PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
Essential information
- Published: 10/12/2025 14:34
- Modified: 21/12/2025 18:57
- Tags: 2025-12-10, CVE-2025-55182, bittorrent, dht, cowtunnel, kaiji, linux, backdoor, peerblight, post-exploitation, react2shell, zinfoq
- Related entities: 3 vulnerabilities (cve), 36 observables, 20 techniques (mitre), 4 malware, 7 others
Description
A critical vulnerability in React Server Components (CVE-2025-55182, also known as React2Shell) is being exploited against organizations across multiple industries. Attackers are deploying cryptominer malware, a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq. PeerBlight uses the BitTorrent DHT network as a fallback C2 mechanism. CowTunnel initiates outbound connections to attacker-controlled FRP servers. ZinFoq implements interactive shells, SOCKS5 proxying, and timestomping capabilities. A Kaiji botnet variant is also being distributed. The exploitation attempts rely on automated tools. Because the vulnerability is easy to exploit, immediate patching is recommended.