EvilBit Threat Digest - This Week in Security: React Like You Mean It

React2Shell RCE slams Next.js as threat actors pivot to BYOVD ransomware, eBPF rootkits, Teams scams, VS Code trojans, and OT brute-force attacks.

KryptoKat: Well, that was a week. If you’re a developer working with React or Next.js, I hope you got your patching done early. If not, you may want to check your cloud bills for any unexpected cryptomining charges. For everyone else, it was the usual mix of sophisticated malware campaigns, creative social engineering, and sobering reminders that operational technology is still very much in the crosshairs.

UncleSp1d3r: And don't forget vulnerable drivers. Nothing says "good morning" like finding out a legitimate, signed driver from a decade ago is being used to turn off your EDR. Pour yourself something strong; let's get into it.


React2Shell: A Critical RCE Tears Through Next.js

UncleSp1d3r: Let's rip this Band-Aid off first. If you're running a Next.js application, you need to stop what you're doing and verify you've patched for CVE-2025-55182, also known as "React2Shell." This is a critical, unauthenticated remote code execution vulnerability in React Server Components, and it's being hammered in the wild. CISA has already added it to their KEV catalog, which is your official cue to panic--respectfully, of course.

The exploitation is widespread and varied. We've seen multiple threat actors jumping on this bug with different objectives. Huntress Labs reported on the PeerBlight Linux backdoor, a nasty implant that gives attackers a persistent foothold. Elsewhere, researchers observed DPRK-linked actors using the vulnerability to deploy EtherRAT, a backdoor that uses the Ethereum blockchain for a decentralized, hard-to-disrupt C2 infrastructure. As if that weren't enough, AWS noted that China-nexus groups are also in the mix, using their access for cryptomining and credential theft. This is an all-hands-on-deck situation for anyone with an exposed Next.js instance. Patch, hunt for IOCs, and rebuild any compromised hosts.


Malware Roundup: From BYOVD to eBPF Rootkits

UncleSp1d3r: While everyone was scrambling to patch their web apps, the malware authors were busy finding other ways in. Cisco Talos published a fantastic deep dive on a new DeadLock ransomware campaign that uses a "Bring Your Own Vulnerable Driver" (BYOVD) technique. The operators are using a loader to exploit CVE-2024-51324, a flaw in an old, signed Baidu Antivirus driver (BdApiUtil.sys). This lets them get kernel-level privileges to terminate EDR and AV processes before kicking off a UAC-bypassing PowerShell script to delete shadow copies and deploy the ransomware. It’s a clean, multi-stage attack that underscores why controlling which drivers can be loaded on your endpoints is so critical.

KryptoKat: On the espionage front, FortiGuard Labs attributed a new campaign to the Iranian APT group MuddyWater. This one uses a classic macro-laced document to drop a backdoor called UDPGangster. As the name implies, its command and control is UDP-based, running over port 1269 in this case. It’s a good reminder to be suspicious of non-standard UDP egress and to keep those macro policies locked down.

UncleSp1d3r: The award for most interesting tradecraft this week might go to the operators behind Symbiote and BPFdoor. Fortinet researchers analyzed new samples and found them using eBPF filters for stealthy C2. The malware attaches a Berkeley Packet Filter to a raw socket that acts like a kernel-level firewall, ensuring only packets with the attacker's specific "magic" values (e.g., a specific source port or TCP sequence number) get processed. All other traffic is ignored. This makes the backdoor nearly invisible to network monitoring tools running on the host. Detecting this requires looking for suspicious eBPF program loads at the kernel level--not your typical SOC alert.


Social Engineering: It's Coming from Inside the Teams Call!

KryptoKat: This week saw a surge in attacks that abuse trusted enterprise platforms. Multiple sources are reporting on a clever vishing campaign that starts with a simple Microsoft Teams call. The attacker impersonates IT support, convinces the target to initiate a Microsoft Quick Assist session, and then abuses that remote access to run a series of obfuscated PowerShell commands. The final payload is a fileless .NET malware that executes in memory to steal credentials and establish persistence. It's a textbook example of bypassing technical controls by going straight after the human. The best defense here is procedural: verify all inbound IT support requests out-of-band and treat any request to grant remote access with extreme suspicion.

This wasn't the only abuse of Microsoft's collaboration tool. ReliaQuest detailed a separate campaign by a Chinese APT group they call "Silver Fox" that uses SEO poisoning to serve up fake Microsoft Teams installers. Victims searching for the Teams client are directed to a malicious site, and the downloaded installer is actually a loader for the ValleyRAT backdoor. Both campaigns prey on the trust users have in the Teams brand. One goes through the front door with a phone call, the other leaves a malicious package on the doorstep.


Supply Chain Woes: Malice in the VS Code Marketplace

UncleSp1d3r: If you're a developer, check your Visual Studio Code extensions. Researchers at ReversingLabs found two popular extensions, "Codeium" and "Windsurf," that were typosquatting legitimate tools and had been modified to deliver a Rust-based trojan. The loader was cleverly hidden inside a fake PNG file bundled with the extension's JavaScript. Once activated, it establishes persistence via scheduled tasks and PowerShell, then begins exfiltrating data from the developer's machine. Compromising developer tools is hitting the jackpot for attackers--it’s a direct path to source code, credentials, and internal systems. Time to audit what you and your teams have installed.


Critical Infrastructure in the Crosshairs

KryptoKat: We got two stark reminders this week that operational technology (OT) and critical infrastructure are prime targets. First, the U.S. Department of Justice announced the arrest of a Ukrainian national for allegedly providing support to the pro-Russian hacktivist groups NoName057(16) and CyberArmyofRussia_Reborn. The indictment alleges these groups were responsible for attacks that had physical consequences, including intrusions at U.S. water utilities and a food processing plant. In conjunction, CISA and other agencies released a joint advisory urging OT operators to harden their defenses against these groups.

Second, a Forescout research report based on honeypot data shows exactly how these attacks often happen. Their analysis found that industrial routers at the OT perimeter are under constant attack, with 72% of intrusions coming from simple SSH/Telnet brute-force attacks against default credentials. The attackers aren't using zero-days; they're walking in through unlocked doors. It’s a powerful reminder that basic security hygiene--changing default passwords, segmenting networks, and restricting internet access to OT devices--is non-negotiable.


Closing Thoughts

UncleSp1d3r: It's easy to get distracted by the shiny new eBPF rootkits and blockchain C2 channels. And don't get me wrong, that stuff is fascinating. But then you see reports showing that the bulk of OT breaches come from admin:admin over Telnet, or that a massive ransomware campaign is enabled by a nine-year-old privilege escalation bug. We can't lose sight of the fundamentals. Patch your systems, turn off services you don't need, and for the love of all that is holy, change the default passwords.

KryptoKat: Stay safe out there.


New Nessus Plugin Releases (2025-12-11 & 2025-12-13)

A selection of new vulnerability detection plugins released by Tenable this week. For a full list, see the Tenable updates page.