
Critical React2Shell flaw exploited in ransomware attacks


A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deployed the file-encrypting malware less than a minute later.

React2Shell is an insecure deserialization issue in the React Server Components (RSC) 'Flight' protocol used by the React library and the Next.js framework. It can be exploited remotely without authentication to execute JavaScript code in the server's context.

Within hours of its disclosure, nation-state hackers started to exploit it in cyberespionage operations and to deploy the new EtherRAT malware. Cybercriminals were also quick to leverage it in cryptocurrency mining attacks.

However, researchers at corporate intelligence and cybersecurity company S-RM observed React2Shell being used in an attack on December 5 by a threat actor that deployed the Weaxor ransomware strain.

Weaxor ransomware attack

Weaxor ransomware appeared in late 2024 and is believed to be a rebrand of the Mallox/FARGO operation (also known as 'TargetCompany') that focused on compromising MS-SQL servers.

Like Mallox, Weaxor is a less sophisticated operation that targets public-facing servers with opportunistic attacks demanding relatively low ransoms.

The operation does not have a data leak portal for double extortion, and there’s no indication that it performs data exfiltration before the encryption phase.

S-RM researchers say that the threat actor deployed the encryptor shortly after gaining initial access through React2Shell. While this suggests an automated attack, the researchers did not find any evidence in the compromised environment to support the theory.

Immediately after the breach, the hackers executed an obfuscated PowerShell command that deployed a Cobalt Strike beacon for command and control (C2) communication.
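The chain described above (a web-application server compromised through React2Shell, then an obfuscated PowerShell command launched from it) gives defenders a concrete behavioural signal: the Node.js process serving a Next.js app has no reason to spawn PowerShell, and an encoded or hidden-window PowerShell invocation is suspicious on its own. The following detection sketch is an added example, not code from the article or from S-RM; it assumes process-creation telemetry exported as JSON lines with hypothetical field names (`image`, `parent_image`, `command_line`, `pid`), and the sample events are constructed.

```python
"""Flag PowerShell launched by a web-application server process, and decode
-EncodedCommand payloads for triage. Added example; field names and sample
events are constructed, not taken from the article or any vendor product."""
import base64
import json
import re
from typing import Iterable, Optional

# Process images that serve web applications and should never start PowerShell.
WEB_SERVER_IMAGES = {"node.exe", "node", "next-server"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}

# Argument patterns typical of obfuscated or encoded PowerShell launches.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"   # -e / -enc / -EncodedCommand <base64>
    r"|-nop\b|-w(indowstyle)?\s+hidden"                     # no profile, hidden window
    r"|\biex\b|invoke-expression|downloadstring|frombase64string)"
)
ENCODED_ARG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) so an analyst can read it."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> Optional[str]:
    """Severity for one process-creation event, or None if it is not of interest.

    high   - PowerShell spawned by a web-application server process
    medium - PowerShell with obfuscation/encoding flags from any other parent
    """
    if _basename(event.get("image", "")) not in POWERSHELL_IMAGES:
        return None
    if _basename(event.get("parent_image", "")) in WEB_SERVER_IMAGES:
        return "high"
    if SUSPICIOUS_PS_ARGS.search(event.get("command_line", "")):
        return "medium"
    return None


def triage(lines: Iterable[str]) -> list:
    """Run classify() over JSON-lines telemetry and return findings with decoded payloads."""
    findings = []
    for line in lines:
        event = json.loads(line)
        severity = classify(event)
        if severity:
            findings.append({
                "pid": event["pid"],
                "severity": severity,
                "decoded": decode_encoded_command(event.get("command_line", "")),
            })
    return findings


# Constructed sample telemetry. The encoded payload is a harmless placeholder.
_PLACEHOLDER = "Write-Output 'constructed-placeholder'"
ENC = base64.b64encode(_PLACEHOLDER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    json.dumps({"pid": 4120, "image": r"C:\Program Files\nodejs\node.exe",
                "parent_image": r"C:\Windows\System32\services.exe",
                "command_line": "node.exe server.js"}),
    json.dumps({"pid": 4388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent_image": r"C:\Program Files\nodejs\node.exe",
                "command_line": "powershell.exe -nop -w hidden -enc " + ENC}),
    json.dumps({"pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "command_line": "powershell.exe Get-ChildItem"}),
    json.dumps({"pid": 6001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "command_line": "powershell.exe -w hidden -enc " + ENC}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The parent/child relationship is the stronger signal: flag any PowerShell child of the web server regardless of its arguments, and fall back to argument heuristics elsewhere. Decoding `-EncodedCommand` inline lets an analyst see the next-stage loader (in the incident above, a Cobalt Strike beacon stager) without re-running anything.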
