Threat actors have been actively exploiting a critical vulnerability in React Server Components, tracked as CVE-2025-55182 and commonly referred to as React2Shell, to compromise systems across multiple industry sectors worldwide.
React2Shell affects the Flight protocol, which is responsible for client–server communication in React Server Components. The vulnerability arises from insecure deserialization, where servers accept client-supplied data without sufficient validation.
Under specific conditions, this allows attackers to achieve remote code execution, making CVE-2025-55182 particularly dangerous in production environments.
Exploiting CVE-2025-55182
The campaign was first observed in December 2025, shortly after details of the vulnerability became available. According to BI.ZONE Threat Detection and Response, attackers moved quickly. “In December 2025, BI.ZONE TDR detected malicious activity targeting companies in the Russian insurance, e-commerce, and IT sectors.
The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability,” the company reported. The primary payload observed during this phase was the XMRig cryptocurrency miner, though Kaiji, Rustobot, and the Sliver implant were also deployed.
The vulnerable packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, versions 19.0 through 19.2.0. Security patches were released in 19.0.1, 19.1.2, and 19.2.1, but exploitation continued against unpatched systems.
Malware Deployment Following React2Shell Exploitation
In one documented case targeting Russian organizations, attackers exploited the React2Shell vulnerability inside a container environment and executed a chained command sequence to download an ELF binary named bot from 176.117.107[.]154. This file was identified as RustoBot, a Rust-based botnet primarily associated with attacks on TOTOLINK devices. RustoBot resolves multiple domain names, including ilefttotolinkalone.anondns[.]net and rustbot.anondns[.]net—all pointing to the IP address 45.137.201[.]137.
RustoBot is capable of launching UDP flood, TCP flood, and Raw IP flood DDoS attacks, with configurable parameters such as duration, target address, and packet size. The malware also embeds XMRig as a secondary payload, monetizing compromised infrastructure.
Following the initial infection, attackers executed Base64-encoded shell commands that retrieved additional scripts from tr.earn[.]top. One of these, apaches.sh, installed an UPX-packed XMRig binary and established persistence through systemd services and cron jobs, storing files in /usr/local/sbin when executed as root or /tmp otherwise.
Further activity included the deployment of Kaiji (Ares build) via wocaosinm.sh. Kaiji supports SYN, ACK, and UDP flood attacks, WebSocket abuse, command execution, dynamic encrypted configuration files, extensive persistence mechanisms, and replacement of system utilities such as ls, ps, and netstat. The malware also deployed XMRig and attempted to conceal its presence by masquerading as legitimate system libraries.
Attackers later delivered the Sliver implant using the d5.sh script, which handled privilege-aware persistence and aggressively erased forensic traces by clearing shell history and deleting temporary files.
Additional Campaigns and Global Targeting
In another case, attackers exploited the same React2Shell vulnerability to deploy XMRig version 6.24.0 using setup2.sh, a modified mining script. The miner configuration included a hardcoded wallet address and companion scripts, alive.sh and lived.sh, designed to terminate competing processes while preserving the miner.
A third case involved DNS-based data exfiltration. After exploiting CVE-2025-55182, attackers executed reconnaissance commands and exfiltrated results via DNS tunneling to oastify[.]com. This was followed by the installation of XMRig from GitHub and persistence via a systemd service named system-update-service.service.
Outside Russia, it has been observed that React2Shell exploitation delivers a broader malware ecosystem. Payloads included CrossC2 for Cobalt Strike, Tactical RMM, VShell, and EtherRAT. These tools enabled long-term access, command execution, encrypted C2 communication, and stealthy persistence.
EtherRAT, in particular, retrieved its command-and-control address from an Ethereum smart contract, later contacting 91.215.85[.]42:3000 to fetch JavaScript payloads.
