React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors

News Room, published 10 December 2025 (last updated 10 December 2025, 3:58 PM)
React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress.

This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq.

The cybersecurity company said it has observed attackers targeting numerous organizations via CVE-2025-55182, a critical security vulnerability in RSC that allows unauthenticated remote code execution. As of December 8, 2025, these efforts have been aimed at a wide range of sectors, but prominently the construction and entertainment industries.

The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor.

In two other cases, attackers were observed running discovery commands and attempting to download several payloads from a command-and-control (C2) server. Some of the notable intrusions also singled out Linux hosts to drop the XMRig cryptocurrency miner, and the attackers used a publicly available GitHub tool to identify vulnerable Next.js instances before launching the attack.

“Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure, we assess that the threat actor is likely leveraging automated exploitation tooling,” Huntress researchers said. “This is further supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems.”

A brief description of some of the payloads downloaded in these attacks is as follows –

  • sex.sh, a bash script that retrieves XMRig 6.24.0 directly from GitHub
  • PeerBlight, a Linux backdoor that shares code with RotaJakiro and Pink, two malware families that surfaced in 2021; it installs a systemd service for persistence and masquerades as a “ksoftirqd” daemon process to evade detection
  • CowTunnel, a reverse proxy that opens an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, so that a firewall which only filters inbound connections never sees the attacker's access path
  • ZinFoq, a Linux ELF binary that implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities
  • d5.sh, a dropper script responsible for deploying the Sliver C2 framework
  • fn22.sh, a “d5.sh” variant with an added self-update mechanism to fetch a new version of the malware and restart it
  • wocaosinm.sh, a variant of the Kaiji DDoS malware that incorporates remote administration, persistence, and evasion capabilities

PeerBlight supports capabilities to establish communications with a hard-coded C2 server (“185.247.224[.]41:8443”), allowing it to upload/download/delete files, spawn a reverse shell, modify file permissions, run arbitrary binaries, and update itself. The backdoor also makes use of a domain generation algorithm (DGA) and BitTorrent Distributed Hash Table (DHT) network as fallback C2 mechanisms.

“Upon joining the DHT network, the backdoor registers itself with a node ID beginning with the hardcoded prefix LOLlolLOL,” the researchers explained. “This 9-byte prefix serves as an identifier for the botnet, with the remaining 11 bytes of the 20-byte DHT node ID randomized.”

“When the backdoor receives DHT responses containing node lists, it scans for other nodes whose IDs start with LOLlolLOL. When it finds a matching node, it knows this is either another infected machine or an attacker-controlled node that can provide C2 configuration.”

Huntress said it identified over 60 unique nodes with the LOLlolLOL prefix, adding that multiple conditions have to be met in order for an infected bot to share its C2 configuration with another node: a valid client version, configuration availability on the responding bot’s side, and the correct transaction ID.

Even when all the necessary conditions are satisfied, the bots are designed such that they only share the configuration about one-third of the time based on a random check, possibly in a bid to reduce network noise and avoid detection.
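The DHT behaviour described above, as an added example that is not part of the article or of the malware itself: it builds a node ID with the fixed 9-byte prefix and 11 random bytes, parses a `find_node` reply in the real BitTorrent DHT wire format (bencode, with the `nodes` field as BEP 5 compact node info: 20-byte ID, 4-byte IPv4 address, 2-byte port), picks out peers whose ID starts with `LOLlolLOL`, and models the gate that decides whether an infected bot hands over its C2 configuration. The sample reply is constructed, not captured traffic, and the set of "valid" client versions is an assumption supplied by the caller because the article does not state it.

```python
import ipaddress
import os
import struct

# Values taken from the article's description of the DHT fallback.
BOT_PREFIX = b"LOLlolLOL"            # 9-byte botnet marker at the front of the node ID
NODE_ID_LEN = 20                      # BitTorrent DHT node IDs are 160 bits
COMPACT_NODE_LEN = NODE_ID_LEN + 6    # BEP 5 compact node info: 20-byte ID, 4-byte IPv4, 2-byte port
SHARE_PROBABILITY = 1 / 3             # config is handed out on roughly one request in three


def make_bot_node_id(rand_bytes=os.urandom):
    """Node ID as the article describes it: fixed 9-byte prefix, remaining 11 bytes random."""
    return BOT_PREFIX + rand_bytes(NODE_ID_LEN - len(BOT_PREFIX))


def bencode(obj):
    """Minimal bencode encoder (ints, bytes, lists, dicts), enough to build a DHT message."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data, pos=0):
    """Minimal bencode decoder; returns (value, next_offset)."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":
        items, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            items[key], pos = bdecode(data, pos)
        return items, pos + 1
    if c.isdigit():
        colon = data.index(b":", pos)
        start = colon + 1
        length = int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def compact_node(node_id, ip, port):
    """Encode one BEP 5 compact node info entry."""
    return node_id + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def parse_compact_nodes(blob):
    """Split a BEP 5 'nodes' value into (node_id, ip, port) tuples."""
    if len(blob) % COMPACT_NODE_LEN:
        raise ValueError("truncated compact node list")
    nodes = []
    for off in range(0, len(blob), COMPACT_NODE_LEN):
        entry = blob[off:off + COMPACT_NODE_LEN]
        node_id = entry[:NODE_ID_LEN]
        ip = str(ipaddress.IPv4Address(entry[NODE_ID_LEN:NODE_ID_LEN + 4]))
        (port,) = struct.unpack("!H", entry[NODE_ID_LEN + 4:])
        nodes.append((node_id, ip, port))
    return nodes


def find_peer_bots(response):
    """Do what the backdoor does with a find_node reply: keep nodes whose ID carries the prefix."""
    msg, _ = bdecode(response)
    nodes = msg.get(b"r", {}).get(b"nodes", b"")
    return [n for n in parse_compact_nodes(nodes) if n[0].startswith(BOT_PREFIX)]


def should_share_config(client_version, valid_versions, have_config, txid, expected_txid, roll):
    """Gate modelled on the article: version, config availability and transaction ID must all
    check out, then a random roll lets roughly one request in three through. Which version
    strings count as valid is not stated in the article, so the caller supplies them (assumption)."""
    if client_version not in valid_versions or not have_config or txid != expected_txid:
        return False
    return roll < SHARE_PROBABILITY


# Constructed find_node reply (not captured traffic): one ordinary node and one infected peer.
SAMPLE_RESPONSE = bencode({
    b"t": b"aa",
    b"y": b"r",
    b"r": {
        b"id": b"\x01" * NODE_ID_LEN,
        b"nodes": compact_node(bytes(range(NODE_ID_LEN)), "198.51.100.7", 6881)
                + compact_node(BOT_PREFIX + b"\x00" * 11, "203.0.113.9", 6881),
    },
})

if __name__ == "__main__":
    print("our node id:", make_bot_node_id().hex())
    for node_id, ip, port in find_peer_bots(SAMPLE_RESPONSE):
        print(f"peer bot {node_id.hex()} at {ip}:{port}")
```

For a defender the useful half is `parse_compact_nodes` plus the prefix test: run it over the `nodes` field of DHT replies captured on UDP egress and any ID beginning with `LOLlolLOL` is either an infected host or attacker infrastructure, which is how Huntress was able to count more than 60 such nodes.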

ZinFoq, in a similar manner, beacons out to its C2 server and parses incoming instructions to run commands via “/bin/bash,” enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start/stop a SOCKS5 proxy, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo terminal (PTY) shell connection.

ZinFoq also takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services (e.g., “/sbin/audispd,” “/usr/sbin/ModemManager,” “/usr/libexec/colord,” or “/usr/sbin/cron -f”) to conceal its presence.
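Both of the process-name tricks reported here, PeerBlight posing as a “ksoftirqd” kernel thread and ZinFoq presenting itself as a system service such as “/usr/sbin/cron -f”, leave the same trace on Linux: the name the process advertises does not agree with what `/proc` knows about it. The detector below is an added example, not Huntress tooling or code from either malware family; it checks for a kernel-thread name on a process that has a readable `exe` link or a non-empty command line, and for an absolute `argv[0]` that differs from the file actually mapped as the executable. The process table it runs on is constructed, and the "(deleted)" check is a general heuristic rather than something the article reports about these families.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Names only kernel threads should carry; a user-space process using one (PeerBlight's
# "ksoftirqd") has something to hide.
KERNEL_THREAD_NAME = re.compile(r"^(ksoftirqd|kworker|kthreadd|migration|rcu_|kswapd|kcompactd)")


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm
    argv0: str           # first NUL-separated field of /proc/<pid>/cmdline; "" for kernel threads
    exe: Optional[str]   # readlink("/proc/<pid>/exe"); None when the link cannot be read


def suspicious(proc: Proc) -> List[str]:
    """Return the reasons a process looks like it is masquerading (empty list if none)."""
    reasons = []
    # Real kernel threads have an empty cmdline and no readable exe link. Brackets are
    # stripped because imitators sometimes copy the "[ksoftirqd/0]" form ps prints.
    names = (proc.comm.strip("[]"), os.path.basename(proc.argv0).strip("[]"))
    if any(KERNEL_THREAD_NAME.match(n) for n in names) and (proc.argv0 or proc.exe):
        reasons.append(f"kernel-thread name {proc.comm!r} on a user-space process")
    if proc.exe is not None:
        on_disk = proc.exe.removesuffix(" (deleted)")
        # ZinFoq rewrites argv[0] to a service path; the exe link still points at the real file.
        if proc.argv0.startswith("/") and os.path.normpath(proc.argv0) != on_disk:
            reasons.append(f"argv[0] {proc.argv0} does not match exe {proc.exe}")
        # General heuristic (not from the article): droppers often unlink their binary after exec.
        if on_disk != proc.exe:
            reasons.append("executable has been unlinked from disk")
    return reasons


def scan(procs) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that tripped at least one check."""
    return {p.pid: r for p in procs if (r := suspicious(p))}


def collect_live_processes() -> List[Proc]:
    """Read the same three fields from a live /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, or a process we lack permission to inspect
        procs.append(Proc(pid, comm, argv0, exe))
    return procs


# Constructed process table (not from a real host): two benign entries and two masquerades.
SAMPLE_PROCS = [
    Proc(9, "ksoftirqd/0", "", None),                               # genuine kernel thread
    Proc(901, "cron", "/usr/sbin/cron", "/usr/sbin/cron"),          # genuine cron
    Proc(4242, "ksoftirqd/0", "ksoftirqd/0", "/tmp/.cache/.svc"),   # PeerBlight-style imitation
    Proc(5151, "cron", "/usr/sbin/cron", "/var/tmp/.zf/agent"),     # ZinFoq-style imitation
]

if __name__ == "__main__":
    hits = scan(collect_live_processes() if os.path.isdir("/proc") else SAMPLE_PROCS)
    for pid, reasons in sorted(hits.items()):
        print(pid, "; ".join(reasons))
```

Run it as root so every `exe` link is readable. On merged-/usr distributions `/sbin/audispd` and `/usr/sbin/audispd` are the same file, so compare `os.path.realpath(argv0)` with the link target when running live, or legitimate daemons started through a symlink will be reported; busybox-style multi-call binaries need the same allowance. Because ZinFoq also clears bash history, pair this with a check that `~/.bash_history` of the account running Next.js has not been truncated or pointed at `/dev/null`.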

Organizations relying on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are advised to update immediately, given the “potential ease of exploitation and the severity of the vulnerability,” Huntress said.

The development comes as the Shadowserver Foundation said it detected over 165,000 IP addresses and 644,000 domains with vulnerable code as of December 8, 2025, after “scan targeting improvements.” More than 99,200 instances are located in the U.S., followed by Germany (14,100), France (6,400), and India (4,500).
