
React2Shell flaw fuels ransomware attacks

Summary

– A ransomware gang used the critical React2Shell vulnerability to gain network access and deploy Weaxor ransomware in under a minute.
– React2Shell is a severe flaw in React and Next.js that allows remote, unauthenticated code execution on servers.
– Following its disclosure, the vulnerability was quickly exploited by both nation-state hackers and cybercriminals for various attacks.
– The Weaxor ransomware, a rebrand of the Mallox operation, is a less sophisticated strain that targets public servers without using double extortion tactics.
– Researchers advise that patching is insufficient and recommend investigating logs for signs of exploitation, like processes spawned from node.exe.

A critical vulnerability known as React2Shell is now being actively exploited by ransomware operators, posing a severe threat to corporate networks. This flaw, tracked as CVE-2025-55182, allows attackers to gain initial access and deploy file-encrypting malware in under sixty seconds. The issue stems from an insecure deserialization problem within the React Server Components ‘Flight’ protocol, which is utilized by the React library and the Next.js framework. Exploitation can occur remotely without any authentication, enabling the execution of JavaScript code directly on the server.

Shortly after its public disclosure, sophisticated nation-state groups began leveraging React2Shell for cyberespionage and to distribute malware like EtherRAT. Cybercriminal actors also quickly adopted it for illicit cryptocurrency mining campaigns. Security researchers from the firm S-RM have now documented its use in a ransomware attack that occurred on December 5th. In this incident, a threat actor successfully deployed the Weaxor ransomware strain after breaching a network through this vulnerability.

The Weaxor ransomware emerged in late 2024 and is widely considered a rebrand of the older Mallox or FARGO operation, also known as ‘TargetCompany’. This group historically focused on compromising Microsoft SQL servers. Similar to its predecessor, Weaxor represents a less sophisticated operation that conducts opportunistic attacks against public-facing servers, typically demanding relatively modest ransom payments. The operation does not employ a data leak site for double extortion tactics, and investigators have found no signs that data is exfiltrated prior to the encryption process.

According to the S-RM analysis, the attackers deployed the ransomware encryptor very soon after gaining initial access via React2Shell. This rapid sequence suggests a potentially automated attack, though the researchers noted they found no definitive evidence within the compromised system to confirm full automation. Immediately following the breach, the hackers executed a heavily obfuscated PowerShell command. This script deployed a Cobalt Strike beacon to establish command and control communication with the attackers’ servers.

The subsequent steps were executed swiftly. The threat actor proceeded to disable real-time protection in Windows Defender and then launched the final ransomware payload. The entire process, from initial network access to complete file encryption, took less than one minute. The attack appears to have been contained to the single endpoint that was vulnerable to React2Shell, as the researchers observed no attempts to move laterally across the network.

After encryption, all affected files were appended with the ‘.WEAX’ extension. Each compromised directory also contained a ransom note titled ‘RECOVERY INFORMATION.txt’, which provided instructions for payment. The Weaxor ransomware also performed several actions to hinder recovery and investigation, including wiping volume shadow copies to prevent file restoration and clearing system event logs to obscure forensic evidence.

Notably, the same compromised host was later breached by other attackers using different payloads, highlighting the intense malicious activity surrounding this vulnerability. S-RM advises that simply applying security patches is insufficient. System administrators must proactively review Windows event logs and endpoint detection telemetry for signs of exploitation. Key indicators include process creation from binaries related to Node or React, particularly the spawning of cmd.exe or powershell.exe from node.exe. Other red flags warranting investigation are unusual outbound network connections, the disabling of security software, systematic log clearing, and unexpected spikes in system resource usage.
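As an added example (not part of the article or of S-RM's report), the following Python script applies the triage logic described above to constructed process-creation records modelled on Windows Security event 4688: it flags cmd.exe or powershell.exe spawned by node.exe and, as a secondary signal, command lines matching the post-exploitation steps the article describes (encoded PowerShell, Defender tampering, shadow-copy wiping, log clearing). The field names, regexes and sample records are this example's assumptions, not indicators from the report.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Parent binary the article names as the origin of the suspicious spawn.
NODE_PARENTS = {"node.exe"}
# Shells a Node/Next.js server process has no ordinary reason to launch.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line patterns for the follow-on steps the article describes.
# These regexes are this example's assumptions, not the report's IoCs.
CMDLINE_PATTERNS = {
    "encoded_powershell": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "defender_disabled": re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring", re.I),
    "shadow_copies_wiped": re.compile(r"vssadmin.*delete\s+shadows", re.I),
    "event_logs_cleared": re.compile(r"wevtutil\s+cl\b", re.I),
}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (C:\\...\\node.exe -> node.exe)."""
    return PureWindowsPath(path).name.lower()

def analyse_event(ev: dict) -> list[str]:
    """Return the reasons one 4688-style record looks suspicious (empty if none)."""
    reasons = []
    parent, child = basename(ev["ParentProcessName"]), basename(ev["NewProcessName"])
    if parent in NODE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"{child} spawned from {parent}")
    for label, pattern in CMDLINE_PATTERNS.items():
        if pattern.search(ev.get("CommandLine", "")):
            reasons.append(label)
    return reasons

def find_suspicious(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every record that triggers at least one check."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyse_event(ev))]

# Constructed sample records (4688 field names); not logs from the incident.
SAMPLE_EVENTS = [
    {"ParentProcessName": r"C:\Program Files\nodejs\node.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},  # benign: normal parent, harmless command
]

if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

On a real host the same checks can be run over exported 4688 or Sysmon event 1 records after mapping their parent/child/command-line fields to the keys used here.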

(Source: Bleeping Computer)
