A critical vulnerability in React Server Components, known as React2Shell and tracked as CVE-2025-55182, is being actively exploited to deploy a new Linux backdoor called PeerBlight. This malware turns compromised servers into covert proxy and command-and-control nodes. Attackers use a single crafted HTTP request to execute arbitrary code on vulnerable Next.js and React applications.
The React2Shell vulnerability arises from an insecure deserialization issue in how React Server Components handle React Flight “chunks.” An unauthenticated attacker can inject malicious logic through a specially crafted “thenable” object, forcing the server to execute arbitrary JavaScript during server-side rendering. This flaw impacts several versions of the react-server-dom package and has been observed in attacks on internet-exposed Next.js applications, often initiated with simple curl or wget commands to fetch shell scripts and ELF payloads.
Security researchers have noted active scanning using a publicly available React2Shell scanner, identifiable by its default User-Agent in logs. Exploitation has occurred in the wild, enabling follow-on activities such as malware delivery, cryptomining, and persistence mechanisms.
Once inside, attackers deploy PeerBlight, a sophisticated Linux backdoor with a multi-layered command-and-control (C2) structure. It initially connects to a hardcoded C2 server at 185.247.224.41:8443, negotiating AES-256 session keys through RSA-encrypted handshakes. The malware sends JSON beacons detailing the host's architecture, operating system, and a campaign group identifier. If the primary C2 fails, it resorts to a domain generation algorithm (DGA) that creates up to 200 domain-port pairs, and ultimately leverages the BitTorrent DHT network with a distinctive node ID prefix “LOLlolLOL” for peer-to-peer C2 discovery.
For persistence and stealth, PeerBlight copies itself to /bin/systemd-daemon and registers as systemd-agent on systems using systemd, or drops an Upstart job on older distributions. It overwrites argv and process names to mimic a kernel [ksoftirqd] thread, evading detection in process lists.
The backdoor handles at least 10 JSON-based command types, including file uploads and downloads, reverse-shell spawning, permission modifications, arbitrary binary execution, and in-memory upgrades. This setup transforms infected hosts into resilient proxy nodes for further intrusions and lateral movement.
The same campaign has also introduced tools like CowTunnel (a reverse-proxy based on xfrpc), ZinFoq (a Go implant with SOCKS5 pivoting and timestomping), XMRig cryptominers, and a Kaiji botnet variant for DDoS and watchdog functions. Organizations using vulnerable React Server Components or Next.js are advised to apply patches immediately and monitor for PeerBlight indicators, such as its binaries, systemd-agent files, LOLlolLOL DHT nodes, and traffic to known C2 endpoints.
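As an added example (not code from the report or from any vendor tooling), a small Python triage helper implementing three of the host-side checks the indicators above suggest: a KRPC/bencode decoder that flags DHT packets carrying the LOLlolLOL node-ID prefix, a process check that separates a genuine ksoftirqd kernel thread from a renamed userspace binary, and a match against the hardcoded C2 endpoint. It assumes the caller collects `/proc` fields, socket tuples and captured UDP payloads separately and passes them in; the node ID and process records in the test are constructed.

```python
import re
from typing import Optional

# Indicators quoted from the report above; sample inputs are constructed.
C2_ENDPOINT = ("185.247.224.41", 8443)
DHT_ID_PREFIX = b"LOLlolLOL"
DROP_PATH = "/bin/systemd-daemon"
KSOFTIRQD = re.compile(r"^\[?ksoftirqd")

def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder; returns (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def krpc_node_id(packet: bytes) -> Optional[bytes]:
    """Sender node ID from a KRPC query ('a' dict) or response ('r' dict)."""
    msg, _ = bdecode(packet)
    for key in (b"a", b"r"):
        body = msg.get(key) if isinstance(msg, dict) else None
        if isinstance(body, dict) and b"id" in body:
            return body[b"id"]
    return None

def is_peerblight_dht(packet: bytes) -> bool:
    """True when the DHT message carries the LOLlolLOL node-ID prefix."""
    nid = krpc_node_id(packet)
    return nid is not None and nid.startswith(DHT_ID_PREFIX)

def fake_kernel_threads(procs):
    """procs: dicts with pid, comm, ppid, exe (None if /proc/PID/exe is unreadable).
    Real ksoftirqd threads are children of kthreadd (PID 2) with no exe link;
    a renamed userspace binary has another parent and a resolvable exe."""
    hits = []
    for p in procs:
        mimic = KSOFTIRQD.match(p["comm"]) and (p["ppid"] != 2 or p["exe"] is not None)
        if mimic or p["exe"] == DROP_PATH:
            hits.append(p["pid"])
    return hits

def c2_connections(conns):
    """conns: iterable of (remote_ip, remote_port); returns matches for the hardcoded C2."""
    return [c for c in conns if c == C2_ENDPOINT]
```

Run the DHT check over UDP payloads from a packet capture and the process check over a `/proc` walk; a hit on the DGA fallback still needs DNS telemetry, which this helper does not cover.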