In December 2025, the disclosure of CVE-2025-55812, widely known as React2Shell, triggered immediate mass exploitation across the internet. The vulnerability allows unauthenticated remote code execution in React Server Components — giving attackers direct control of exposed systems.
Within hours, nation-state actors, botnets, and cybercriminal groups were actively weaponizing it.
Trinity Cyber stopped thousands of React2Shell exploitation attempts in real time across its Active Network Defense platform. Among them, two distinct attack clusters stood out, revealing how modern threat actors approach the same vulnerability in radically different ways.
Together, they offer a clear lesson: attackers don’t just exploit vulnerabilities — they adapt their payloads to defeat traditional security tools.
React is one of the most widely used JavaScript frameworks on the internet. React2Shell quickly became one of the most critical vulnerabilities of the year because:
Much like Log4Shell before it, React2Shell triggered a global race, with defenders rushing to patch while attackers rushed to compromise.
Over three months, Trinity Cyber analyzed thousands of real-world React2Shell payloads. Instead of treating them individually, analysts grouped attacks by behavior, which revealed two of the most interesting, and most opposite, exploitation strategies.
Our technical brief provides a comprehensive analysis of both the Teapot and Little Dash clusters and details how Trinity Cyber’s Full Content Inspection™ (FCI) provides coverage for both.
The Teapot cluster was a classic Mirai botnet campaign — but with a twist.
Mirai operators rapidly adapted React2Shell into their automated exploitation engine, aggressively targeting systems across 12 Linux architectures, including ARM, MIPS, PowerPC, and x86.
What made this campaign unusual was its anti-research tactics.
When analysts attempted to retrieve payloads with unfamiliar user agents, the servers responded with HTTP 418 (“I’m a teapot”), a rarely used response code that the operators employed to block researchers from further analysis. Only requests mimicking real Mirai binaries successfully retrieved the malware.
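The user-agent gating described above leaves a trace on the defender's side: a staging host that answers some download attempts with 418 and others with 200. The following script is an added example, not Trinity Cyber's code or part of the original brief; it parses a constructed, simplified proxy-log format (timestamp, client, method, URL, status, quoted User-Agent) and surfaces hosts that returned 418, plus hosts where the same destination served both 418 and 200 to different User-Agents. All hosts, clients and User-Agent strings in the sample are constructed for illustration.

```python
"""Hunting heuristic over web-proxy logs: surface HTTP 418 responses.

Added example (not Trinity Cyber's code). The log format below is an
assumption constructed for this example; adapt LINE_RE to your own proxy.
"""
import re
from collections import defaultdict

# Constructed sample log lines: ts, client, method, url, status, "user-agent".
# Hosts, clients and User-Agent strings are made up for illustration.
SAMPLE_LOG = """\
2025-12-03T10:01:12Z 10.0.5.21 GET http://203.0.113.9/bins/x86 418 "curl/8.4.0"
2025-12-03T10:01:15Z 10.0.5.21 GET http://203.0.113.9/bins/arm7 418 "python-requests/2.31"
2025-12-03T10:02:01Z 10.0.5.40 GET https://example.org/index.html 200 "Mozilla/5.0"
2025-12-03T10:03:44Z 10.0.5.21 GET http://203.0.113.9/bins/mips 200 "Wget/1.21.4"
2025-12-03T10:05:09Z 10.0.5.77 GET https://example.org/api 404 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def host_of(url):
    """Strip the scheme and path, leaving only the destination host."""
    return re.sub(r'^[a-z]+://', '', url).split('/')[0]


def find_teapot_hosts(records):
    """Return {host: {client: count}} for every host that answered 418 at least once.

    418 is almost never emitted by legitimate applications, so any host that
    returns it to a download attempt is a cheap, high-signal triage lead.
    """
    teapot = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec["status"] == 418:
            teapot[host_of(rec["url"])][rec["client"]] += 1
    return {h: dict(c) for h, c in teapot.items()}


def gated_downloads(records):
    """Hosts that served both 418 and 200, split by which User-Agents got which.

    This is the fingerprint of a server that gates content on the User-Agent:
    one set of agents is refused, another is served.
    """
    by_host = defaultdict(list)
    for rec in records:
        by_host[host_of(rec["url"])].append(rec)
    flagged = {}
    for host, recs in by_host.items():
        statuses = {r["status"] for r in recs}
        if 418 in statuses and 200 in statuses:
            flagged[host] = {
                "blocked_uas": sorted({r["ua"] for r in recs if r["status"] == 418}),
                "served_uas": sorted({r["ua"] for r in recs if r["status"] == 200}),
            }
    return flagged


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    print("418 responders:", find_teapot_hosts(recs))
    print("UA-gated hosts:", gated_downloads(recs))
```

Run against a real proxy export after adjusting `LINE_RE`; a host that appears in `gated_downloads` is worth pulling the full session for, since the served User-Agent tells you what the client on your network looked like when it got the payload.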
Once executed, payloads:
This was Mirai doing what it does best: fast, automated, and ruthlessly efficient.
In contrast, Little Dash appeared only 45 times across three days — but showed significantly higher sophistication.
These payloads included:
Once decrypted, the attack chain:
The design strongly suggests preparation for long-term access — and possibly self-propagating exploitation.
Where Teapot relied on speed and scale, Little Dash relied on stealth and evasion.
Despite their differences, both clusters shared one critical dependency:
The malicious payload had to reach the target system.
Traditional security tools rely heavily on:
When payloads are encrypted, obfuscated, or novel, those controls often fail.
Trinity Cyber’s FCI inspects live network traffic before execution — regardless of encryption, payload size, or evasion technique.
Instead of alerting after compromise, FCI:
That’s why Trinity Cyber prevented both high-volume Mirai exploitation and stealthy precision attacks without blocking workflows or generating alert fatigue.
React2Shell illustrates how modern exploitation unfolds:
If defenders can’t see the full content of network traffic, they can’t stop modern attacks.
Want to see how Trinity Cyber defeats threats like React2Shell before they reach your environment? Schedule a live demo today.