React2Shell Side Quest: Tracking Down Malicious MeshCentral Nodes
ID: aae73e66-03fe-557b-82b7-52cfbce40036
STIX ID: report--aae73e66-03fe-557b-82b7-52cfbce40036
Feed Name: GreyNoise Labs
A campaign using React2Shell RCE exploits (CVE-2025-55182 and CVE-2025-66478) was observed downloading and installing MeshCentral RMM agents from a recently registered domain (aupporte.com) to achieve persistent remote control. The report analyzes the malicious command and the meshinstall.sh installer (including its SHA256), enumerates hosting and geolocation inconsistencies, lists dozens of observed MeshCentral-related IPs, and offers detection and mitigation guidance such as baselining RMM usage, monitoring agent installation behavior, and implementing application allowlisting.
