PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182

Dec. 21, 2025, 6:57 p.m.

Description

A critical vulnerability in React Server Components (CVE-2025-55182) is being exploited across various organizations. Attackers are deploying cryptominer malware, a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq. PeerBlight uses the BitTorrent DHT network as a fallback C2 mechanism. CowTunnel initiates outbound connections to attacker-controlled FRP servers. ZinFoq implements interactive shells, SOCKS5 proxying, and timestomping capabilities. A Kaiji botnet variant is also being distributed. The exploitation attempts target multiple industries and use automated tools. Immediate patching is recommended due to the ease of exploitation.

Date

  • Created: Dec. 10, 2025, 2:34 p.m.
  • Published: Dec. 10, 2025, 2:34 p.m.
  • Modified: Dec. 21, 2025, 6:57 p.m.

Indicators


Additional Information

  • Construction
  • Culture and entertainment
  • keep.camdvr.org
  • vps-zap812595-1.zap-srv.com
  • help.093214.xyz
  • api.qtss.cc
  • United States of America

Linked vulnerabilities