Full Report
React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based
Analysis Summary
# Incident Report: Aggressive Exploitation of React2Shell (RSC) Leading to Cryptomining and New Malware Deployment
## Executive Summary
Threat actors are aggressively exploiting the maximum-severity vulnerability, CVE-2025-55182, in React Server Components (RSC) to gain unauthenticated remote code execution. The exploitation results in the deployment of cryptocurrency miners (XMRig) and novel malware families, including the Linux backdoor PeerBlight, the CowTunnel reverse proxy, and the ZinFoq implant. Observations suggest automated exploitation across multiple sectors, immediately followed by the loading of sophisticated, multi-platform payloads.
## Incident Details
- Discovery Date: December 4, 2025 (First recorded exploitation attempt observed by Huntress)
- Incident Date: Ongoing, exploitation observed starting December 4, 2025.
- Affected Organization: Numerous organizations across multiple sectors (prominently construction and entertainment industries).
- Sector: Construction, Entertainment, and others utilizing vulnerable RSC implementations (e.g., Next.js).
- Geography: Not explicitly stated, but targeted globally based on industry scope.
## Timeline of Events
### Initial Access
- Date/Time: Starting December 4, 2025.
- Vector: Unauthenticated Remote Code Execution (RCE) via **CVE-2025-55182** in React Server Components (RSC).
- Details: Attackers used automated tooling to probe for and exploit vulnerable Next.js instances, initially dropping a shell script on Windows endpoints.
### Lateral Movement
- Details: Not fully detailed, but the deployment of the **CowTunnel** reverse proxy suggests a tactic to establish persistent, flexible command and control channels bypassing inbound firewall restrictions. **ZinFoq** provides post-exploitation capabilities including network pivoting.
### Data Exfiltration/Impact
- Details: Primary immediate impact is **cryptocurrency mining** (using XMRig). Secondary impact involves the establishment of sophisticated backdoors (**PeerBlight**) and command-and-control infrastructure, setting the stage for deeper compromise, file manipulation, and potential data theft (though data exfiltration was not the primary observed goal).
### Detection & Response
- Detection: Discovered through findings reported by Huntress, analyzing post-exploitation activity.
- Response actions taken: Analysis and public disclosure of the threat and associated malware families. (Specific internal organizational response actions are not documented in the provided text).
## Attack Methodology
- Initial Access: Exploitation of **CVE-2025-55182** (Unauthenticated RCE in RSC).
- Persistence: Use of the **PeerBlight** Linux backdoor, which installs a `systemd` service and reportedly masquerades as a `ksoftirqd` daemon process.
- Privilege Escalation: Not explicitly detailed, but achieving RCE on the server context implies access at or near the application's privilege level.
- Defense Evasion: PeerBlight attempts to evade detection by masquerading as a legitimate Linux daemon. **CowTunnel** sidesteps inbound firewall restrictions by initiating outbound connections to its C2. Later payloads (like `fn22.sh`) include self-update mechanisms.
- Credential Access: Not explicitly detailed in initial phases.
- Discovery: Attackers launched discovery commands post-exploitation. Public GitHub tools were leveraged to find vulnerable Next.js instances *prior* to attack execution.
- Lateral Movement: Implied by post-exploitation implants like **ZinFoq** (Pivoting capabilities).
- Collection: Gathering resources necessary to run XMRig and maintain C2.
- Exfiltration: Not the primary focus, but C2 capabilities allow for file transfer.
- Impact: Resource exhaustion (cryptomining) and establishment of persistent remote access via multiple backdoors.
## Impact Assessment
- Financial: Indirect costs related to seized computing resources for cryptomining and costs associated with remediation and investigation.
- Data Breach: No confirmed high-volume data exfiltration immediately reported, but the deployment of advanced backdoors (PeerBlight, ZinFoq) indicates potential for future data compromise.
- Operational: Potential degradation of server performance due to CPU/resource usage from cryptocurrency miners.
- Reputational: Risk of reputational damage for organizations running vulnerable RSC applications.
## Indicators of Compromise
- Network Indicators (C2): `185.247.224[.]41:8443` (Hardcoded C2 for PeerBlight)
- File Indicators: `sex.sh`, `PeerBlight`, `CowTunnel`, `ZinFoq`, `d5.sh`, `fn22.sh`, `wocaosinm.sh`, XMRig binaries.
- Behavioral Indicators: Deployment of `systemd` services masquerading as `ksoftirqd`; utilization of BitTorrent DHT network for C2 with node IDs starting with the prefix `LOLlolLOL`.
## Response Actions
- Containment measures: Not detailed, but essential steps would involve patching CVE-2025-55182 immediately.
- Eradication steps: Removal of all discovered payloads (bash scripts, ELF binaries) and disabling associated persistence mechanisms (systemd services). Isolation of compromised hosts from the internet and internal network segments.
- Recovery actions: Restoring services post-validation that all C2 channels are closed and persistence mechanisms are removed.
## Lessons Learned
- The severity of RCE vulnerabilities in modern development frameworks (RSC) cannot be overstated, as it enables automated, widespread exploitation.
- Threat actors are rapidly incorporating novel, bespoke malware (**PeerBlight, CowTunnel, ZinFoq**) into established exploitation patterns like cryptomining.
- The observed automation suggests a low barrier to entry for mass exploitation campaigns targeting this vulnerability.
- What could have been done better: Proactive security scanning and vulnerability management specific to modern frameworks like Next.js/RSC deployment environments are critical for early detection before exploitation occurs.
## Recommendations
- **Immediate Patching:** Apply immediate security updates for all React Server Component (RSC) implementations exposed to the internet, specifically addressing CVE-2025-55182.
- **Endpoint Detection:** Enhance EDR/XDR rules to specifically hunt for known indicators like the deployment of XMRig miners, the creation of systemd services masquerading as `ksoftirqd`, and outbound connections to known C2 infrastructure or unusual reverse proxy patterns (e.g., CowTunnel).
- **Network Visibility:** Implement egress traffic monitoring to detect anomalous outbound connections attempting to establish reverse proxy tunnels (FRP) or connect to known C2 IPs.
- **Asset Inventory:** Maintain a comprehensive inventory of frameworks in use (Next.js versions) to prioritize patching efforts efficiently.
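One host-level check for the `ksoftirqd` masquerade listed under Behavioral Indicators and called for under Endpoint Detection, as an added example rather than anything from Huntress or the report: a genuine `ksoftirqd/N` is a kernel thread, so any process using that name whose parent is not `kthreadd`, that has an executable on disk, or that carries a command line is an imposter. The sample process records and their paths are constructed.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
# A genuine ksoftirqd/N is a kernel thread: parent kthreadd (PID 2), no exe target, empty cmdline.
KTHREADD_PID = 2
KSOFTIRQD_RE = re.compile(r"^ksoftirqd(/\d+)?$")
@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str           # /proc/<pid>/comm
    exe: Optional[str]  # readlink(/proc/<pid>/exe); None for kernel threads
    cmdline: str        # /proc/<pid>/cmdline, NULs replaced by spaces

def is_masquerading(p: Proc) -> bool:
    """True for a user-space process wearing the ksoftirqd name."""
    if not KSOFTIRQD_RE.match(p.comm):
        return False
    return p.ppid != KTHREADD_PID or p.exe is not None or p.cmdline.strip() != ""

def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from the live /proc filesystem (Linux); None if the PID vanished."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            comm = f.read().strip()
        with open(f"/proc/{pid}/stat") as f:   # "pid (comm) state ppid ..."
            ppid = int(f.read().rsplit(")", 1)[1].split()[1])
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
    except (OSError, ValueError, IndexError):
        return None
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:  # kernel threads have no exe target
        exe = None
    return Proc(pid, ppid, comm, exe, cmdline)

def hunt(procs: Iterable[Proc]) -> List[int]:
    """PIDs that use the ksoftirqd name but fail the kernel-thread test."""
    return [p.pid for p in procs if is_masquerading(p)]
# Constructed snapshot: one genuine kernel thread and one PeerBlight-style imposter (made-up path).
SAMPLE = [
    Proc(12, 2, "ksoftirqd/0", None, ""),
    Proc(4242, 1, "ksoftirqd", "/tmp/constructed/ksoftirqd", "/tmp/constructed/ksoftirqd"),
]
if __name__ == "__main__":
    live = (read_proc(int(d)) for d in os.listdir("/proc") if d.isdigit())
    print("flagged:", hunt(SAMPLE), "live:", hunt(p for p in live if p is not None))
```

Run as root on a Linux host to include PIDs whose `/proc/<pid>/exe` is otherwise unreadable; a hit should be cross-checked against the `systemd` unit that started it.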