
Attackers are exploiting the flaw to execute arbitrary code on vulnerable Next.js and React deployments via a single crafted HTTP request, enabling follow‑on malware delivery, cryptomining, and persistence across Linux infrastructure.
React2Shell was exploited in the wild.
The React2Shell bug stems from an insecure deserialization issue in how React Server Components process React Flight “chunks,” allowing an unauthenticated attacker to inject malicious logic via a specially crafted “thenable” object.
By forging a chunk with a fake lifecycle state and a “then” method that resolves to attacker‑controlled constructor code, the exploit forces the server to hydrate a blob value that executes arbitrary JavaScript during server‑side rendering.
The flaw affects several versions of the react‑server‑dom package, and exploitation has been observed against internet‑exposed Next.js apps, where attackers run simple curl or wget one‑liners to pull shell scripts and ELF payloads.
Security researchers report active scanning with a publicly available React2Shell scanner, with its default User‑Agent appearing in logs before exploitation attempts.
PeerBlight turns Linux into a proxy infrastructure.
Post‑exploitation activity includes deploying PeerBlight, a full‑featured Linux backdoor that uses a multi‑layered C2 design to maintain control even if the primary infrastructure is taken down.
The malware first connects to a hardcoded C2 at 185.247.224[.]41:8443, negotiates AES‑256 session keys via RSA‑encrypted handshakes, and then sends JSON beacons describing the architecture, OS, and a campaign group identifier.

If that fails, it falls back to a domain generation algorithm that produces up to 200 domain:port pairs, and, as a last resort, abuses the BitTorrent DHT network using a distinctive node ID prefix “LOLlolLOL” to discover updated C2 configuration distributed peer‑to‑peer.
On the host, PeerBlight focuses on stealth and persistence, copying itself to /bin/systemd-daemon and registering a systemd-agent service on systems with systemd, or dropping an Upstart job on legacy distributions.
It overwrites argv and process names to masquerade as a kernel [ksoftirqd] thread, hiding in plain sight in process listings while maintaining long‑term access.
Once established, the backdoor supports at least 10 task types via JSON‑based commands, including file uploads and downloads, reverse-shell spawning, permission changes, on‑box execution of arbitrary binaries, and in‑memory upgrades of the implant.
This command set, combined with its DGA- and DHT-based C2, effectively turns each infected Linux host into a resilient proxy node that operators can use for further intrusion, lateral movement, and the staging of additional malware.
The same React2Shell campaign has also been observed deploying a reverse‑proxy tool called CowTunnel based on xfrpc, a Go post‑exploitation implant named ZinFoq with SOCKS5 pivoting and timestomping, cryptominer scripts that pull XMRig, and a Kaiji botnet variant that leverages DDoS and watchdog abuse for persistence.
Organizations running vulnerable React Server Components or Next.js stacks are urged to apply the patched versions immediately and monitor for indicators of PeerBlight binaries, its systemd‑agent persistence files, LOLlolLOL DHT nodes, and outbound traffic to known C2 endpoints.
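As an added example (not code from the article or from any vendor tooling), the following Python triage helper checks host and network telemetry for the PeerBlight indicators described above: a user-space process masquerading as [ksoftirqd], connections to the hardcoded C2, the LOLlolLOL DHT node-ID prefix, and the persistence paths. The systemd unit path, the `ss`-style connection text, and all sample data are assumptions made for the example.

```python
import re

# Indicators quoted in the article. The systemd unit path and the telemetry formats
# below are assumptions made for this example, not values reported on the page.
C2_ENDPOINT = ("185.247.224.41", 8443)
PERSISTENCE_PATHS = {"/bin/systemd-daemon", "/etc/systemd/system/systemd-agent.service"}
DHT_NODE_PREFIX = b"LOLlolLOL"
KSOFTIRQD = re.compile(r"^\[ksoftirqd/\d+\]$")

def find_masquerading_processes(procs):
    """procs: iterable of (pid, name, exe). A genuine ksoftirqd is a kernel thread and has no
    backing executable (readlink /proc/<pid>/exe fails); a user process that rewrote argv to
    look like one still resolves to a real binary, which is the tell."""
    return [pid for pid, name, exe in procs if KSOFTIRQD.match(name) and exe]

def find_c2_connections(conn_lines):
    """conn_lines: socket-table text such as `ss -tnp` output; returns lines whose peer is the C2."""
    host, port = C2_ENDPOINT
    pat = re.compile(rf"(?<![\d.]){re.escape(host)}:{port}(?!\d)")
    return [line for line in conn_lines if pat.search(line)]

def find_dht_beacons(datagrams):
    """datagrams: iterable of (src_ip, payload_bytes) for outbound UDP; KRPC messages embed the
    sender's 20-byte node ID, so the fixed prefix is searchable without fully parsing bencode."""
    return sorted({src for src, payload in datagrams if DHT_NODE_PREFIX in payload})

def check_persistence(existing_paths):
    """existing_paths: paths present on the host (e.g. collected with os.path.exists)."""
    return sorted(PERSISTENCE_PATHS & set(existing_paths))

def triage(procs, conn_lines, datagrams, existing_paths):
    """Returns only the indicator classes that fired, so an empty dict means nothing matched."""
    findings = {
        "masquerading_pids": find_masquerading_processes(procs),
        "c2_connections": find_c2_connections(conn_lines),
        "dht_sources": find_dht_beacons(datagrams),
        "persistence": check_persistence(existing_paths),
    }
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    # Constructed sample telemetry for a single host; not real captures.
    procs = [(12, "[ksoftirqd/0]", ""), (4242, "[ksoftirqd/1]", "/bin/systemd-daemon")]
    conns = ["ESTAB 0 0 10.0.0.5:51234 185.247.224.41:8443 users:((\"systemd-daemon\",pid=4242,fd=3))",
             "ESTAB 0 0 10.0.0.5:41002 93.184.216.34:443 users:((\"curl\",pid=880,fd=5))"]
    dgrams = [("10.0.0.5", b"d1:ad2:id20:LOLlolLOL" + b"\x00" * 11 + b"e1:q4:ping1:y1:qe")]
    paths = ["/bin/systemd-daemon", "/usr/bin/python3"]
    print(triage(procs, conns, dgrams, paths))
```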
The post React2Shell Flaw Abused as PeerBlight Malware Turns Linux Hosts into Covert Proxy Nodes appeared first on Cyber Security News.
