Untangling a Linux Incident With an OpenAI Twist (Part 2)
ID: 63e222ea-6b3c-5098-8349-99a9aeade803
STIX ID: report--63e222ea-6b3c-5098-8349-99a9aeade803
Feed Name: Huntress Blog
Huntress SOC investigated a mid-compromise Linux host where multiple threat actors exploited the critical React2Shell vulnerability (CVE-2025-55182) in a Next.js/React application to drop cryptominers, a multi-revenue botnet (mining, proxy, bandwidth-selling), and a credential-harvesting infostealer that exfiltrated SSH keys, cloud credentials, API tokens and other sensitive files. The attackers used at least eight persistence mechanisms and multiple C2/staging hosts, and reinfected the rebuilt host because the underlying vulnerability remained unpatched. The report enumerates IOCs (IPs, domains, file hashes, wallet, API keys), reconstructs the attacker tradecraft, contrasts the failed AI-assisted (Codex) remediation steps with the SOC response, and recommends live EDR telemetry, comprehensive cleanup, and patching.
