
Weaxor ransomware deployment after React2Shell access

Malware Activity
Happening score: 52
1 unique source, 1 article

Summary


Weaxor ransomware was deployed after a React2Shell foothold, encrypting a compromised endpoint and increasing the risk of operational disruption and recovery delays. The malware marked files with the .WEAX extension and dropped RECOVERY INFORMATION.txt ransom notes. The activity also included Windows Defender tampering, Cobalt Strike use, and event-log clearing in a December 5 attack.

Related Happenings

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

How related: Within hours of its disclosure, nation-state hackers started to exploit it in cyberespionage operations or to deploy new EtherRAT malware.

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

Reynolds ransomware BYOVD defense-evasion activity

Malware Activity
First: 10.02.2026 16:36 Last: 10.02.2026 16:36 Sources 1

About this happening: The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...

Sicarii ransomware per-execution RSA key generation breaks decryption

Malware Activity
First: 28.01.2026 00:15 Last: 28.01.2026 00:15 Sources 1

About this happening: The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...

CyberVolk VolkLocker RaaS debut targeting Linux/VMware ESXi and Windows

Malware Activity
First: 13.12.2025 17:11 Last: 13.12.2025 17:11 Sources 1

About this happening: **CyberVolk** expanded its **VolkLocker** ransomware operation in **August 2025**, putting **Linux/VMware ESXi** and **Windows** environments at risk. The malware’s **Golang timer...

Timeline

  1. 17.12.2025 18:09 1 article · 5mo ago

    React2Shell initial access and Cobalt Strike setup on corporate networks

    Exploitation Observed

    A ransomware gang exploited CVE-2025-55182 against React/Next.js-based systems to gain initial access to corporate networks, then executed obfuscated PowerShell to deploy a Cobalt Strike beacon for C2 communication and disabled Windows Defender real-time protection.

  2. 17.12.2025 18:09 1 article · 5mo ago

    Weaxor encrypts files and erases recovery artifacts on the affected endpoint

    Victim Impact Update

    Shortly after initial access on the affected endpoint, Weaxor ransomware encrypted files with the '.WEAX' extension, dropped 'RECOVERY INFORMATION.txt' ransom notes in impacted directories, wiped volume shadow copies, and cleared event logs to hinder recovery and forensic analysis.

  3. 17.12.2025 18:09 2 articles · 5mo ago

    S-RM reports December 5 React2Shell ransomware activity

    Technical Analysis Update

    S-RM reported that React2Shell was used in an attack on December 5 against a React/Next.js-based target that deployed the Weaxor ransomware strain, and advised defenders to inspect Windows event logs and EDR telemetry for process creation from Node- or React-related binaries.

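As an added example (not from this page or from S-RM), the Python triage below applies the detection advice above to constructed Sysmon-style events: it flags a shell spawned by a Node- or React-related binary, an encoded PowerShell command line, shadow-copy deletion, '.WEAX' file writes, 'RECOVERY INFORMATION.txt' notes and Security-log clearing, then groups the findings per host so the whole chain on one endpoint is visible. The event shape, field names and all sample records are assumptions constructed for the example.

```python
import re

# Constructed sample events in a Sysmon-like shape (field names are an
# assumption, not real telemetry): id 1 = process create, 11 = file create,
# 1102 = Security log cleared.
EVENTS = [
    {"id": 1, "host": "web01", "parent": r"C:\Program Files\nodejs\node.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"id": 1, "host": "web01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 11, "host": "web01", "target": r"C:\Users\svc\Docs\RECOVERY INFORMATION.txt"},
    {"id": 11, "host": "web01", "target": r"C:\Users\svc\Docs\report.docx.WEAX"},
    {"id": 1102, "host": "web01"},
    {"id": 1, "host": "web02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

WEB_PARENTS = re.compile(r"\\(node|next|npm)\.exe$", re.I)   # Node/React-related binaries
SHELLS = re.compile(r"\\(powershell|pwsh|cmd)\.exe$", re.I)
ENC_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)  # encoded PowerShell

def classify(ev):
    """Return finding labels for one event; an empty list means nothing matched."""
    hits = []
    if ev["id"] == 1:
        if WEB_PARENTS.search(ev["parent"]) and SHELLS.search(ev["image"]):
            hits.append("web_process_spawned_shell")
        if ENC_FLAG.search(ev["cmd"]):
            hits.append("encoded_powershell")
        if ev["image"].lower().endswith("vssadmin.exe") and "delete shadows" in ev["cmd"].lower():
            hits.append("shadow_copy_deletion")
    elif ev["id"] == 11:
        target = ev["target"].lower()
        if target.endswith(".weax"):
            hits.append("weax_extension_write")
        if target.endswith("recovery information.txt"):
            hits.append("weaxor_ransom_note")
    elif ev["id"] == 1102:
        hits.append("security_log_cleared")
    return hits

def triage(events):
    """Group findings per host so the whole chain on one endpoint is visible."""
    findings = {}
    for ev in events:
        for label in classify(ev):
            findings.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in findings.items()}
```

Calling `triage(EVENTS)` returns only web01 with all six labels; the benign explorer-to-notepad event on web02 produces no finding.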