Ethereum

Attackers Exploiting React2Shell Vulnerability to Attack IT Sectors

Last updated: January 27, 2026 10:10 pm
Published: 3 months ago

Threat actors have started targeting companies in the insurance, e-commerce, and IT sectors through a critical vulnerability tracked as CVE-2025-55182, commonly known as React2Shell.

This flaw exists in the Flight protocol that handles client-server communication for React Server Components, allowing attackers to run unauthorized code on vulnerable servers.

The vulnerability originates from insecure deserialization, where servers accept client data without proper verification. The attacks primarily deliver the XMRig cryptocurrency miner, alongside several dangerous botnets and remote access tools.

The exploitation campaigns have shown remarkable speed and sophistication.

BI.ZONE analysts noted that adversaries can weaponize critical vulnerabilities within hours of their disclosure, even though many such security flaws never see widespread exploitation in real-world scenarios.

The attacks targeting Russian entities specifically deployed RustoBot and Kaiji botnets, while campaigns aimed at other regions distributed a broader range of malware including CrossC2 implants, Tactical RMM, VShell backdoors, and EtherRAT trojans.

React2Shell affects multiple versions of React Server Component packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0.

Patches have been released in versions 19.0.1, 19.1.2, and 19.2.1. BI.ZONE researchers identified that simply fixing the vulnerability is insufficient.

Organizations must also assess their systems for indicators of successful exploitation and post-exploitation activity, as these attacks often involve diverse malicious operations.

Beyond patching, developers should verify their Next.js versions and dependencies, rebuild projects after updates, and check lock files to confirm vulnerable package versions have been removed.
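To make the lock-file check above concrete, here is an added example (not from the article or the React project) that scans an npm package-lock.json for the affected react-server-dom packages and flags entries still below the patched release of their 19.x line; the lockfile fragment is constructed, and the lockfileVersion 2/3 "packages" layout is assumed.

```javascript
// Added example (not from the article): scan an npm package-lock.json
// (lockfileVersion 2/3 "packages" map) for the React Server Components
// packages the article lists as affected by CVE-2025-55182.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Patched releases named in the article, keyed by minor release line.
const PATCHED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when the version is in a listed 19.x line and below its patched release.
function isVulnerableVersion(version) {
  const p = parseVersion(version);
  if (!p) return false; // non-semver specifiers (git URLs etc.): cannot decide
  const fixed = parseVersion(PATCHED[`${p[0]}.${p[1]}`]);
  return fixed !== null && p[2] < fixed[2];
}

function findVulnerable(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Nested installs look like node_modules/a/node_modules/b; keep the last name.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!AFFECTED_PACKAGES.has(name) || !isVulnerableVersion(entry.version)) continue;
    const [major, minor] = parseVersion(entry.version);
    hits.push({ path, name, version: entry.version, fixed: PATCHED[`${major}.${minor}`] });
  }
  return hits;
}

// Constructed lockfile fragment for demonstration; not a real project's file.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.1.1" },
  },
});
for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} is vulnerable, update to ${h.fixed}`);
}
```

Run it against a real lock file with `findVulnerable(fs.readFileSync("package-lock.json", "utf8"))`; yarn and pnpm lock files use different layouts and need their own parser.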

Experts recommend restricting experimental React Server Components features in production environments unless covered by current security patches.

Infection Mechanism and Malware Deployment

The attack chain begins when threat actors exploit React2Shell to execute commands inside compromised containers. After gaining initial access, attackers download and execute Bash scripts from remote servers to deploy malicious payloads.

The wocaosinm.sh script, for instance, downloads architecture-specific ELF executables identified as the Kaiji botnet, which performs DDoS attacks and establishes persistence through systemd services, crontab tasks, and modified system utilities.

Another deployment method involves the setup2.sh script, which installs XMRig version 6.24.0 by downloading a compressed archive containing the miner configuration and executable.

The alive.sh script then terminates any process consuming 40% CPU or more, except for the XMRig miner itself and other whitelisted processes.

Attackers also use DNS tunneling through tools like nslookup to exfiltrate command execution results, sending information to external domains using encoded subdomain queries.
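As an added example of detecting the DNS-tunneling exfiltration described above (not code from the article or from any of the tools it names), the following scans resolver query logs for long, encoded-looking subdomain labels and alerts when one source sends several such queries to the same domain; the log format, the sample lines and the domain example-attacker.test are all constructed.

```javascript
// Added example (not from the article): heuristic detection of DNS tunnelling in
// resolver query logs, where command output is encoded into subdomain labels.
// Log format and lines are constructed; "example-attacker.test" is a placeholder.
const SAMPLE_DNS_LOG = [
  "2026-01-27T10:01:02Z 10.0.3.14 A api.github.com",
  "2026-01-27T10:01:05Z 10.0.3.14 A 7569643d3028726f6f7429206769643d.s1.example-attacker.test",
  "2026-01-27T10:01:06Z 10.0.3.14 A 3028726f6f74292067726f7570733d30.s1.example-attacker.test",
  "2026-01-27T10:01:07Z 10.0.3.14 A 28726f6f7429206c696e757820616263.s1.example-attacker.test",
  "2026-01-27T10:01:09Z 10.0.3.14 A cdn.jsdelivr.net",
];

// Shannon entropy in bits per character; encoded data scores high, words low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

// Crude registrable-domain guess (last two labels); use a public-suffix list in production.
function registeredDomain(qname) {
  return qname.split(".").slice(-2).join(".");
}

// A name is suspicious when a subdomain label is long and looks encoded:
// pure hex, or high entropy (base32/base64-style payloads).
function isSuspiciousName(qname, { minLabelLen = 30, minEntropy = 3.0 } = {}) {
  const labels = qname.split(".").slice(0, -2);
  return labels.some((l) =>
    l.length >= minLabelLen && (/^[0-9a-f]+$/i.test(l) || shannonEntropy(l) >= minEntropy));
}

// Group suspicious queries by (source, domain); tunnelling needs many queries
// to move even small amounts of data, so alert once a count threshold is passed.
function detectTunnelling(lines, minQueries = 3) {
  const groups = new Map();
  for (const line of lines) {
    const [, src, , qname] = line.trim().split(/\s+/);
    if (!qname || !isSuspiciousName(qname)) continue;
    const domain = registeredDomain(qname);
    const key = `${src}|${domain}`;
    const g = groups.get(key) || { src, domain, queries: 0, sample: qname };
    g.queries += 1;
    groups.set(key, g);
  }
  return [...groups.values()].filter((g) => g.queries >= minQueries);
}
for (const a of detectTunnelling(SAMPLE_DNS_LOG)) {
  console.log(`${a.src} -> ${a.domain}: ${a.queries} encoded-looking queries, e.g. ${a.sample}`);
}
```

Tune the label-length and entropy thresholds against your own baseline, since CDN and anti-spam services also emit long hashed labels legitimately.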

The CrossC2 framework payloads for Cobalt Strike represent another sophisticated attack vector.

These UPX-packed executables contain encrypted configurations embedded at the end of the file, decrypted using the AES-128-CBC algorithm.

The check.sh script saves these payloads as rsyslo and creates a systemd service for persistence, disguising the malware as “Rsyslo AV Agent Service” to avoid detection.

The EtherRAT malware demonstrates exceptional persistence capabilities by establishing five different methods: systemd services, XDG Autostart entries, crontab tasks, .bashrc modifications, and .profile alterations.

This JavaScript-based malware retrieves its command-and-control server address from an Ethereum smart contract, making traditional blocking methods less effective.


Read more on Cyber Security News

This news is powered by Cyber Security News.
