manipulate files, exfiltrate data, manage SOCKS5 proxies, configure TCP port forwarding, and establish reverse pseudo-terminal shells. The implant clears bash history and masquerades as legitimate Linux services such as audispd, ModemManager, colord, or cron to conceal its presence.
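The disguises described for PeerBlight (a ksoftirqd lookalike with a systemd persistence unit) and ZinFoq (audispd, ModemManager, colord, cron) share a weakness a defender can hunt on: genuine kernel threads are children of kthreadd (PID 2) with no executable and an empty command line, and genuine daemons run from package-managed paths. The hunt below is an added example written for this article, not Huntress tooling; the heuristics, the trusted-path list, the regular expressions and the sample process and unit records are the editor's own assumptions and need tuning to your distribution. Run it as root on a live host so /proc/<pid>/exe is readable for every process.

```python
# Added example (not Huntress tooling): hunt for user-space processes that
# present themselves as kernel threads or common daemons, and for systemd
# units whose binaries live outside system paths. Sample records below are
# constructed for illustration.
import os
import re

# Kernel-thread names. Real ones: parent pid 2 (kthreadd), no exe, empty cmdline.
KTHREAD_RE = re.compile(
    r"^(ksoftirqd|kworker|kthreadd|migration|rcu_\w+|kswapd\d*|watchdog|kcompactd\d*)(/\S*)?$")
# Daemons ZinFoq is reported to imitate (comm is limited to 15 characters).
DAEMON_NAMES = {"audispd", "ModemManager", "colord", "cron", "crond"}
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")   # assumption: tune per distro
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost)=\s*[-@+!:]*(\S+)", re.M)


def claimed_names(proc):
    """Names a process advertises: comm (set via PR_SET_NAME) and argv[0]."""
    names = {proc["comm"]}
    if proc["cmdline"]:
        names.add(os.path.basename(proc["cmdline"].split()[0]))
    return names


def classify(proc):
    """Return the reasons a record looks like a masquerade (empty list = clean).
    proc: dict with keys pid, ppid, comm, exe, cmdline; exe is "" when unknown."""
    reasons = []
    exe, cmdline, ppid = proc["exe"], proc["cmdline"], proc["ppid"]
    names = claimed_names(proc)
    if any(KTHREAD_RE.match(n) for n in names) and (exe or cmdline or ppid not in (0, 2)):
        reasons.append("kernel-thread name on a user-space process")
    if names & DAEMON_NAMES and exe:
        if not exe.startswith(TRUSTED_PREFIXES) or exe.endswith(" (deleted)"):
            reasons.append("daemon name but binary outside system paths")
        elif os.path.basename(exe) not in names:
            reasons.append("daemon name does not match executable name")
    if exe.startswith(SCRATCH_PREFIXES) or exe.endswith(" (deleted)"):
        reasons.append("executable in scratch/home directory or unlinked from disk")
    return reasons


def hunt(procs):
    """Map pid -> reasons for every suspicious process record."""
    return {p["pid"]: r for p in procs if (r := classify(p))}


def suspicious_units(units):
    """units: {unit_name: file_text}. Flag services whose Exec* binaries sit
    outside system paths, the footprint a backdoor's persistence unit leaves."""
    bad = {}
    for name, text in units.items():
        paths = [p for p in EXEC_RE.findall(text) if not p.startswith(TRUSTED_PREFIXES)]
        if paths:
            bad[name] = paths
    return bad


def collect_from_proc():
    """Read live process records from /proc (Linux only; run as root)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:          # kernel thread, or no permission
                exe = ""
            procs.append({"pid": int(pid), "ppid": int(fields["PPid"]),
                          "comm": fields["Name"].strip(), "exe": exe, "cmdline": cmdline})
        except (OSError, KeyError, ValueError):
            continue
    return procs


# Constructed sample records (not real telemetry).
SAMPLE_PROCS = [
    {"pid": 12, "ppid": 2, "comm": "ksoftirqd/0", "exe": "", "cmdline": ""},
    {"pid": 900, "ppid": 1, "comm": "cron", "exe": "/usr/sbin/cron", "cmdline": "/usr/sbin/cron -f"},
    {"pid": 4242, "ppid": 1, "comm": "ksoftirqd", "exe": "/dev/shm/.x/ksoftirqd", "cmdline": "ksoftirqd"},
    {"pid": 5150, "ppid": 1, "comm": "colord", "exe": "/tmp/.ICE-unix/sys (deleted)", "cmdline": "colord"},
    {"pid": 6000, "ppid": 1, "comm": "sh", "exe": "/home/www/.cache/mm", "cmdline": "ModemManager --no-daemon"},
]
SAMPLE_UNITS = {
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "ksoftirqd.service": "[Service]\nExecStart=/var/lib/.ksoftirqd/ksoftirqd\nRestart=always\n",
}

if __name__ == "__main__":
    procs = collect_from_proc() if os.path.isdir("/proc/self") else SAMPLE_PROCS
    for pid, reasons in hunt(procs).items():
        print(pid, "; ".join(reasons))
    print(suspicious_units(SAMPLE_UNITS))
```

Expect false positives from legitimately user-installed software under /home or /tmp; the value is in the first two checks, since nothing legitimate carries a kernel-thread name with an executable, and a daemon name whose binary is unlinked or lives in /dev/shm is worth a look every time.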

Organizations using react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack, including through frameworks such as Next.js that build on them, are strongly advised to apply security updates immediately due to the ease of exploitation and the severity of the flaw.
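Before patching you need to know where the affected packages are installed, and a lockfile grep is not enough: Next.js bundles its own copies of the react-server-dom-* packages under next/dist/compiled, so a vulnerable Next.js application may show no react-server-dom-* entry at all, and nested copies can sit several node_modules levels deep. The inventory script below is an added example written for this article, not React's or Vercel's own tooling. It walks an npm package-lock.json (v1, v2 and v3 layouts) and grades each watched copy against a patched-version list; the FIXED map is the editor's recollection of the fix releases and is an assumption to confirm against the React and Next.js advisories before acting on its output. The sample lockfile is constructed.

```python
# Added example (not React/Next.js tooling): inventory package-lock.json for
# the advisory's packages and grade each installed copy. FIXED is ASSUMED
# (editor's recollection of fix releases) and must be verified.
import json
import re
import sys

# Packages named in the advisory, plus next, which vendors its own copies.
WATCHED = ("react-server-dom-webpack", "react-server-dom-parcel",
           "react-server-dom-turbopack", "next")

_RSC_FIXED = ["19.0.1", "19.1.2", "19.2.1"]
FIXED = {                                   # ASSUMPTION: one fix per release line; verify
    "react-server-dom-webpack": _RSC_FIXED,
    "react-server-dom-parcel": _RSC_FIXED,
    "react-server-dom-turbopack": _RSC_FIXED,
    "next": ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v):
    """'19.2.1-canary-x' -> ((19, 2, 1), 'canary-x'); pre-release kept separately."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) or ""


def grade(name, installed):
    """'patched' / 'VULNERABLE' for a release line listed in FIXED, else 'CHECK'.
    A pre-release of the fix version (e.g. a canary) sorts below the fix."""
    core, pre = parse_version(installed)
    for fixed in FIXED.get(name, []):
        fcore, _ = parse_version(fixed)
        if fcore[:2] == core[:2]:
            if core > fcore or (core == fcore and not pre):
                return "patched"
            return "VULNERABLE"
    return "CHECK"


def lock_entries(lock):
    """Yield (install_path, name, version) for every package in the lockfile."""
    if "packages" in lock:                      # lockfileVersion 2 / 3
        for path, meta in lock["packages"].items():
            if path:                            # "" is the root project itself
                yield path, path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    else:                                       # lockfileVersion 1: nested dependencies

        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield path, name, meta.get("version", "")
                yield from walk(meta.get("dependencies", {}), path + "/")

        yield from walk(lock.get("dependencies", {}), "")


def audit(lock):
    """List (install_path, version, grade) for each watched package copy."""
    return [(path, version, grade(name, version))
            for path, name, version in lock_entries(lock)
            if name in WATCHED and version]


# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/next": {"version": "16.0.7"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-turbopack":
            {"version": "19.2.1-canary-constructed"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, version, status in audit(lock):
        print(f"{status:10} {version:28} {path}")
```

Run it against every deployed application's lockfile (python3 rsc_audit.py package-lock.json) and treat CHECK the same as VULNERABLE until the release line has been looked up. The script reads the lockfile rather than node_modules, so a build whose image was produced from a different lockfile, or a Yarn or pnpm project, needs the equivalent walk over its own lock format.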

Separate telemetry from Shadowserver Foundation revealed more than 165,000 IP addresses and approximately 644,000 domains hosting vulnerable code as of December 8, 2025. The majority of affected systems are located in the United States, followed by Germany, France, and India.

In an update issued on December 10, 2025, Palo Alto Networks Unit 42 reported activity likely overlapping with the Contagious Interview campaign used to distribute EtherRAT. Additional malware families observed include BPFDoor and Auto-Color. More than 50 organizations across sectors such as finance, government, education, telecommunications, retail, and media have been impacted globally.

Further analysis from Wiz indicates at least 15 distinct attacker clusters exploiting React2Shell, ranging from opportunistic cryptomining operations to sophisticated post-exploitation frameworks.

“This is a patch now situation,” said Christiaan Beek of Rapid7, warning that exploitation is occurring simultaneously across the threat landscape, including activity linked to ransomware and nation state actors.

Meanwhile, VulnCheck cautioned that React2Shell exploitation is likely to have a long tail, urging defenders to account for evolving proof-of-concept variants and modified payloads when building detection and response strategies.
