React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors
React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based
AI Analysis
Technical Summary
React2Shell exploits a critical vulnerability (CVE-2025-55182) in React Server Components (RSC) that allows unauthenticated remote code execution against vulnerable Next.js instances. Threat actors are using it to deploy cryptocurrency miners (notably XMRig) and a set of previously undocumented malware families targeting Linux and Windows systems.

Key malware observed by Huntress:
- PeerBlight, a Linux backdoor that persists via systemd and masquerades as legitimate processes. For resilient command and control it combines a domain generation algorithm with the BitTorrent Distributed Hash Table (DHT) network, registering with a unique node ID prefix that lets infected nodes be picked out from the legitimate DHT population.
- CowTunnel, a reverse proxy tunnel that bypasses inbound firewall restrictions by initiating outbound connections to attacker-controlled Fast Reverse Proxy (frp) servers.
- ZinFoq, a Go-based post-exploitation implant with interactive shell access, file operations, network pivoting, and timestomping.
- Dropper scripts that deploy the Sliver C2 framework, and variants of the Kaiji DDoS malware with remote administration features.

Attackers use automated scanning tools from public repositories to find vulnerable Next.js instances and fire the same payloads at both Linux and Windows endpoints, indicating that their exploitation tooling does no OS-specific targeting. Exploitation has been observed across multiple sectors, with a notable focus on construction and entertainment. Shadowserver Foundation data shows over 165,000 vulnerable IP addresses and 644,000 domains globally, concentrated in the U.S., Germany, and France. The malware's persistence, evasion, and network pivoting capabilities make it a serious risk for lateral movement and data exfiltration.
Organizations using react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are urged to apply patches immediately to prevent exploitation.
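The first step of that patching effort is finding every copy of the three packages. The script below is an added example, not code from Huntress or the React project: it walks an npm package-lock.json (lockfile v1, v2 or v3) and reports each react-server-dom-* entry with a patch status. The affected and fixed version lists are assumptions taken from my reading of the React advisory and must be verified against it before the output is trusted; the lockfile fragment is constructed for the example.

```python
"""Inventory check for React2Shell (CVE-2025-55182): list every
react-server-dom-* package in an npm lockfile with its patch status.

Added example, not code from Huntress or the React project.
Assumptions (verify against the React advisory before relying on them):
  * affected stable versions are 19.0.0, 19.1.0, 19.1.1 and 19.2.0,
    fixed in 19.0.1, 19.1.2 and 19.2.1;
  * canary/experimental builds are reported as 'review' because their
    fix status cannot be read from the version string alone.
"""
import json
import sys

RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
AFFECTED = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}  # assumption, see above
FIXED = {"19.0.1", "19.1.2", "19.2.1"}               # assumption, see above


def _numeric(version: str):
    """'19.2.1' -> (19, 2, 1); None when the string is not purely numeric."""
    try:
        return tuple(int(p) for p in version.split("-")[0].split("."))
    except ValueError:
        return None


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'review' for one package version."""
    if version in AFFECTED:
        return "vulnerable"
    if version in FIXED:
        return "fixed"
    if "canary" in version or "experimental" in version:
        return "review"
    num = _numeric(version)
    if num and num >= (19, 2, 1):      # released after the last patch
        return "fixed"
    return "review"                    # anything else: check the advisory


def find_rsc_packages(lock: dict) -> list:
    """Return [{name, path, version, status}] for every RSC package in a
    package-lock.json (lockfileVersion 2/3 'packages' map, or v1 tree)."""
    found = []

    def record(name, path, version):
        if name in RSC_PACKAGES:
            found.append({"name": name, "path": path,
                          "version": version, "status": classify(version)})

    if "packages" in lock:                     # lockfile v2/v3
        for path, meta in lock["packages"].items():
            # keys look like node_modules/<lib>/node_modules/<name>;
            # the empty key is the root project itself
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            record(name, path or ".", meta.get("version", ""))
    else:                                      # lockfile v1 nested tree
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                record(name, path, meta.get("version", ""))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return found


# Constructed lockfile fragment for the example, not from a real project.
SAMPLE_LOCK = {
    "name": "acme-web",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-web", "version": "1.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-turbopack":
            {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel":
            {"version": "0.0.0-experimental-7e1f2a-20251201"},
    },
}


def main(argv):
    """Usage: python rsc_inventory.py [package-lock.json]; exit 1 if any
    package is not confirmed fixed."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_rsc_packages(lock)
    for h in hits:
        print(f"{h['status']:<10} {h['name']}@{h['version']}  ({h['path']})")
    return 1 if any(h["status"] != "fixed" for h in hits) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One caveat when reading the output: Next.js ships its own vendored copy of the RSC runtime inside the next package rather than depending on react-server-dom-* in the lockfile, so for Next.js applications the `next` version itself must also be compared against the Next.js fixed releases; this script only reports what the lockfile declares.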
Potential Impact
European organizations face substantial risks from React2Shell exploitation due to the widespread use of Next.js and React Server Components in web applications across various industries, including construction and entertainment. The deployment of cryptocurrency miners can degrade system performance and increase operational costs. More critically, the installation of sophisticated backdoors like PeerBlight and post-exploitation tools such as ZinFoq enables persistent unauthorized access, data theft, lateral movement, and potential sabotage. The use of reverse proxy tunnels like CowTunnel facilitates stealthy command and control communications, bypassing traditional firewall defenses. The malware’s ability to masquerade as legitimate system processes and clear logs complicates detection and incident response. Given the automation of attacks and the broad scope of vulnerable instances, European organizations could experience widespread compromise, impacting confidentiality, integrity, and availability of critical systems. The presence of over 14,000 vulnerable IPs in Germany and 6,400 in France highlights a significant regional exposure. Disruption in sectors like construction and entertainment could have cascading economic effects, while persistent infections may serve as footholds for further attacks targeting sensitive data or infrastructure.
Mitigation Recommendations
European organizations should:
- Immediately inventory and patch every instance of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, including the copy vendored inside Next.js, to remediate CVE-2025-55182. Lockfile and container-image scans are the fastest way to find them.
- Segment the network so that public-facing web servers can reach only the internal systems they need, limiting lateral movement and the value of ZinFoq's network pivoting.
- Deploy endpoint detection and response (EDR) able to flag the behaviors described for PeerBlight, CowTunnel, and ZinFoq: new or modified systemd units, processes whose name does not match their on-disk binary, reverse-proxy (frp) connections to external hosts, and timestomping.
- Monitor outbound traffic for known C2 addresses, DGA-style DNS activity (bursts of lookups for algorithmic-looking names with a high NXDOMAIN rate), and BitTorrent DHT (KRPC over UDP) traffic, which a web server has no business producing.
- Apply strict egress filtering so that web servers can only reach the destinations and ports they need; the reporting notes attacker infrastructure on uncommon ports such as 8443.
- Run regular threat hunts for the published indicators of compromise, and correlate web server logs with unexpected child processes of the Node.js runtime.
- Remember that the attackers scan from the Internet with public tooling, so restricting scanners inside the network does not reduce exposure; use the same public tooling against your own external attack surface to find unpatched instances before they do.
- Enhance logging and monitoring to detect masquerading processes and suspicious shell activity spawned under the web application's user account.
- Educate development teams to keep React, Next.js and the react-server-dom-* packages on patched releases and to treat RSC and Server Action endpoints as untrusted-input surfaces in threat models; application-level authentication does not protect against this flaw, because the vulnerable request handling sits in the framework, before application code runs.
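The DHT monitoring point deserves a concrete check, because most network teams have never had to recognise BitTorrent DHT traffic from a server. The block below is an added example, not Huntress or PeerBlight code: it decodes KRPC messages (BEP 5, bencoded dictionaries over UDP with a `y` key of `q`, `r` or `e` and a 20-byte sender node ID), classifies each one, and escalates any message whose node ID starts with a watched prefix. The prefix used here is a placeholder; the page states that PeerBlight registers with a unique node ID prefix but does not publish it, so substitute the value from the vendor report. The packets are constructed for the example, not captured.

```python
"""Spot BitTorrent DHT (KRPC, BEP 5) traffic and watched node-ID prefixes
in UDP payloads, for hunting PeerBlight-style C2 on web servers.

Added example, not Huntress or PeerBlight code. WATCH_PREFIX is a
placeholder (the real PeerBlight prefix is not given on the page);
SAMPLE_PACKETS are constructed, not captured.
"""
from __future__ import annotations


def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                               # integer: i<digits>e
        j = data.index(b"e", i)
        return int(data[i + 1:j]), j + 1
    if c == b"l":                               # list: l<values>e
        i += 1
        out = []
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":                               # dict: d<key><value>...e
        i += 1
        out = {}
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():                             # byte string: <len>:<bytes>
        j = data.index(b":", i)
        n = int(data[i:j])
        s = data[j + 1:j + 1 + n]
        if len(s) != n:
            raise ValueError("truncated string")
        return s, j + 1 + n
    raise ValueError("not bencode")


def parse_krpc(payload: bytes) -> dict | None:
    """Return {kind, method, node_id} if payload is a KRPC message, else None."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if not isinstance(msg, dict) or b"y" not in msg or b"t" not in msg:
        return None
    kind = msg[b"y"]
    if kind == b"q":                            # query: method in q, args in a
        body, method = msg.get(b"a"), msg.get(b"q", b"")
    elif kind == b"r":                          # response: return values in r
        body, method = msg.get(b"r"), b"response"
    elif kind == b"e":                          # error: no node ID carried
        return {"kind": "error", "method": "", "node_id": ""}
    else:
        return None
    # every query and response carries the sender's 20-byte node ID
    if not isinstance(body, dict) or len(body.get(b"id", b"")) != 20:
        return None
    return {"kind": "query" if kind == b"q" else "response",
            "method": method.decode("ascii", "replace"),
            "node_id": body[b"id"].hex()}


def hunt(packets: list[tuple[str, bytes]], watch_prefix: bytes) -> list[str]:
    """packets: (source, udp_payload). Return one alert line per KRPC
    message, HIGH when the node ID starts with watch_prefix, else INFO."""
    alerts = []
    for src, payload in packets:
        info = parse_krpc(payload)
        if info is None:
            continue
        node = bytes.fromhex(info["node_id"])
        sev = "HIGH" if node and node.startswith(watch_prefix) else "INFO"
        alerts.append(f"{sev} {src} dht-{info['kind']} {info['method']} "
                      f"node={info['node_id'][:8]}")
    return alerts


WATCH_PREFIX = bytes.fromhex("c0ffee")        # placeholder, not the real prefix
_benign_id = bytes(range(20))
_suspect_id = WATCH_PREFIX + b"\x11" * 17

# Constructed UDP payloads from one web server: two DHT queries, one
# DNS-looking datagram, one DHT response.
SAMPLE_PACKETS = [
    ("10.0.0.5:41000", b"d1:ad2:id20:" + _benign_id + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("10.0.0.5:41000", b"d1:ad2:id20:" + _suspect_id + b"6:target20:" + _benign_id
     + b"e1:q9:find_node1:t2:ab1:y1:qe"),
    ("10.0.0.5:53", b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),
    ("10.0.0.5:41000", b"d1:rd2:id20:" + _benign_id + b"5:nodes0:e1:t2:ab1:y1:re"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_PACKETS, WATCH_PREFIX):
        print(line)
```

Feed `hunt()` the UDP payloads extracted from a capture with whatever tool you already use; even without the real prefix, any INFO line from a web server is worth a look, since legitimate DHT participation on such a host is close to unheard of.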
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Article source: https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html (fetched 2025-12-10T20:57:10Z, 1445 words)
Threat ID: 6939dea8a97935729e794a93
Added to database: 12/10/2025, 8:57:12 PM
Last enriched: 12/10/2025, 8:57:29 PM
Last updated: 12/11/2025, 6:46:46 AM