  • Researchers say threat actors wielded the sophisticated - and unfortunately named - toolkit to target high-value networks for React2Shell exploitation.
  • Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts.
  • “Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim system,” Trellix researcher Aswath A said in a technical report published last week.
  • “Furthermore, the malware exhibits worm-like capabilities, spreading across external storage devices, enabling lateral movement even in air-gapped environments.”
  • The entry point of the attack is the use of social engineering decoys, advertising free premium software in the form of pirated software bundles, such as installers for office productivity suites, to trick unsuspecting users into downloading malware-laced executables.
  • The binary acts as the central nervous system of the infection, serving different roles as an installer, watchdog, payload manager, and

Article Summaries:

  • Researchers report that a sophisticated threat-actor group is using a newly identified toolkit, “ILovePoop,” to scan tens of millions of IP addresses for the high-severity React2Shell (CVE-2025-55182) remote-code-execution flaw. The group appears to target high-value sectors (government, defense, finance, and industry), particularly in the United States. Initial attacks were automated, deploying generic payloads, but recent activity shows more targeted post-exploitation tactics, including resilient command-and-control via BitTorrent DHT. The vulnerability, disclosed in December 2025, remains widely exposed, and the attackers’ use of ILovePoop suggests possible state-sponsored espionage.
  • Cybersecurity researchers have identified a new cryptojacking campaign that uses pirated software bundles as social-engineering lures to deploy a custom XMRig miner. The malware, a modular dropper, installs persistence modules, escalates privileges via a BYOVD driver (CVE-2020-14979), and can spread through external storage devices, even in air-gapped environments. It includes a time-based logic bomb that stops the infection after December 23, 2025, likely to align with the expiration of command-and-control infrastructure or a shift in the crypto market. The campaign prioritizes maximum mining hashrate, destabilizing victim systems and enabling lateral movement.
  • Researchers say threat actors wielded the sophisticated - and unfortunately named - toolkit to target high-value networks for React2Shell exploitation.

Sources: