React2Shell in the Wild: How Attackers Weaponize Botnets and Stealthy Attacks | Trinity Cyber
ID: ea8d5392-87f8-5ff3-ade1-51105c4822a5
STIX ID: report--ea8d5392-87f8-5ff3-ade1-51105c4822a5
Feed Name: Trinity Cyber Blog
**Executive Summary:** In December 2025, the disclosure of CVE-2025-55812 (React2Shell) led to widespread active exploitation. Trinity Cyber observed two clusters: a high-volume Mirai-style 'Teapot' campaign targeting 12 Linux architectures, and a low-volume, high-sophistication 'Little Dash' cluster using multilayer obfuscation and AES encryption. Both clusters demonstrate active in-the-wild exploitation, varied attacker goals (mass compromise vs. stealthy persistence), and the limitations of detection-only defenses. Trinity’s Full Content Inspection prevented these payloads from reaching endpoints.
