Rescana Threat Intelligence Report: Widespread Exploitation of React Server Components via CVE-2025-55182 (React2Shell)
- Rescana

Prepared by: Rescana OSINT Cybersecurity Research Team
Sources: Cloudflare, Huntress, NVD, Assetnote, Vercel, public threat intelligence feeds
Executive Summary
The critical React2Shell vulnerability (CVE-2025-55182) in React Server Components (RSC) has been weaponized and is being actively exploited in the wild. Within hours of public disclosure, threat actors, primarily Asia-linked clusters, began mass scanning and exploitation campaigns. The intrusions have delivered a Linux backdoor (PeerBlight), XMRig cryptominers, a reverse proxy tunnel (CowTunnel), a Go post-exploitation implant (ZinFoq) and a Kaiji botnet variant. Targeting is global and includes government, critical infrastructure and technology providers.
Technical Details
Vulnerability Overview
CVE: CVE-2025-55182 (React2Shell)
CVSS: 10.0 (Critical)
Component: React Server Components (RSC) Flight protocol
Root Cause: Unsafe deserialization in the RSC Flight protocol's handling of incoming server-function payloads. An unauthenticated attacker can reach arbitrary code execution on the server with a single crafted HTTP request to an affected RSC endpoint; no valid session or user interaction is needed.
Affected Packages (versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of each):
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Frameworks that bundle these packages (Next.js App Router among them) ship their own vendored copies and must be updated to a framework release built on the patched React.
Patched Versions: 19.0.1, 19.1.2, 19.2.1 (React Blog)
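Checking a dependency tree against the affected and patched versions above is the first triage step. The script below is an added example written for this report, not Rescana's or the React project's tooling. It assumes an npm lockfile of lockfileVersion 2 or 3 (the "packages" map keyed by node_modules path); the lockfile embedded in it is constructed for illustration.

```python
"""Flag vulnerable react-server-dom-* versions in an npm lockfile.

Added example, not Rescana's or the React project's code. Assumes npm
lockfileVersion 2/3 layout ("packages" keyed by node_modules path); the
sample lockfile below is constructed, not taken from a real project.
"""
import json
import re

AFFECTED_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)

# Vulnerable releases per the advisory: 19.0.0, 19.1.0, 19.1.1, 19.2.0.
# First fixed patch release on each 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
FIXED_FLOOR = {(19, 0): 1, (19, 1): 2, (19, 2): 1}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def classify(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'review' for one package version.

    Pre-release builds (e.g. 19.2.0-canary.x) and versions outside the
    19.0-19.2 lines are returned as 'review' rather than guessed at.
    """
    m = _SEMVER.match(version)
    if not m:
        return "review"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):  # prerelease tag present
        return "review"
    floor = FIXED_FLOOR.get((major, minor))
    if floor is None:
        return "review"
    return "patched" if patch >= floor else "vulnerable"


def scan_lockfile(lock: dict) -> list:
    """Walk the 'packages' map and return (path, version, status) for each
    affected package, including nested copies under other packages."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED_PACKAGES:
            version = meta.get("version", "")
            findings.append((path, version, classify(version)))
    return findings


# Constructed sample: one patched top-level copy, one vulnerable copy nested
# under a hypothetical framework package, and one canary build to review.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": {"version": "19.2.0"},
    "node_modules/react-server-dom-parcel": {"version": "19.3.0-canary-abc123"}
  }
}
""")

if __name__ == "__main__":
    for path, version, status in scan_lockfile(SAMPLE_LOCK):
        print(f"{status:10} {version:24} {path}")
```

Run it against a real lockfile with `scan_lockfile(json.load(open("package-lock.json")))`. A clean result is not proof of safety: Next.js compiles its React copy into its own distribution rather than listing it in the lockfile, so the Next.js version must be checked separately against the patched releases.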
Exploitation Flow
Attackers craft a malicious RSC Flight payload that targets the deserialization logic.
The payload abuses React's handling of "thenable" (Promise-like) objects during deserialization, so attacker-controlled data is executed as JavaScript on the server.
No authentication or user interaction is required.
Related Vulnerabilities
CVE-2025-55183: Leaking Server Functions (source code disclosure)
CVE-2025-55184: React Function DoS (infinite recursion/DoS via cyclic Promises)
Exploitation in the Wild
Observed Tactics, Techniques, and Procedures (TTPs)
Reconnaissance:
Internet-wide scanning using tools like Nuclei, Assetnote’s react2shell-scanner, and asset discovery platforms.
Filtering targets by metadata (icon hashes, SSL certs, TLDs, geo-IP).
Exploitation:
Automated exploitation using custom and public tools.
Payload delivery via direct HTTP requests.
Post-Exploitation:
Deployment of Linux backdoors (PeerBlight), cryptominers (XMRig), reverse proxies (CowTunnel), and Go-based implants (ZinFoq).
Use of persistence, process masquerading, anti-forensics, and network pivoting.
MITRE ATT&CK Mapping
Initial Access: Exploit Public-Facing Application (T1190)
Execution: Command and Scripting Interpreter (T1059)
Persistence: Create or Modify System Process: Systemd Service (T1543.002), Boot or Logon Initialization Scripts (T1037)
Defense Evasion: Masquerading (T1036), Indicator Removal (T1070) including Timestomp (T1070.006)
Command and Control: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095) for the BitTorrent DHT peer-to-peer channel, Proxy: Internal Proxy (T1090.001) for the CowTunnel/SOCKS5 pivoting
Credential Access: OS Credential Dumping (T1003) [potential via post-exploitation]
Collection/Exfiltration: Automated Collection (T1119), Exfiltration Over C2 Channel (T1041)
Malware and Payloads Observed
1. PeerBlight (Linux Backdoor)
C2: 185.247.224[.]41:8443, 49.51.230[.]175:9898 (via BitTorrent DHT)
Persistence: systemd, Upstart, user-mode, process masquerading as [ksoftirqd]
Features: Reverse shell, file download/upload, process management, DGA, P2P fallback
Overlap: Shares code with RotaJakiro, Pink botnet, Torii
2. CowTunnel (Reverse Proxy Tunnel)
C2: 23.226.71[.]197, 23.226.71[.]200, 23.226.71[.]209
Features: Outbound FRP tunnel, telnetd, SOCKS5, HTTP, FTP, RDP proxy, user account creation
3. ZinFoq (Go Post-Exploitation Implant)
C2: api.qtss[.]cc (HTTPS, masquerades as Safari)
Features: Interactive shell, file operations, SOCKS5 proxy, timestomping, process masquerading
4. Kaiji Botnet Variant
Features: DDoS, persistence, process masquerading, hardware watchdog abuse
5. Cryptominers
XMRig deployed via scripts (e.g., sex.sh), mining to pool.hashvault[.]pro
Indicators of Compromise (IOCs)
Hashes (SHA-256):
- PeerBlight: a605a70d031577c83c093803d11ec7c1e29d2ad530f8e95d9a729c3818c7050d
- CowTunnel: 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273
- ZinFoq: 0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce
- d5.sh dropper: 3854862bb3ee623f95d91fa15b504e2bbc30e23f1a15ad7b18aedb127998c79c
- Sliver payload: 2cd41569e8698403340412936b653200005c59f2ff3d39d203f433adb2687e7f
- fn22.sh dropper: 65d840b059e01f273d0a169562b3b368051cfb003e301cc2e4f6a7d1907c224a
C2 Domains/URLs:
- hxxp://216.158.232[.]43:12000/sex.sh
- hxxp://45.32.158[.]54/5e51aff54626ef7f/x86_64
- hxxp://45.76.155[.]14/vim
- hxxp://103.135.101[.]15/wocaosinm.sh
- hxxp://31.56.27[.]97/scripts/4thepool_miner.sh
- hxxp://39.97.229[.]220:8006/httd
- hxxp://38.165.44[.]205/1
- hxxp://38.165.44[.]205/k
- hxxp://keep.camdvr[.]org:8000/d5.sh
- hxxp://keep.camdvr[.]org:8000/BREAKABLE_PARABLE5
- hxxp://help.093214[.]xyz:9731/fn32.sh
- hxxp://vps-zap812595-1.zap-srv[.]com:3000/sex.sh
- hxxp://help.093214[.]xyz:9731/FF22
- hxxps://api.qtss[.]cc:443/en/about?source=redhat&id=v1.0 (ZinFoq beacon)
- pool.hashvault[.]pro (XMRig mining pool)
User-Agents:
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0 (react2shell-scanner)
- Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50 (ZinFoq)
Persistence/Process Names:
- /lib/systemd/system/systemd-agent.service
- /bin/systemd-daemon
- /etc/init/systemd-agent.conf
- /usr/bin/sshd-agent
- ~/.config/.system-monitor/.sys-mon
- /tmp/.system-update/
- /home/<user>/.systemd-utils/conf
- [ksoftirqd] (process masquerading)
Attribution & Threat Actor Activity
Attribution:
Early exploitation traced to Asia-linked threat actor clusters (Cloudflare, AWS).
Targeting patterns suggest state-aligned or APT-level actors, with focus on Taiwan, Xinjiang, Vietnam, Japan, New Zealand, and critical infrastructure.
Some campaigns overlap with known botnet operators (Pink, RotaJakiro, Torii, Kaiji).
[No direct public APT group name attribution as of this report, but TTPs align with known Chinese and North Korean cyber operations.]
Exploitation Timeline
2025-12-03: Public disclosure of CVE-2025-55182.
Within hours: Mass scanning and exploitation observed.
2025-12-04+: Active deployment of malware, cryptominers, and backdoors across multiple sectors.
Detection & Mitigation
Detection:
Monitor for the listed process and service names: [ksoftirqd] running outside the kernel thread tree, systemd-agent, sshd-agent and systemd-daemon.
Look for outbound connections to the listed C2 hosts and the XMRig mining pool.
Watch for the listed User-Agent strings: the Assetnote react2shell-scanner string in inbound web server logs, the ZinFoq Safari string in egress or proxy logs from servers.
Use YARA/Sigma rules for PeerBlight, CowTunnel and ZinFoq (see the Huntress blog for rules).
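The User-Agent and network checks above are easy to run from a script. The block below is an added example for this report, not Rescana's or Huntress's detection content. It matches the report's User-Agent IOCs against web server or proxy logs in the Apache/nginx combined format and the report's C2 hosts against outbound connection records; the log lines and connection records in it are constructed, and the field layout of the connection records (process, destination, port) is an assumption about whatever netstat, conntrack or Zeek export feeds it.

```python
"""Match the report's network IOCs against web access logs and outbound
connection records. Added example, not Rescana's or Huntress's tooling;
the log lines and connection records below are constructed, not captured."""
import re

# User-Agent strings listed in the report. The scanner UA is seen inbound;
# the ZinFoq UA is the beacon's, so it shows up in egress/proxy logs.
UA_IOCS = {
    "Assetnote/1.0.0 (react2shell-scanner)": "react2shell-scanner",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 "
    "(KHTML, like Gecko) Version/5.1 Safari/534.50": "ZinFoq beacon UA",
}

# Defanged C2/payload hosts from the report; refang() undoes the [.] so the
# strings can be compared against real log fields.
DEFANGED_HOSTS = [
    "185.247.224[.]41", "49.51.230[.]175", "23.226.71[.]197", "23.226.71[.]200",
    "23.226.71[.]209", "216.158.232[.]43", "45.32.158[.]54", "45.76.155[.]14",
    "103.135.101[.]15", "31.56.27[.]97", "39.97.229[.]220", "38.165.44[.]205",
    "keep.camdvr[.]org", "help.093214[.]xyz", "vps-zap812595-1.zap-srv[.]com",
    "api.qtss[.]cc", "pool.hashvault[.]pro",
]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


IOC_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Apache/nginx combined log format; only the fields we need are captured.
_COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def scan_access_log(lines) -> list:
    """Return (src, method, path, label) for every line whose User-Agent
    contains one of the IOC strings. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = _COMBINED.match(line)
        if not m:
            continue
        for needle, label in UA_IOCS.items():
            if needle in m.group("ua"):
                hits.append((m.group("src"), m.group("method"), m.group("path"), label))
    return hits


def scan_connections(records) -> list:
    """records: iterable of (process, destination host or IP, port), e.g. from
    netstat/ss or a Zeek conn log. Returns the ones whose destination is an IOC."""
    return [(proc, dst, port) for proc, dst, port in records if dst in IOC_HOSTS]


# Constructed samples: one scanner probe, one benign visitor, and one egress
# proxy record of a ZinFoq-style beacon to the report's beacon path.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [04/Dec/2025:02:14:09 +0000] "POST / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0 (react2shell-scanner)"',
    '198.51.100.23 - - [04/Dec/2025:02:15:31 +0000] "GET /about HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/133.0"',
    '10.0.0.5 - - [04/Dec/2025:03:01:02 +0000] "GET /en/about?source=redhat&id=v1.0 HTTP/1.1" '
    '200 88 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 '
    '(KHTML, like Gecko) Version/5.1 Safari/534.50"',
]
SAMPLE_CONNECTIONS = [
    ("node", "api.qtss.cc", 443),
    ("node", "registry.npmjs.org", 443),
    ("[ksoftirqd]", "185.247.224.41", 8443),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("UA IOC:", hit)
    for hit in scan_connections(SAMPLE_CONNECTIONS):
        print("C2 IOC:", hit)
```

The ZinFoq string is an ordinary Safari 5.1 User-Agent, so on its own it is weak evidence from a workstation network; it is a strong signal only when it originates from a server that should not browse at all, which is why the function is meant to run over egress logs from the React hosts rather than the whole estate.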
Mitigation:
Upgrade react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack to 19.0.1, 19.1.2 or 19.2.1, and frameworks that bundle them (Next.js) to releases built on the patched React. WAF rules published by Cloudflare and Vercel reduce exposure but do not replace patching.
Treat any host that was reachable while unpatched as potentially compromised: isolate it, investigate for the persistence and lateral-movement artefacts listed above, and rotate every secret the application process could read (environment variables, cloud instance credentials, database passwords, signing keys).
Review and remove unauthorized systemd units, Upstart jobs and crontab entries.
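The persistence and masquerading artefacts in the IOC section can be checked on a Linux host with a short triage script. The block below is an added example for this report, not Rescana's or Huntress's tooling. It assumes a Linux host with /proc; the process table and filesystem view embedded in it are constructed so the logic runs offline, and the real-host collector is the `read_proc_table` function. The distinguishing test is that a genuine ksoftirqd/N is a kernel thread: parent PID 2 (kthreadd), empty cmdline, and no readable /proc/<pid>/exe link. A user-space process wearing the name gets at least one of those wrong.

```python
"""Host triage for the persistence artefacts and the [ksoftirqd] masquerade
listed in the report. Added example, not Rescana's or Huntress's tooling.
Assumes Linux with /proc; SAMPLE_PROCS and SAMPLE_FS are constructed."""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Persistence paths from the report (trailing slash dropped on the tmp dir).
PERSISTENCE_PATHS = [
    "/lib/systemd/system/systemd-agent.service",
    "/bin/systemd-daemon",
    "/etc/init/systemd-agent.conf",
    "/usr/bin/sshd-agent",
    "/tmp/.system-update",
]
# Report entries under ~ and /home/<user>, expanded per home directory.
PER_HOME_PATHS = [".config/.system-monitor/.sys-mon", ".systemd-utils/conf"]

KTHREAD_NAME = re.compile(r"^\[?ksoftirqd(/\d+)?\]?$")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str              # /proc/<pid>/comm
    cmdline: str           # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]     # readlink(/proc/<pid>/exe), None when unreadable


def is_masquerading_kthread(p: Proc) -> bool:
    """True when a process claims the ksoftirqd name but is not a kernel
    thread (parent PID 2, empty cmdline, no resolvable exe)."""
    named_like_kthread = KTHREAD_NAME.match(p.comm) or KTHREAD_NAME.match(p.cmdline.strip())
    if not named_like_kthread:
        return False
    looks_real = p.ppid == 2 and p.cmdline.strip() == "" and p.exe is None
    return not looks_real


def read_proc_table(proc_root: str = "/proc") -> list:
    """Collect Proc records from a live /proc (best effort; processes that
    exit mid-read are skipped). Needs root to see other users' exe links."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
            ppid = 0
            with open(os.path.join(base, "status")) as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                        break
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None
            procs.append(Proc(int(entry), ppid, comm, cmdline, exe))
        except OSError:
            continue
    return procs


def check_persistence(homes, exists=os.path.exists) -> list:
    """Return the persistence paths that exist. `exists` is injectable so the
    check can be exercised against a constructed filesystem view."""
    candidates = list(PERSISTENCE_PATHS)
    for home in homes:
        candidates += [os.path.join(home, rel) for rel in PER_HOME_PATHS]
    return [p for p in candidates if exists(p)]


# Constructed sample: a real softirq thread, an impostor, a benign daemon.
SAMPLE_PROCS = [
    Proc(12, 2, "ksoftirqd/0", "", None),
    Proc(4711, 1, "[ksoftirqd]", "[ksoftirqd]", "/usr/bin/sshd-agent"),
    Proc(900, 1, "nginx", "nginx: master process /usr/sbin/nginx", "/usr/sbin/nginx"),
]
SAMPLE_FS = {"/usr/bin/sshd-agent", "/home/deploy/.systemd-utils/conf"}

if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        if is_masquerading_kthread(p):
            print(f"masquerade: pid={p.pid} ppid={p.ppid} exe={p.exe}")
    for path in check_persistence(["/home/deploy"], exists=SAMPLE_FS.__contains__):
        print(f"persistence artefact: {path}")
```

On a live host replace `SAMPLE_PROCS` with `read_proc_table()` and call `check_persistence` with the real home directories (`/root` plus the entries of `/home`), running as root so the exe links of other users' processes resolve. The script only checks the names the report lists; a host with the masquerading process present should be handled as compromised under the isolation step above rather than cleaned in place.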
About Rescana
Rescana empowers organizations to proactively manage third-party risk and supply chain security through its advanced TPRM platform. By leveraging real-time threat intelligence, automated risk assessments, and continuous monitoring, Rescana enables security teams to identify, prioritize, and mitigate emerging threats across their digital ecosystem. Our platform is designed to provide actionable insights and streamline risk management workflows, helping organizations stay ahead of evolving cyber threats.
For any questions or further assistance, please contact us at ops@rescana.com.