InfoSecBulletin Cybersecurity for mankind
A financially motivated ransomware gang exploited React2Shell vulnerability (CVE-2025-55182) to quickly access corporate networks and deploy malware less than a minute later.
React2Shell (CVE-2025-55182) is a maximum severity vulnerability in React Server Components (RSC) which was publicly disclosed on 3 December 2025. The vulnerability impacts the Flight Protocol, a core feature of the React web development library and the open-source framework Next.js, which is used to speed up web application rendering.
OpenAI unveils its first custom chip, Named Jalapeño
Bajaj Auto System Hit by a Ransomware Attack
Cisco Unified CM flaw CVE-2026-20230 exploited in attacks
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
Researchers at S-RM noted the use of React2Shell in an attack on December 5, where a threat actor deployed the Weaxor ransomware.
Weaxor ransomware attack:
Weaxor ransomware emerged in late 2024 and is thought to be a rebrand of the Mallox/FARGO operation, also known as ‘TargetCompany’, which targeted MS-SQL servers.
Weaxor, similar to Mallox, is a basic operation that attacks public servers with opportunistic demands for low ransoms.
S-RM researchers indicate that the threat actor used the encryptor soon after gaining access via React2Shell. This implies an automated attack, but there’s no evidence in the compromised environment to back this up.
Immediately after the breach, the hackers executed an obfuscated PowerShell command that deployed a Cobalt Strike beacon for command and control (C2) communication.
The attacker quickly disabled Windows Defender’s real-time protection and launched the ransomware, all within a minute of gaining access.
The researchers found that the attack was restricted to one vulnerable endpoint, with no signs of lateral movement.
After encryption, the files had the ‘.WEAX’ extension, and every impacted directory had a ransom note file named ‘RECOVERY INFORMATION.txt’, which contained payment instructions from the attacker.
S-RM reported that Weaxor deleted volume shadow copies to hinder restoration and erased event logs to complicate forensic analysis.
The researchers noted that the same host was also attacked by other hackers with different methods, highlighting the extent of malicious activity related to React2Shell.
S-RM recommends that system administrators check Windows event logs and EDR telemetry for signs of process creation from Node or React binaries, as patching by itself is insufficient.
Process spawning of cmd.exe or powershell.exe from node.exe is a strong indicator of React2Shell exploitation Unusual outbound connections, disabled security solutions, log clearing, and resource spikes should also be thoroughly investigated.
