Exploitation of React2Shell Threatens Multiple Sectors with Malware and Crypto Miners


By Tina Reynolds

Threat actors are actively exploiting a CVE-assigned vulnerability in React Server Components (RSC), publicly known as React2Shell, and organizations running affected versions need to shield themselves from the resulting attacks. Attackers have used the flaw to deploy cryptocurrency miners, along with several previously unseen malware families, across multiple sectors. The scale of the campaign is striking: more than 50 entities have been affected, in sectors ranging from construction to entertainment.

The exploit is being used to deliver two malware families, PeerBlight and ZinFoq, which give attackers persistence in breached environments and pose a serious threat to companies around the world. Cybersecurity experts are sounding the alarm, coordinating defensive efforts across sectors and urging all users to patch their software quickly to defend against the increasingly prevalent risk.

PeerBlight and ZinFoq Malware Overview

PeerBlight is a Linux backdoor whose code overlaps with other malware families, including RotaJakiro and Pink. It maintains persistence on infected machines through a systemd service and, to evade detection, disguises itself as a variant of the kernel thread “ksoftirqd”. It also includes a self-update feature, allowing it to extend its own capabilities over time.
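The persistence trick described above suggests a concrete host check. The following script is an added example, not code from the article or from Huntress: it assumes a Linux host with /proc and systemd, and flags processes that carry a kernel-thread name such as ksoftirqd without being children of kthreadd (PID 2), plus .service units that are named after, or launch a binary called, ksoftirqd. The `Proc`, `is_masquerading` and `unit_is_suspicious` names are this example's own.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, Optional

KTHREADD_PID = 2  # parent of every genuine kernel thread on Linux
# Kernel-thread names that malware has borrowed; "ksoftirqd" is the one the article cites.
KTHREAD_NAME = re.compile(r"^(ksoftirqd|kworker|kthreadd|migration|rcu_\w+)(/[\w:]+)?$")

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # contents of /proc/<pid>/comm
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None for kernel threads

def is_masquerading(p: Proc) -> bool:
    """A real kernel thread is a child of kthreadd and has no backing executable;
    a process with a kernel-thread name that breaks either rule is suspect."""
    if not KTHREAD_NAME.match(p.comm.strip("[]")):
        return False
    return p.ppid != KTHREADD_PID or p.exe is not None

def unit_is_suspicious(unit_name: str, unit_text: str) -> bool:
    """systemd never starts kernel threads, so a .service named after one, or
    whose ExecStart runs a binary called ksoftirqd, deserves a look."""
    if not unit_name.endswith(".service"):
        return False
    name_hit = KTHREAD_NAME.match(unit_name[: -len(".service")]) is not None
    exec_hit = re.search(r"^ExecStart=.*\bksoftirqd\b", unit_text, re.M) is not None
    return name_hit or exec_hit

def read_procs() -> Iterable[Proc]:
    # ppid is the 4th field of /proc/<pid>/stat, just after the ')' that closes comm
    for entry in filter(str.isdigit, os.listdir("/proc")):
        pid = int(entry)
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            ppid = int(open(f"/proc/{pid}/stat").read().rsplit(")", 1)[1].split()[1])
        except (OSError, ValueError, IndexError):
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel threads (and zombies) have no exe link
        yield Proc(pid, ppid, comm, exe)

if __name__ == "__main__":
    for p in filter(is_masquerading, read_procs()):
        print(f"SUSPECT pid={p.pid} ppid={p.ppid} comm={p.comm} exe={p.exe}")
```

Run it as root so /proc/<pid>/exe is readable for every process; for the unit check, feed the file names and contents under /etc/systemd/system and /usr/lib/systemd/system to `unit_is_suspicious`.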

Beyond PeerBlight, ZinFoq is a serious threat in its own right. The malware communicates with a command-and-control (C2) server and executes incoming commands through the “/bin/bash” shell. Its capabilities go further: it can enumerate directories, read and delete files, and download additional payloads from supplied URLs. The backdoor also exfiltrates sensitive files and system information, giving the attackers further leverage against their targets.

ZinFoq further complicates the threat landscape by letting attackers create SOCKS5 proxies, through which they tunnel and route traffic via machines they control. Alongside reverse pseudo-terminal (PTY) shell connections, it can set the access time and last-modification time of files, which undermines timeline-based forensics. This degree of control creates significant obstacles for organizations working to contain the threat.
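The timestamp manipulation mentioned above can be surfaced with two standard forensic heuristics. This script is an added example, not part of the article or of any vendor tooling; it assumes a Linux filesystem that stores nanosecond timestamps, and the `Stamp`, `timestomp_indicators` and `scan` names are its own.

```python
import os
from typing import Dict, List, NamedTuple

NS = 1_000_000_000  # nanoseconds per second

class Stamp(NamedTuple):
    atime_ns: int
    mtime_ns: int
    ctime_ns: int

def timestomp_indicators(s: Stamp, slack_s: int = 5) -> List[str]:
    """Heuristics, not proof, that atime/mtime were set by hand:
    - utimensat() can rewrite atime and mtime, but the kernel always sets ctime
      to 'now', so an mtime far older than ctime means the content time was
      pushed backwards after the inode last changed (chmod/chown/rename also
      bump ctime, so treat this as a lead to confirm, not a verdict);
    - backdating tools usually write whole seconds, leaving the nanosecond part
      at zero, whereas genuine writes almost never land on an exact second
      (filesystems that only store seconds will trip this everywhere, so
      calibrate on a known-clean directory first)."""
    hits = []
    if s.ctime_ns - s.mtime_ns > slack_s * NS:
        hits.append("mtime predates ctime")
    if s.mtime_ns % NS == 0 and s.atime_ns % NS == 0:
        hits.append("whole-second atime/mtime")
    return hits

def stamp_of(path: str) -> Stamp:
    st = os.stat(path, follow_symlinks=False)
    return Stamp(st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)

def scan(root: str) -> Dict[str, List[str]]:
    """Return {path: indicators} for every file under root that trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = timestomp_indicators(stamp_of(path))
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    import sys
    for path, why in scan(sys.argv[1] if len(sys.argv) > 1 else "/tmp").items():
        print(path, "; ".join(why))
```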

Geographic Impact of the Exploitation

The fallout from the React2Shell exploit reaches far beyond the companies hit directly. Cybersecurity experts have tracked more than 99,200 infections of this malware in the U.S. alone. Germany, France, and India have recently issued major announcements, and the U.S., Asia, South America and the Middle East have joined the EU among the most heavily affected regions.

Huntress researchers have found more than 60 different nodes connected to the LOLlolLOL prefix, which serves as a unique identifier for the botnet. The prefix underpins communication between infected systems, allowing them to share key information, such as their C2 configuration, under specific conditions. The magnitude of these intrusions highlights the perilous state of the cyber environment and the critical need for organizations to improve their defenses.

Industries such as construction and entertainment have become prime targets for threat actors and have seen heavy exploitation. On December 8, 2025, researchers were paying close attention to what would happen next; they note that several conditions must be met before an infected bot will actually pass its C2 configuration to another bot.

Urgent Response Required

With threats such as ransomware, DDoS and supply-chain attacks adapting by the moment, cybersecurity professionals are telling businesses they need to act now. Christiaan Beek, a leading technical expert in the field, described the situation as dire.

“This is a patch-now situation because exploitation is happening simultaneously across the entire threat landscape.” – Christiaan Beek

That tide ranges from high-volume, low-skill opportunistic abuse through to complex, multi-faceted campaigns conducted by nation-state actors. What is concerning, Beek said, are indicators linking the exploitation of this vulnerability to tools previously used by ransomware gangs.

Huntress researchers have observed common patterns across many of the endpoints targeted by these brute-force attacks.

“Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure, we assess that the threat actor is likely leveraging automated exploitation tooling.” – Huntress researchers

The complex ecosystem we operate within today means that companies must be more vigilant and proactive than ever to stay a step ahead of adversaries. Cybercriminals are becoming increasingly adept at exploiting vulnerabilities, making it essential for businesses to stay informed about emerging threats and implement necessary patches promptly.