Through a critical vulnerability tracked as CVE-2025-55182, also known as React2Shell, threat actors have begun to target businesses in the insurance, e-commerce, and IT sectors. Attackers can execute unauthorized code on susceptible servers due to a flaw in the Flight protocol, which manages client-server communication for React Server Components.

The root cause of the vulnerability is insecure deserialization: servers accept client-supplied data without adequate verification. The XMRig cryptocurrency miner is the main payload of the attacks, alongside several dangerous botnets and remote access tools. The speed and sophistication of the exploitation campaigns have been astounding. Although many security flaws of this kind are never widely exploited in real-world scenarios, BI.ZONE analysts observed that adversaries can weaponize critical vulnerabilities within hours of their disclosure.

While campaigns targeting other regions disseminated a wider variety of malware, such as CrossC2 implants, Tactical RMM, VShell backdoors, and EtherRAT trojans, the attacks specifically used the RustoBot and Kaiji botnets. React2Shell affects the React Server Components packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Versions 19.0.1, 19.1.2, and 19.2.1 contain the patches.

BI.ZONE researchers found that patching the vulnerability alone is not enough. Because these attacks frequently involve a variety of malicious operations, organizations must also evaluate their systems for signs of successful exploitation and post-exploitation activity. In addition to patching, developers should rebuild projects after updating, check lock files to ensure vulnerable package versions have been eliminated, and confirm their Next.js versions and dependencies.
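As an added example (not code from the article or the React project), the lock-file check the paragraph above recommends: it reads a package-lock.json and reports any of the three affected packages still below the fixed release of their 19.x line. The package names and versions are the ones the article gives; the helper names and the sample lock file are assumptions constructed for illustration.

```javascript
// Added example, not code from the article or the React project. Package names and
// fixed versions come from the article; helper names and sample data are constructed.
const AFFECTED_PACKAGES = new Set(['react-server-dom-webpack',
  'react-server-dom-parcel', 'react-server-dom-turbopack']);
// First fixed patch release of each affected 19.x line: 19.0.1, 19.1.2, 19.2.1.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  // "19.0" (as the article writes it) is read as 19.0.0; prerelease/build
  // suffixes are ignored, so canary builds are out of scope (assumption).
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3] } : null;
}

function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p || p.major !== 19) return false;          // only the 19.x lines are listed
  const fixed = FIXED_PATCH_BY_MINOR[p.minor];
  return fixed !== undefined && p.patch < fixed;   // anything below the fixed release
}

// Walks both lockfile layouts: v2/v3 "packages" (keys like "node_modules/<name>")
// and v1 "dependencies" (bare names, nested under "dependencies").
function findVulnerable(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  const record = (name, entry, path) => {
    if (AFFECTED_PACKAGES.has(name) && isVulnerableVersion(entry.version))
      hits.push({ name, version: entry.version, path });
  };
  for (const [key, entry] of Object.entries(lock.packages || {}))
    record(key.split('node_modules/').pop(), entry, key);
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      record(name, entry, `${prefix}node_modules/${name}`);
      walk(entry.dependencies, `${prefix}node_modules/${name}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (v3 layout): one patched and one still-vulnerable package.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
});
```

Run it against a real project's lock file with `findVulnerable(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no listed package is below its fixed release.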

In production settings, experts advise limiting experimental React Server Components features unless they are protected by the most recent security patches.

Malware Deployment and Infection Mechanism

Threat actors start the attack chain by using React2Shell to run commands inside compromised containers. After obtaining initial access, attackers download and run Bash scripts from remote servers to launch malicious payloads.

For example, the wocaosinm.sh script downloads architecture-specific ELF executables known as the Kaiji botnet, which uses systemd services, crontab tasks, and altered system utilities to launch DDoS attacks and establish persistence.

Script that delivers malware according to architecture (Source: Medium)

Another deployment method involves the setup2.sh script, which installs XMRig version 6.24.0 by downloading a compressed archive containing the miner configuration and executable.

The alive.sh script then ends any process using 40% CPU or more, with the exception of the XMRig miner itself and other whitelisted processes.

Setup2.sh fragment (Source: Medium)

Additionally, attackers use DNS tunneling with tools such as nslookup to exfiltrate command execution results, sending the data to external domains as encoded subdomain queries. Payloads from Cobalt Strike's CrossC2 framework are yet another advanced attack method.

The encrypted configurations embedded at the end of these UPX-packed executables are decrypted with AES-128-CBC.

Check.sh fragment (Source: Medium)

To evade detection, the check.sh script saves these payloads as rsyslo and disguises the malware as an "Rsyslo AV Agent Service". It also creates a systemd service for persistence.

The EtherRAT malware exhibits remarkable persistence capabilities, establishing five distinct mechanisms: systemd services, XDG Autostart entries, crontab tasks, .bashrc modifications, and .profile alterations. Because this JavaScript-based malware obtains its command-and-control server address from an Ethereum smart contract, conventional blocking techniques are less effective.