React2Shell Sparks a New Wave of Server Intrusions as PeerBlight Backdoor Turns Linux Hosts into Covert Proxy Nodes

Listen to this Post

Featured Image

Introduction

A silent storm is moving through the web’s backend. A critical vulnerability inside React Server Components, now weaponized under the name React2Shell, has opened a dangerous door into infrastructures powered by Next.js and modern React stacks. What began as an obscure deserialization flaw has quickly escalated into a large-scale exploitation wave, allowing attackers to deploy a stealthy new Linux backdoor known as PeerBlight. This malware transforms compromised servers into hidden proxy relays and resilient command-and-control nodes, giving threat actors the type of distributed foothold that is difficult to detect and even harder to remove. The situation is evolving fast, and the targets appear to be growing by the day.

The Rise of React2Shell and the Deployment of PeerBlight: A Deep Dive into a Growing Threat

A New Exploit Emerges from React’s Backend

The React2Shell vulnerability, tracked as CVE-2025-55182, has become a focal point for attackers seeking easy remote code execution on Internet-facing Next.js and React deployments. It takes advantage of an insecure deserialization flaw in how React Server Components process React Flight “chunks,” creating an attack surface where a single crafted HTTP request can execute arbitrary JavaScript on the server.

The Technical Exploit Behind React2Shell

At its core, the bug lies in React’s handling of so-called “thenable” objects. By crafting a malicious chunk with a forged lifecycle state and a “then” handler that resolves to attacker-controlled constructor code, hackers can force the server to hydrate and execute arbitrary logic during server-side rendering. The react-server-dom package across several versions has been confirmed vulnerable, and real-world attacks are already in motion.

Evidence of Active Scanning

Researchers observing the attacks point out that exploitation attempts are often preceded by a specific User-Agent signature tied to a publicly available React2Shell scanner. Logs across multiple organizations show reconnaissance scans followed by malicious curl or wget one-liners pulling shell scripts and ELF payloads.

The Shift from Exploitation to Persistence

Once the vulnerability is successfully exploited, attackers waste no time deploying PeerBlight, a new Linux backdoor crafted for stealth, reliability, and flexible command execution. The malware transforms victim servers into proxy nodes while maintaining multiple layers of fallback communication to ensure the adversary retains access even if primary C2 servers are taken down.

PeerBlight’s Multi-Layered C2 Infrastructure

PeerBlight starts by attempting to connect to a hardcoded C2 endpoint at 185.247.224[.]41:8443, where it negotiates AES-256 session keys using RSA-based handshakes. It then transmits JSON beacons containing OS details, architecture, and campaign tags.
If the main server is offline, it dynamically generates up to 200 alternative domain:port pairs using a DGA system. As a last-ditch fallback, the malware taps into the BitTorrent DHT network using a distinctive node ID prefix, “LOLlolLOL,” allowing it to retrieve new C2 details in a fully decentralized manner.

A Backdoor That Hides in Plain Sight

On the infected host, PeerBlight settles in by copying itself to /bin/systemd-daemon, registering as systemd-agent, and masquerading as a kernel thread. It overwrites its argv values and process names to appear as [ksoftirqd], making it blend into system process lists. The malware supports at least ten distinct task types, including file operations, remote shell execution, permission changes, and in-memory implant upgrades.

A Proxy Infrastructure in the Making

By design, every compromised host becomes part of a covert proxy layer. Through JSON-based tasking and decentralized C2 mechanisms, operators can execute lateral movement, stage additional payloads, or reroute their traffic through infected nodes. The campaign deploying PeerBlight has also pushed CowTunnel, a reverse-proxy tool based on xfrpc; ZinFoq, a Go post-exploitation implant with SOCKS5 pivoting; XMRig-based cryptominers; and even Kaiji botnet variants.

The Expanding Threat Landscape

Organizations running vulnerable React Server Components or unpatched Next.js stacks face a high risk of compromise. The attack vector is trivial, and scanning is widespread. Security teams are urged to apply patches immediately, monitor for PeerBlight binaries, investigate systemd-agent artifacts, look for unusual DHT node activity with the “LOLlolLOL” prefix, and block outbound traffic to known C2 endpoints.

What Undercode Say:

A Vulnerability That Should Not Have Been This Easy

From an engineering perspective, the flaw inside React Server Components underscores a recurring pattern: modern frameworks increasingly assume trusted inputs and predictable data structures. When serialization frameworks meet untrusted networks, the consequences are severe, and React2Shell proves that even high-level abstractions can become dangerous when core assumptions break.

Why React2Shell Became So Attractive to Attackers

The exploit chain requires no authentication, no complex timing, and no special privileges. Just one crafted HTTP request can drop a shell. That simplicity, paired with widespread adoption of Next.js for production workloads, makes the vulnerability irresistible to attackers seeking automation and scale.

PeerBlight’s Design Shows a Shift Toward Resilient Malware

PeerBlight’s combination of C2 layers illustrates how threat actors are preparing for takedowns. Hardcoded server, DGA fallback, and DHT peer discovery form a resilient chain that survives outages, law-enforcement actions, or DNS sinkholing. Malware that survives infrastructure disruption is no longer rare—it is the new standard.

A Sign That Proxy-Centric Botnets Are the New Gold Rush

The operators behind this campaign are clearly building a distributed proxy network. Proxy access is a hot commodity in cybercrime markets because it offers anonymity, obfuscation, and persistence for further operations. Hosting providers and cloud companies should expect growing interest in turning server workloads into covert relay networks.

The Real Danger Lies in Visibility Gaps

PeerBlight’s process masquerading as [ksoftirqd] blends seamlessly into Linux environments where administrators often rely on quick visual inspection to detect anomalies. For teams without deep EDR coverage, this malware can sit unnoticed for months, quietly funneling traffic or running lateral-movement tasks.

Why This Campaign Feels Like a Testing Ground

The simultaneous deployment of multiple post-exploitation tools—CowTunnel, ZinFoq, DDoS-enabled Kaiji forks—suggests the attackers are experimenting. They may be validating how different implants perform at scale, anticipating larger or more coordinated operations in the future.

Security Teams Must Assume Compromise Until Proven Otherwise

Given the trivial nature of the exploit, security teams should treat any Internet-exposed Next.js or React Server Components deployment as potentially compromised if it remained unpatched during the initial exploitation window. Retroactive forensics, network flow analysis, and endpoint integrity checks should be prioritized.

A Reminder: Supply Chain Risk Isn’t Just Libraries

Even mainstream frameworks can harbor vulnerabilities that lead to mass exploitation. The convenience of modern web stacks should not obscure the need for security audits, dependency scanning, and staged deployments. React2Shell is a wake-up call for organizations relying heavily on server-side frameworks without internal security review capacities.

🔍 Fact Checker Results

React2Shell is confirmed as an actively exploited RCE vulnerability. ✅

PeerBlight’s multi-layered C2 and DHT fallback mechanisms have been verified in malware samples. ✅

Public scanning tools for React2Shell are indeed being used in live attacks. ❌ (Some scans originate from custom scripts)

📊 Prediction

Attackers will expand PeerBlight’s proxy mesh as patched servers shrink their available targets. 🌐
Organizations that delay updating React Server Components will face higher risks of follow-on payloads, including ransomware. ⚠️
DHT-based C2 frameworks may become a major trend in future botnets due to their resilience. 🔮

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon