A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deployed the file-encrypting malware less than a minute later.

React2Shell is an insecure deserialization issue in the React Server Components (RSC) ‘Flight’ protocol used by the React library and the Next.js framework. It can be exploited remotely without authentication to execute  JavaScript code in the server’s context.

Within hours of its disclosure, nation-state hackers started to exploit it in cyberespionage operations or to deploy new EtherRAT malware. Cybercriminals were also quick to leverage it in cryptocurrency mining attacks.

However, researchers at corporate intelligence and cybersecurity company S-RM observed React2Shell being used in an attack on December 5 by a threat actor that deployed the Weaxor ransomware strain.

Weaxor ransomware attack

Weaxor ransomware appeared in late 2024 and is believed to be a rebrand of the Mallox/FARGO operation (also known as ‘TargetCompany’) that focused on compromising MS-SQL servers.

Like Mallox, Weaxor is a less sophisticated operation that targets public-facing servers with opportunistic attacks demanding relatively low ransoms.

The operation does not have a data leak portal for double extortion, and there’s no indication that it performs data exfiltration before the encryption phase.

S-RM researchers say that the threat actor deployed the encryptor shortly after gaining initial access through React2Shell. While this suggests an automated attack, the researchers did not find any evidence in the compromised environment to support the theory.

Immediately after the breach, the hackers executed an obfuscated PowerShell command that deployed a Cobalt Strike beacon for command and control (C2) communication.

In the next step, the attacker disabled real-time protection in Windows Defender and launched the ransomware payload. All this happened in less than a minute since the initial access stage.

According to the researchers, the attack was limited to the endpoint that was vulnerable to React2Shell, as they did not observe any lateral movement activity.

After encryption, the files had the ‘.WEAX’ extension, and every impacted directory had a ransom note file named ‘RECOVERY INFORMATION.txt’, which contained payment instructions from the attacker.

S-RM says that Weaxor also wiped volume shadow copies to prevent easy restoration and cleared event logs to make forensic analysis more difficult.

Notably, the researchers report that the same host was subsequently compromised by other attackers using different payloads, which is indicative of the level of malicious activity around React2Shell.

S-RM suggests that system administrators review Windows event logs and EDR telemetry for any evidence of process creation from binaries related to Node or React, as patching alone isn’t enough.

Process spawning of cmd.exe or powershell.exe from node.exe is a strong indicator of React2Shell exploitation Unusual outbound connections, disabled security solutions, log clearing, and resource spikes should also be thoroughly investigated.