React2Shell Exploited for Crypto Mining and Malware Attacks

Critical React2Shell Vulnerability in React Server Components Enables Remote Code Execution and Widespread Malware Deployment

  • React2Shell exploit leverages a critical security flaw in React Server Components (RSC) for remote code execution and malware deployment.
  • Attackers distribute diverse malware, including the PeerBlight Linux backdoor, CowTunnel proxy, and ZinFoq post-exploitation tool.
  • Tens of thousands of vulnerable instances remain globally, with notable concentrations in the U.S., Germany, France, and India.
  • Automated attacks target various sectors, mainly construction and entertainment, often using publicly available tools to locate vulnerable Next.js servers.
  • Immediate updates to affected React Server Component packages are strongly advised due to the high risk of exploitation.

React2Shell continues to see heavy use by cybercriminals exploiting a severe security vulnerability in React Server Components (RSC). As disclosed in recent reports from Huntress, threat actors use this flaw, tracked as CVE-2025-55182, to perform unauthenticated remote code execution. Since early December 2025, multiple industries, especially construction and entertainment, have been targeted worldwide.

Initial attacks were observed on December 4, 2025, where attackers exploited vulnerable Next.js applications to deliver a cryptocurrency miner and the Linux backdoor PeerBlight. These campaigns involve automated tools that indiscriminately deploy Linux and Windows payloads, including attempts to execute discovery commands and fetch malicious files from command-and-control (C2) servers.

Among the malware payloads identified are:

sex.sh: A Bash script that downloads the XMRig cryptocurrency miner version 6.24.0 directly from GitHub.

PeerBlight: A stealthy Linux backdoor sharing code with older malware families RotaJakiro and Pink. It persists by installing a systemd service and disguises itself as the “ksoftirqd” daemon process.

CowTunnel: A reverse proxy creating outbound connections to attacker-controlled Fast Reverse Proxy servers, bypassing firewall restrictions.

ZinFoq: A Go-based Linux ELF implant enabling interactive shells, file manipulation, network pivoting, and timestomping.

Other scripts such as d5.sh and fn22.sh deploy or update the Sliver C2 framework, while wocaosinm.sh is a variant of the Kaiji DDoS malware with added persistence and evasion.
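
A host-side check for the "ksoftirqd" disguise described above, as an added example that is not from Huntress or the original article. It relies on standard Linux behaviour: a genuine ksoftirqd/N is a kernel thread whose parent is kthreadd (PID 2), with an empty command line and no executable on disk. The sample records and paths are constructed.

```python
import os

KTHREADD_PID = 2  # kthreadd: parent of every genuine Linux kernel thread

def looks_like_fake_ksoftirqd(proc):
    """proc: dict with comm (str), ppid (int), cmdline (bytes), exe (str or None)."""
    argv0 = proc["cmdline"].split(b"\0")[0].decode(errors="replace")
    if "ksoftirqd" not in proc["comm"] and "ksoftirqd" not in argv0:
        return False
    # A real ksoftirqd/N is a kernel thread: child of kthreadd, empty
    # cmdline, and no executable behind /proc/<pid>/exe.
    genuine = proc["ppid"] == KTHREADD_PID and not proc["cmdline"] and not proc["exe"]
    return not genuine

def read_proc(pid, root="/proc"):
    """Collect the fields the check needs for one live process."""
    base = os.path.join(root, str(pid))
    fields = {}
    with open(os.path.join(base, "status"), errors="replace") as fh:
        for line in fh:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        cmdline = fh.read()
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:  # kernel thread, or not permitted to read the link
        exe = None
    return {"pid": pid, "comm": fields.get("Name", ""),
            "ppid": int(fields.get("PPid", "0")), "cmdline": cmdline, "exe": exe}

def flagged_pids(procs):
    return [p["pid"] for p in procs if looks_like_fake_ksoftirqd(p)]

# Constructed sample records (not taken from a real infection).
SAMPLES = [
    {"pid": 14, "comm": "ksoftirqd/0", "ppid": 2, "cmdline": b"", "exe": None},
    {"pid": 4711, "comm": "ksoftirqd", "ppid": 1,
     "cmdline": b"/usr/local/bin/example-binary\0", "exe": "/usr/local/bin/example-binary"},
    {"pid": 4800, "comm": "example", "ppid": 1,
     "cmdline": b"[ksoftirqd/1]\0", "exe": "/tmp/example"},
    {"pid": 900, "comm": "sshd", "ppid": 1, "cmdline": b"/usr/sbin/sshd\0", "exe": "/usr/sbin/sshd"},
]

if __name__ == "__main__":
    print("constructed samples flagged:", flagged_pids(SAMPLES))
    live = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            live.append(read_proc(int(entry)))
        except OSError:  # process exited while we were reading it
            continue
    print("live processes flagged:", flagged_pids(live))
```

Run it as root so the exe links of other users' processes are readable; a hit is a lead for triage, not proof of PeerBlight.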

The PeerBlight backdoor communicates with a hardcoded C2 address (“185.247.224[.]41:8443”) to perform file operations, spawn reverse shells, and self-update. It also uses a domain generation algorithm (DGA) combined with the BitTorrent Distributed Hash Table (DHT) network to discover other infected nodes. According to researchers, infected bots register with DHT node IDs starting with the prefix “LOLlolLOL” to identify fellow bots or attacker nodes.
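
A network-side check for the “LOLlolLOL” node ID prefix, as an added example that is not from the researchers or the original article. It assumes the bots speak the standard BitTorrent DHT message format (BEP 5: bencoded dictionaries carried over UDP), which the article does not spell out; the packets below are constructed.

```python
PREFIX = b"LOLlolLOL"  # node ID prefix reported for PeerBlight bots

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dictionary
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        return data[start:start + int(data[i:colon])], start + int(data[i:colon])
    raise ValueError("not bencode")

def peerblight_ids(packet):
    """Return the node IDs in one DHT UDP payload that carry the prefix."""
    try:
        msg, _ = bdecode(packet)
    except (ValueError, TypeError):                 # truncated or not a DHT message
        return []
    if not isinstance(msg, dict):
        return []
    ids = []
    for key in (b"a", b"r"):                        # query arguments / response values
        body = msg.get(key)
        if not isinstance(body, dict):
            continue
        if isinstance(body.get(b"id"), bytes):      # ID of the sending node
            ids.append(body[b"id"])
        nodes = body.get(b"nodes")                  # compact list: 20-byte ID + IP + port
        if isinstance(nodes, bytes):
            ids += [nodes[o:o + 20] for o in range(0, len(nodes) - 25, 26)]
    return [n for n in ids if n.startswith(PREFIX)]

# Constructed packets: 20-byte IDs, documentation-range IP 192.0.2.10.
BOT_ID = PREFIX + b"\x00" * 11
BENIGN_ID = b"abcdefghij0123456789"
PING_BENIGN = b"d1:ad2:id20:" + BENIGN_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
PING_BOT = b"d1:ad2:id20:" + BOT_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
REPLY_LISTING_BOT = (b"d1:rd2:id20:" + BENIGN_ID + b"5:nodes26:" + BOT_ID
                     + bytes([192, 0, 2, 10]) + b"\x1a\xe1" + b"e1:t2:aa1:y1:re")

if __name__ == "__main__":
    for name in ("PING_BENIGN", "PING_BOT", "REPLY_LISTING_BOT"):
        print(name, peerblight_ids(globals()[name]))
```

A match in a response's node list means a third party advertised such an ID, so only a match on the sender's own ID points at the sending host.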

Similarly, ZinFoq connects to its C2 server to execute commands through “/bin/bash,” manage files, download additional payloads, and establish reverse shells. It erases bash history for stealth and impersonates 44 legitimate Linux system services to avoid detection.

Due to the potential ease of exploitation and high impact of this vulnerability, organizations using react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are urged to apply updates immediately.

The Shadowserver Foundation reports over 165,000 IPs and 644,000 domains hosting vulnerable code as of December 8, 2025. More than 99,200 instances are in the United States, followed by Germany (14,100), France (6,400), and India (4,500). The volume of exposed servers highlights a significant ongoing risk related to this flaw.
