Ethical Hacking News
React2Shell Exploitation Delivers Cryptocurrency Miners and New Malware Across Multiple Sectors: A Comprehensive Analysis
A critical vulnerability discovered in React Server Components (RSC) has been exploited by threat actors to deliver cryptocurrency miners and an array of previously undocumented malware families across multiple sectors. This development marks a significant concern for organizations relying on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack, as they are advised to update immediately due to the "potential ease of exploitation and the severity of the vulnerability." The threat actors have leveraged automated exploitation tooling to deploy Linux-specific payloads on Windows endpoints, indicating a lack of differentiation between target operating systems. PeerBlight, CowTunnel, and ZinFoq are some of the malware families that have been identified in these attacks. Organizations are advised to take immediate action to patch their systems and protect themselves against this new threat.
The React2Shell vulnerability has been exploited by threat actors to deliver cryptocurrency miners and malware across multiple sectors. CVE-2025-55182, a critical security vulnerability in React Server Components (RSC), allows unauthenticated remote code execution. Attackers are targeting numerous organizations, primarily in the construction and entertainment industries, via automated exploitation tooling. Intrusions include deploying the XMRig cryptocurrency miner and leveraging publicly available tools to identify vulnerable Next.js instances. The threat actors are using automation that does not differentiate between target operating systems (e.g., Windows and Linux).
Huntress, a renowned cybersecurity company, has observed attackers targeting numerous organizations via CVE-2025-55182, a critical security vulnerability in RSC that allows unauthenticated remote code execution. As of December 8, 2025, these efforts have been aimed at a wide range of sectors, but prominently the construction and entertainment industries.
The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor. In two other cases, attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server.
Some of the notable intrusions also singled out Linux hosts to drop the XMRig cryptocurrency miner, and the attackers leveraged a publicly available GitHub tool to identify vulnerable Next.js instances before commencing the attack. "Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure, we assess that the threat actor is likely leveraging automated exploitation tooling," Huntress researchers said.
This is further supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems.
A brief description of the payloads downloaded in these attacks: sex.sh is a bash script that retrieves XMRig 6.24.0 directly from GitHub. PeerBlight is a Linux backdoor that shares some code overlaps with two malware families, RotaJakiro and Pink, that came to light in 2021; it installs a systemd service to ensure persistence and masquerades as a "ksoftirqd" daemon process to evade detection. CowTunnel is a reverse proxy that initiates an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively bypassing firewalls that are configured to only monitor inbound connections.
ZinFoq is a Linux ELF binary that implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities.
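The systemd persistence attributed to PeerBlight above gives defenders a concrete place to look. The following script is an added illustration, not code from Huntress or the article: it parses the ExecStart= lines of service unit files and flags binaries that live in world-writable or user directories, use hidden path components, or borrow the name of a kernel thread. The heuristics, the directory list and the sample unit contents are assumptions constructed for the example; the article does not say where PeerBlight places its binary.

```python
"""Flag systemd service units whose ExecStart points to an unusual location.

Added illustration for the PeerBlight persistence described in the article;
not Huntress's or the article's code. Unit-file contents below are constructed.
"""
import os
import shlex

# Directories a legitimate service binary is not expected to live in (assumption).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")
# Cover name the article attributes to PeerBlight; a real ksoftirqd is a kernel
# thread and is never started by a unit file.
SUSPECT_NAMES = {"ksoftirqd"}


def exec_start_paths(unit_text: str) -> list[str]:
    """Return the executable path from every ExecStart= line of a unit file."""
    paths = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.lower().startswith("execstart="):
            continue
        value = line.split("=", 1)[1].strip()
        # systemd allows prefix characters such as '-' or '@' before the path.
        value = value.lstrip("-@:+!")
        tokens = shlex.split(value)
        if tokens:
            paths.append(tokens[0])
    return paths


def unit_findings(unit_name: str, unit_text: str) -> list[str]:
    """Apply the three heuristics to one unit and return human-readable findings."""
    findings = []
    for path in exec_start_paths(unit_text):
        norm = os.path.normpath(path)
        if any(norm == d or norm.startswith(d + "/") for d in SUSPECT_DIRS):
            findings.append(f"{unit_name}: ExecStart in writable/user dir: {path}")
        if any(part.startswith(".") for part in norm.split("/")[1:]):
            findings.append(f"{unit_name}: ExecStart uses hidden path component: {path}")
        if os.path.basename(norm) in SUSPECT_NAMES:
            findings.append(f"{unit_name}: ExecStart named after a kernel thread: {path}")
    return findings


def scan_units(units: dict[str, str]) -> list[str]:
    """Scan a mapping of unit name -> unit text."""
    out = []
    for name, text in units.items():
        out.extend(unit_findings(name, text))
    return out


def scan_unit_dirs(dirs=("/etc/systemd/system", "/usr/lib/systemd/system")) -> list[str]:
    """Read .service files from a live system's unit directories and scan them."""
    units = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if name.endswith(".service") and os.path.isfile(p):
                try:
                    with open(p, errors="replace") as f:
                        units[p] = f.read()
                except OSError:
                    pass
    return scan_units(units)


# Constructed samples: one ordinary unit and one modelled on the persistence pattern.
SAMPLE_UNITS = {
    "cron.service": "[Unit]\nDescription=Regular background program processing daemon\n\n"
                    "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "ksoftirqd.service": "[Unit]\nDescription=ksoftirqd\n\n[Service]\n"
                         "ExecStart=/tmp/.cache/ksoftirqd\nRestart=always\n\n"
                         "[Install]\nWantedBy=multi-user.target\n",
}

if __name__ == "__main__":
    import sys
    for finding in (scan_unit_dirs() if "--live" in sys.argv else scan_units(SAMPLE_UNITS)):
        print(finding)
```

Run it without arguments to see the constructed sample flagged on all three heuristics; `--live` reads the local unit directories instead. Treat hits as leads to triage, since a legitimately packaged service can sit in a hidden directory on some distributions.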
ZinFoq also beacons out to its C2 server and is equipped to parse incoming instructions to run commands using "/bin/bash," enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start or stop a SOCKS5 proxy, enable or disable TCP port forwarding, and alter file access and modification times.
ZinFoq also takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services (e.g., "/sbin/audispd," "/usr/sbin/ModemManager," "/usr/libexec/colord," or "/usr/sbin/cron -f") to conceal its presence.
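Both disguises described above (PeerBlight posing as "ksoftirqd", ZinFoq posing as one of 44 system services) leave a gap between what a process claims to be and what the kernel says is running. The script below is an added illustration, not code from Huntress or the article. It encodes two checks: a genuine kernel thread has no /proc/PID/exe target and an empty cmdline, so anything named ksoftirqd that carries an exe or arguments is user-space code; and a process whose cmdline claims a known service path should actually be executing that path. The process records are constructed, and the service list is only the four names the article quotes, not ZinFoq's full set of 44.

```python
"""Spot user-space processes posing as a kernel thread or a standard service.

Added illustration, not Huntress's or the article's code. Records below are
constructed; the service paths are the ones quoted in the article.
"""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Service paths the article says ZinFoq impersonates (a subset of its 44).
KNOWN_SERVICE_PATHS = {
    "/sbin/audispd",
    "/usr/sbin/ModemManager",
    "/usr/libexec/colord",
    "/usr/sbin/cron",
}
# Kernel-thread name PeerBlight borrows; real ones appear as ksoftirqd/<cpu>.
KERNEL_THREAD_RE = re.compile(r"^\[?ksoftirqd(/\d+)?\]?$")


@dataclass
class ProcRecord:
    pid: int
    comm: str            # contents of /proc/PID/comm
    cmdline: str         # /proc/PID/cmdline with NULs turned into spaces
    exe: Optional[str]   # readlink of /proc/PID/exe; None when absent or unreadable


def _strip_deleted(path: str) -> str:
    # A service upgraded on disk while still running shows "... (deleted)";
    # that alone is not masquerading, so compare the path without the suffix.
    return path[:-len(" (deleted)")] if path.endswith(" (deleted)") else path


def classify(rec: ProcRecord) -> Optional[str]:
    """Return a finding for a masquerading process, or None if it looks genuine."""
    tokens = rec.cmdline.split()
    claimed = tokens[0] if tokens else ""
    if KERNEL_THREAD_RE.match(rec.comm.strip()) or KERNEL_THREAD_RE.match(claimed):
        # Kernel threads have no exe link and no argv; either one betrays user space.
        if rec.exe is not None or claimed:
            return f"pid {rec.pid}: user-space binary {rec.exe!r} posing as kernel thread {rec.comm!r}"
        return None
    if claimed in KNOWN_SERVICE_PATHS and rec.exe is not None:
        # exe is None for other users' processes when not root: unknown, not a finding.
        if os.path.normpath(_strip_deleted(rec.exe)) != os.path.normpath(claimed):
            return f"pid {rec.pid}: cmdline claims {claimed!r} but exe is {rec.exe!r}"
    return None


def scan_records(records) -> list[str]:
    return [f for f in (classify(r) for r in records) if f]


def read_proc() -> list[ProcRecord]:
    """Build records from a live /proc (Linux only); run as root to see every exe."""
    recs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None   # kernel threads, or processes we lack rights to inspect
        recs.append(ProcRecord(pid, comm, cmdline, exe))
    return recs


# Constructed sample records (pids and paths are made up for the example).
SAMPLE_RECORDS = [
    ProcRecord(12, "ksoftirqd/0", "", None),                                  # real kernel thread
    ProcRecord(4321, "ksoftirqd", "ksoftirqd", "/tmp/.x/pb"),                 # PeerBlight-style cover
    ProcRecord(700, "cron", "/usr/sbin/cron -f", "/usr/sbin/cron"),           # genuine cron
    ProcRecord(701, "cron", "/usr/sbin/cron -f", "/usr/sbin/cron (deleted)"), # upgraded, still genuine
    ProcRecord(9912, "cron", "/usr/sbin/cron -f", "/dev/shm/.z"),             # ZinFoq-style cover
]

if __name__ == "__main__":
    import sys
    for finding in scan_records(read_proc() if "--live" in sys.argv else SAMPLE_RECORDS):
        print(finding)
```

Without arguments the script reports the two constructed impostors; `--live` walks the local /proc. Because ZinFoq also clears bash history and timestomps files, the exe-versus-claim comparison is useful precisely because it relies on kernel-maintained state rather than on anything the process can edit after the fact.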
The Shadowserver Foundation said it detected over 165,000 IP addresses and 644,000 domains with vulnerable code as of December 8, 2025, after "scan targeting improvements." More than 99,200 instances are located in the U.S., followed by Germany (14,100), France (6,400), and India (4,500).
Organizations relying on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are advised to update immediately due to the "potential ease of exploitation and the severity of the vulnerability." React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families across multiple sectors.
Related Information:
https://www.ethicalhackingnews.com/articles/React2Shell-Exploitation-Delivers-Cryptocurrency-Miners-and-New-Malware-Across-Multiple-Sectors-A-Comprehensive-Analysis-ehn.shtml
https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/
Published: Wed Dec 10 14:39:25 2025 by llama3.2 3B Q4_K_M