Weaxor Ransomware Exploits React2Shell Vulnerability in Rapid Attacks A ransomware gang leveraged the critical React2Shell vulnerability (CVE-2025-55182) to breach corporate networks and deploy Weaxor ransomware in under a minute. The flaw, an insecure deserialization issue in React Server Components (RSC) and Next.js, allows unauthenticated remote code execution on vulnerable servers. First disclosed in late 2024, React2Shell quickly became a target for both nation-state hackers—deploying cyberespionage tools like EtherRAT—and cybercriminals, who used it for cryptocurrency mining. On December 5, researchers at S-RM observed the Weaxor ransomware operation exploiting the vulnerability in a real-world attack. Weaxor, a rebrand of the Mallox/FARGO ransomware (active since 2024), is a low-complexity operation targeting public-facing servers with opportunistic attacks. Unlike more advanced ransomware groups, it does not exfiltrate data or use double-extortion tactics, instead demanding relatively modest ransoms. The attack unfolded rapidly: - Initial access via React2Shell was followed by an obfuscated PowerShell command deploying a Cobalt Strike beacon for command-and-control (C2). - The threat actor disabled Windows Defender’s real-time protection before executing the ransomware payload. - Encrypted files received the .WEAX extension, with ransom notes (RECOVERY INFORMATION.txt) left in affected directories. - The attackers wiped volume shadow copies and cleared event logs to hinder recovery and forensic analysis. Notably, the breach remained contained to the vulnerable endpoint, with no observed lateral movement. However, the same compromised host was later targeted by additional attackers, underscoring the high demand for React2Shell exploits. S-RM researchers recommend monitoring for suspicious process creation—particularly cmd.exe or PowerShell spawned from node.exe—as well as unusual outbound connections, disabled security tools, and log tampering. While patching is critical, defenders should also review EDR telemetry for signs of exploitation.

S-RM encountered a sophisticated ransomware attack initiated by the Akira group, involving the exploitation of IoT devices, specifically an insecure webcam, to bypass EDR tools and encrypt files on the network. This innovative tactic allowed the attackers to overcome security measures and establish persistent access through AnyDesk.exe and lateral movement via RDP. The incident required a response team to address the breach and implement new security strategies. The data exfiltration and encryption caused considerable disruption to the company's operations, likely affecting its finances and reputation due to the sophisticated nature of the attack.