
Weaxor Ransomware Exploits React2Shell Vulnerability in Targeted Attacks

1 unique source, 1 article

Summary


The Weaxor ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to a corporate network and deployed the ransomware within a minute. The attack involved disabling Windows Defender, deploying a Cobalt Strike beacon, and encrypting files with the '.WEAX' extension. The vulnerability, an insecure deserialization issue in React Server Components, has been exploited by various threat actors since its disclosure. The attack was limited to the vulnerable endpoint, with no lateral movement observed. The same host was later compromised by other attackers, indicating high malicious activity around React2Shell.

Timeline

  1. 17.12.2025 18:09 · 1 article

    Weaxor Ransomware Exploits React2Shell in Targeted Attack

    On December 5, the Weaxor ransomware gang exploited the React2Shell vulnerability to gain initial access to a corporate network and deployed the ransomware within a minute. The attack involved disabling Windows Defender, deploying a Cobalt Strike beacon, and encrypting files with the '.WEAX' extension. The attack was limited to the vulnerable endpoint, with no lateral movement observed. The same host was later compromised by other attackers.


Information Snippets

  • React2Shell (CVE-2025-55182) is an insecure deserialization issue in React Server Components' Flight protocol, allowing remote code execution without authentication.

    First reported: 17.12.2025 18:09
    1 source, 1 article
  • Weaxor ransomware is a rebrand of the Mallox/FARGO operation, targeting public-facing servers with opportunistic attacks.

    First reported: 17.12.2025 18:09
    1 source, 1 article
  • The attack involved deploying a Cobalt Strike beacon, disabling Windows Defender, and encrypting files with the '.WEAX' extension.

    First reported: 17.12.2025 18:09
    1 source, 1 article
  • The attack was limited to the vulnerable endpoint, with no lateral movement observed.

    First reported: 17.12.2025 18:09
    1 source, 1 article
  • The same host was subsequently compromised by other attackers using different payloads.

    First reported: 17.12.2025 18:09
    1 source, 1 article
  • S-RM recommends reviewing Windows event logs and EDR telemetry for signs of React2Shell exploitation, such as process creation from Node or React binaries.

    First reported: 17.12.2025 18:09
    1 source, 1 article
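The hunting advice above (process creation from Node or React binaries, plus the Defender-disabling step described in the incident) can be turned into a simple triage pass over process-creation telemetry. The following is an added example, not code from S-RM or from the original article; it assumes the React Server Components app is served by `node.exe`, that events are exported as one `Key=Value|Key=Value` line per record (a constructed format), and that the child-process and Defender-tampering lists are reasonable starting points rather than an exhaustive rule set.

```python
import re
from dataclasses import dataclass

# Assumed: the exploited React Server Components app runs under node.exe, so a shell or
# download utility whose parent is node.exe is the process-creation signal to hunt for.
NODE_PARENTS = {"node.exe", "node"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "rundll32.exe", "curl.exe", "bitsadmin.exe", "mshta.exe"}
# Command-line fragments typical of tampering with Windows Defender (assumed, non-exhaustive list).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|ExclusionPath", re.I)

@dataclass
class Finding:
    line_no: int
    reason: str
    command: str

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' rendering of a process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(lines) -> list:
    """Flag node.exe spawning shells/LOLBins and Defender-tampering command lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent in NODE_PARENTS and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding(n, f"{parent} spawned {child}", cmd))
        if DEFENDER_TAMPER.search(cmd):
            findings.append(Finding(n, "Defender tampering in command line", cmd))
    return findings

# Constructed sample telemetry; only records 2 and 3 should be flagged.
SAMPLE_EVENTS = [
    r"EventID=1|ParentImage=C:\Windows\System32\services.exe|Image=C:\Program Files\nodejs\node.exe|CommandLine=node server.js",
    r"EventID=1|ParentImage=C:\Program Files\nodejs\node.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
    r"EventID=1|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Get-Date",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.line_no}: {f.reason}: {f.command}")
```

Against real Sysmon Event ID 1 or Windows 4688 exports, only `parse_event` needs replacing; the parent/child and command-line checks stay the same.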