
React2Shell ransomware: Weaxor deployed on vulnerable server

The critical React2Shell unauthenticated remote code execution (RCE) vulnerability has been exploited to deploy Weaxor ransomware, S-RM reported Tuesday.

React2Shell, formally tracked as CVE-2025-55182, affects React Server Components versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0, and has been under heavy exploitation since it was first disclosed on Dec. 3, 2025.

Most attacks thus far have been attributed to nation-state threat actors deploying backdoors and to financially motivated attackers deploying cryptominers.

In a new development, S-RM reports that it responded to an incident in which the maximum-severity vulnerability (CVSS 10.0) was used to gain initial access in a ransomware attack. The intrusion reportedly took place on Dec. 5, 2025, and was confined to the vulnerable web server with no additional lateral movement.

The attacker initially exploited React2Shell — which has multiple public proof-of-concept exploits available — by running a PowerShell command that led to the establishment of a Cobalt Strike beacon for command-and-control (C2) communication.

Once a C2 connection was established, and less than a minute after initial access, the attacker deployed the Weaxor ransomware binary, which encrypts files and appends the file extension “.weax” to them.

The Weaxor ransomware has been observed since late 2024 and is believed by researchers to be a rebrand of Mallox ransomware, which was first seen in 2021. Unlike Mallox, Weaxor is not thought to operate as a ransomware-as-a-service (RaaS) offering and does not have a dedicated leak site; in the React2Shell attack, no evidence of data exfiltration was found.

The ransomware dropped a ransom note titled “RECOVERY INFORMATION.txt” in all affected directories. The attacker attempted to evade detection and cover their tracks by disabling real-time protection in Windows Defender Antivirus prior to deploying the ransomware, deleting volume shadow copies and clearing event logs.



S-RM also noted that the same victim web server appeared to have been compromised again by separate threat actors sometime after the ransomware attack, demonstrating the widespread exploitation of servers vulnerable to React2Shell. Based on the speed of the ransomware infection, S-RM believes the attack was likely part of an automated campaign.

S-RM urged organizations to ensure their systems are fully patched against React2Shell, noting that earlier patches for 19.0.2, 19.1.3 and 19.2.2 were incomplete.

Additionally, all organizations running React Server Components, including those that have already fully patched, should review previously vulnerable servers for signs of compromise, such as unusual outbound connections, evidence of antivirus disabling or log clearing, unusual spikes in resource usage, or specific indicators of compromise associated with React2Shell attacks, S-RM said.
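As an added example (not part of the S-RM report or this article), the following read-only PowerShell triage script checks a Windows web server for the post-exploitation signs described above: Defender real-time protection disabled, event logs cleared, shadow copies gone, the Weaxor ransom note or “.weax” files, and outbound connections to external addresses. The $ScanRoot default and the private-address exclusions are assumptions; adjust them to the environment and run the script as Administrator.

```powershell
# Added triage example for the React2Shell -> Weaxor chain; not the report's own tooling.
# $ScanRoot is an assumed path: point it at the web application's content directories.
param(
    [string]$ScanRoot = 'C:\inetpub',
    [int]$LookbackDays = 30
)
$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = @()

# 1. Defender real-time protection: currently off, or turned off within the lookback window
#    (Defender operational log event 5001 = "Real-time protection is disabled").
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status -and -not $status.RealTimeProtectionEnabled) {
    $findings += 'Defender real-time protection is currently OFF'
}
$rtpOff = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001; StartTime = $since
} -ErrorAction SilentlyContinue)
foreach ($e in $rtpOff) { $findings += "Real-time protection disabled at $($e.TimeCreated)" }

# 2. Event log clearing: Security log cleared (1102) and any other log cleared (System 104).
$cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue)
foreach ($e in $cleared) { $findings += "Event log cleared ($($e.LogName), id $($e.Id)) at $($e.TimeCreated)" }

# 3. Volume shadow copies: none present is consistent with the deletion described in the
#    report (a server may legitimately have none, so treat this as corroborating only).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings += 'No volume shadow copies present' }

# 4. Weaxor artefacts: the ransom note name and the .weax extension named in the report.
$artefacts = Get-ChildItem -Path $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'RECOVERY INFORMATION.txt' -or $_.Extension -eq '.weax' }
foreach ($f in $artefacts) { $findings += "Ransomware artefact: $($f.FullName)" }

# 5. Unusual outbound connections: established sessions to non-loopback, non-RFC1918
#    addresses (assumed private ranges), with the owning process, for analyst review.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
foreach ($c in $conns) {
    $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += "Outbound $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) ($proc)"
}

if ($findings.Count -eq 0) { 'No indicators found in the checked locations' } else { $findings }
```

Absence of findings here does not clear a host; the report also recommends checking for the specific React2Shell indicators of compromise and resource-usage spikes, which this script does not cover.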
