Threat actors are continuing to exploit a maximum-severity security flaw in React Server Components (RSC), dubbed React2Shell, at scale to distribute cryptocurrency miners and a range of previously undocumented malware families, according to new research from Huntress.
This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel called CowTunnel, and a Go-based post-exploitation implant called ZinFoq.
The cybersecurity firm said it has observed attackers targeting a number of organizations via CVE-2025-55182, a critical vulnerability in RSC that allows unauthenticated remote code execution. As of December 8, 2025, the attacks span a wide range of sectors, with the construction and entertainment industries the most heavily represented.
The first exploitation attempt Huntress observed, against Windows endpoints, dates back to December 4, 2025. In that case, an unknown attacker exploited a vulnerable Next.js instance to drop a shell script, followed by commands to fetch a cryptocurrency miner and a Linux backdoor.
In two other cases, the attacker was observed attempting to run discovery commands and download payloads from command-and-control (C2) servers. Other notable intrusions included dropping the XMRig cryptocurrency miner on a Linux host and using publicly available GitHub tools to identify vulnerable Next.js instances before launching an attack.
“Based on consistent patterns observed across multiple endpoints, including identical vulnerability probes, shellcode tests, and C2 infrastructure, we assess that threat actors are likely leveraging automated exploitation tools,” Huntress researchers said. “This is further supported by attempts to deploy Linux-specific payloads to Windows endpoints, indicating that the automation does not differentiate between target operating systems.”
A brief description of some of the payloads downloaded in these attacks is as follows:
- sex.sh, a bash script that fetches XMRig 6.24.0 directly from GitHub
- PeerBlight, a Linux backdoor that shares some code overlap with RotaJakiro and Pink, two malware families uncovered in 2021; it installs a systemd service for persistence and masquerades as the "ksoftirqd" daemon process to evade detection
- CowTunnel, a reverse proxy that initiates outbound connections to an attacker-controlled Fast Reverse Proxy (FRP) server, effectively bypassing firewalls configured to inspect only inbound connections
- ZinFoq, a Linux ELF binary that implements a post-exploitation framework with an interactive shell, file manipulation, network pivoting, and time-stomping capabilities
- d5.sh, the dropper script responsible for deploying the Sliver C2 framework
- fn22.sh, a variant of d5.sh that adds a self-update mechanism to fetch new versions of the malware and restart
- wokaosinmu.sh, a variant of the Kaiji DDoS malware that adds remote management, persistence, and evasion capabilities

PeerBlight can establish communication with a hard-coded C2 server ('185.247.224(.)41:8443'), allowing its operator to upload, download and delete files, spawn a reverse shell, change file permissions, run arbitrary binaries, and update the implant itself. The backdoor also uses a domain generation algorithm (DGA) and the BitTorrent Distributed Hash Table (DHT) network as fallback C2 mechanisms.
“Upon joining the DHT network, the backdoor registers itself using a node ID that begins with the hardcoded prefix LOLlolLOL,” the researchers explained. “This 9-byte prefix serves as the botnet identifier, and the remaining 11 bytes of the 20-byte DHT node ID are randomized.”
“When the backdoor receives a DHT response containing a list of nodes, it scans for other nodes whose IDs start with LOLlolLOL. If it finds a match, it knows it’s either another infected machine or an attacker-controlled node that can provide the C2 configuration.”
Huntress said it has identified more than 60 unique nodes with the LOLlolLOL prefix, adding that for an infected bot to share its C2 configuration with another node, several conditions must be met, including a valid client version, the configuration being available on the responding bot's side, and a correct transaction ID.
Even when all of those conditions are met, the bot is designed to share its configuration only one-third of the time, based on a random check, presumably to reduce network noise and avoid detection.
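To make the node-ID scheme concrete, the following is an added Python example, not Huntress' code and not anything recovered from the sample, that builds a PeerBlight-style node ID and filters a DHT reply for nodes carrying the LOLlolLOL prefix, which is the check the backdoor performs on peers and the check a defender can run over captured DHT traffic. It assumes the backdoor exchanges peers in the standard Mainline DHT compact node format (BEP 5: 20-byte ID, 4-byte IPv4, 2-byte port per node), which the research summary above does not state; the sample reply and its addresses are constructed.

```python
import os
import struct
import ipaddress

# Constants from the Huntress description quoted above
BOTNET_PREFIX = b"LOLlolLOL"    # 9-byte botnet identifier
NODE_ID_LEN = 20                # Mainline DHT node IDs are 20 bytes
# ASSUMPTION: peers are exchanged in the standard BEP 5 compact form,
# 26 bytes per node = 20-byte ID + 4-byte IPv4 + 2-byte big-endian port.
COMPACT_NODE_LEN = 26


def make_bot_node_id(rand=os.urandom):
    """Build a node ID the way the write-up describes: the fixed 9-byte
    prefix followed by 11 random bytes."""
    return BOTNET_PREFIX + rand(NODE_ID_LEN - len(BOTNET_PREFIX))


def is_bot_node_id(node_id):
    """True only for a full 20-byte ID that carries the whole prefix."""
    return len(node_id) == NODE_ID_LEN and node_id.startswith(BOTNET_PREFIX)


def encode_compact_node(node_id, ip, port):
    """Inverse of parse_compact_nodes; used here to build the sample reply."""
    return node_id + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def parse_compact_nodes(blob):
    """Split a compact 'nodes' value into (node_id, ip, port) tuples."""
    if len(blob) % COMPACT_NODE_LEN:
        raise ValueError("nodes blob length is not a multiple of 26")
    nodes = []
    for off in range(0, len(blob), COMPACT_NODE_LEN):
        chunk = blob[off:off + COMPACT_NODE_LEN]
        node_id = chunk[:NODE_ID_LEN]
        ip = str(ipaddress.IPv4Address(chunk[NODE_ID_LEN:NODE_ID_LEN + 4]))
        (port,) = struct.unpack("!H", chunk[NODE_ID_LEN + 4:])
        nodes.append((node_id, ip, port))
    return nodes


def find_bot_nodes(blob):
    """Return (hex node ID, ip, port) for every node carrying the prefix,
    i.e. what the backdoor itself looks for in a DHT reply."""
    return [(nid.hex(), ip, port)
            for nid, ip, port in parse_compact_nodes(blob)
            if is_bot_node_id(nid)]


# Constructed sample reply (RFC 5737 documentation addresses, not real nodes)
SAMPLE_NODES = b"".join([
    encode_compact_node(b"\x11" * NODE_ID_LEN, "192.0.2.10", 6881),           # ordinary peer
    encode_compact_node(BOTNET_PREFIX + b"\xaa" * 11, "203.0.113.5", 51413),  # bot
    encode_compact_node(b"LOLlol" + b"\x00" * 14, "198.51.100.7", 6881),      # partial prefix: not a bot
    encode_compact_node(BOTNET_PREFIX + b"\xbb" * 11, "203.0.113.9", 8443),   # bot
])

if __name__ == "__main__":
    for nid, ip, port in find_bot_nodes(SAMPLE_NODES):
        print(f"bot node {nid} at {ip}:{port}")
```

The partial-prefix entry is there deliberately: a match on fewer than the full nine bytes is just a collision with a benign node, so the filter insists on the whole prefix and on a full-length ID.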
ZinFoq uses a similar approach: it beacons to its C2 server, parses the instructions it receives, and can execute commands via "/bin/bash", enumerate directories, read or delete files, download payloads from specified URLs, exfiltrate files and system information, start and stop SOCKS5 proxies, enable and disable TCP port forwarding, modify file access and modification times (time-stomping), and establish a reverse pseudo-terminal (PTY) shell.
ZinFoq also clears the bash history and conceals its presence by masquerading as one of 44 legitimate Linux system services (such as "/sbin/audispd", "/usr/sbin/ModemManager", "/usr/libexec/colord", or "/usr/sbin/cron -f").
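Both implants rely on process-name masquerading, which leaves a gap a host-based check can exploit: the name a process claims (its command line or comm) and the binary it is actually running (the /proc/<pid>/exe link) are recorded separately by the kernel. The following is an added Python example, not Huntress' detection logic, that flags three tells: a known service path in argv[0] whose exe resolves elsewhere (the ZinFoq pattern), an exe that has been unlinked from disk, and a kernel-thread name such as ksoftirqd on a process that has a command line or an exe at all (the PeerBlight pattern; real kernel threads have neither). The four service names are those the page lists; the process table it scans is constructed, and snapshot_proc() is provided for running the same checks on a live Linux host.

```python
import os

# Legitimate service paths the page says ZinFoq imitates (four of the 44),
# keyed by the path a genuine instance would be executing from.
KNOWN_SERVICE_ARGV0 = {
    "/sbin/audispd",
    "/usr/sbin/ModemManager",
    "/usr/libexec/colord",
    "/usr/sbin/cron",
}
# PeerBlight poses as ksoftirqd; real kernel threads have no cmdline and no exe.
KERNEL_THREAD_PREFIXES = ("ksoftirqd", "kworker", "migration/", "rcu_")


def masquerade_findings(proc):
    """proc: {'pid', 'comm', 'cmdline' (argv list), 'exe' (readlink of
    /proc/<pid>/exe, or None when absent or unreadable)}. Returns reasons."""
    findings = []
    argv0 = proc["cmdline"][0] if proc["cmdline"] else ""
    exe = proc["exe"]
    # 1. Claims to be a known service binary but runs from somewhere else.
    if argv0 in KNOWN_SERVICE_ARGV0 and exe and exe.split(" (deleted)")[0] != argv0:
        findings.append(f"argv0 {argv0} but exe is {exe}")
    # 2. Binary unlinked after launch: a common in-memory implant habit.
    if exe and exe.endswith(" (deleted)"):
        findings.append("executable deleted from disk")
    # 3. Kernel-thread name on a process that has userland attributes.
    if proc["comm"].startswith(KERNEL_THREAD_PREFIXES) and (exe or proc["cmdline"]):
        findings.append(f"kernel-thread name {proc['comm']!r} on a userland process")
    return findings


def scan(procs):
    """Map pid -> findings for every process that tripped a check."""
    return {p["pid"]: f for p in procs if (f := masquerade_findings(p))}


def snapshot_proc():
    """Collect the same fields from a live Linux /proc. Run as root to read
    every process's exe link; unreadable links come back as None."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, or not permitted
        procs.append({"pid": int(pid), "comm": comm, "cmdline": cmdline, "exe": exe})
    return procs


# Constructed process table: two benign entries, a real kernel thread, two implants.
SAMPLE_PROCS = [
    {"pid": 1,    "comm": "systemd",     "cmdline": ["/sbin/init"],           "exe": "/usr/lib/systemd/systemd"},
    {"pid": 9,    "comm": "ksoftirqd/0", "cmdline": [],                       "exe": None},
    {"pid": 412,  "comm": "cron",        "cmdline": ["/usr/sbin/cron", "-f"], "exe": "/usr/sbin/cron"},
    {"pid": 3172, "comm": "cron",        "cmdline": ["/usr/sbin/cron", "-f"], "exe": "/tmp/.cache/zf"},
    {"pid": 3190, "comm": "ksoftirqd",   "cmdline": ["ksoftirqd"],            "exe": "/var/tmp/.p/pb (deleted)"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

The checks are heuristics, not signatures: a legitimate service launched through a wrapper can trip the first rule, so treat hits as leads to confirm against the binary's hash and the systemd unit that started it rather than as verdicts.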
Huntress said that organizations relying on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are encouraged to update immediately due to the “easiness of exploitation and severity of the vulnerabilities.”
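Knowing whether one of those three packages is present, and at which version, is harder than it sounds in a framework-heavy application because a nested copy can sit under another package's node_modules where a top-level listing does not show it. The following is an added Python example, not tooling from Huntress or the React project, that walks a lockfileVersion 2/3 package-lock.json and reports every installed copy. The first fixed patch per release line in FIRST_FIXED is assumed from the upstream React advisory for CVE-2025-55182 and should be verified against it; the page itself gives no version numbers. The lockfile fragment is constructed.

```python
import json

# Packages the page names as affected.
AFFECTED = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}
# ASSUMPTION: first fixed patch per release line, taken from the upstream React
# advisory for CVE-2025-55182. Verify against the advisory before relying on it.
FIRST_FIXED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}


def parse_version(v):
    """'19.1.2' -> (19, 1, 2). A pre-release suffix ('19.2.0-canary-abc') is
    split off, so a pre-release compares as its numeric base (conservative)."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".")[:3])


def assess(version):
    """'patched', 'vulnerable', 'unknown-line' (not in the table: check the
    advisory) or 'unparseable'."""
    try:
        major, minor, patch = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return "unknown-line"
    return "patched" if patch >= fixed else "vulnerable"


def find_rsc_packages(lock):
    """Walk the 'packages' map (keyed by node_modules path, nested copies
    included) and report each affected install with its verdict."""
    results = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED and "version" in meta:
            results.append((path, name, meta["version"], assess(meta["version"])))
    return results


# Constructed lockfile fragment: a patched top-level copy plus a vulnerable
# nested copy, the case a glance at the top-level dependency list misses.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/some-framework/node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    "node_modules/react-server-dom-turbopack": {"version": "19.0.0"}
  }
}
""")

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version, verdict in find_rsc_packages(lock):
        print(f"{verdict:12} {name}@{version}  ({path})")
```

Run it against a real lockfile with `python check_rsc.py package-lock.json`; a "vulnerable" nested copy means the dependency that vendors it has to be updated, not just the top-level package.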
The development comes after the Shadowserver Foundation announced that, after "improving scan targets," it had detected more than 165,000 IP addresses and 644,000 domains running vulnerable code as of December 8, 2025. Of those, more than 99,200 are in the United States, followed by Germany (14,100), France (6,400) and India (4,500).