Threat Actor: Weaxor (aka Mallox Rebrand)

Weaxor is the direct successor to the Mallox (TargetCompany/FARGO) ransomware operation. This rebranding represents a shift in TTPs, moving away from opportunistic MSSQL brute-forcing toward the rapid exploitation of web application vulnerabilities.

The group has been identified as the primary actor behind the weaponization of the React2Shell vulnerability, achieving an average “Time-to-Ransom” of under 60 minutes.

Technical Analysis: The React2Shell Campaign

Weaxor operators are actively scanning for and exploiting CVE-2025-55182, a critical Remote Code Execution (RCE) flaw in React Server Components.

1. Infection Chain

  1. Initial Access: Sending a malicious HTTP request to a vulnerable React/Next.js endpoint triggers arbitrary code execution.
  2. C2 Establishment: The initial payload immediately executes a PowerShell command to download and spawn a Cobalt Strike Beacon.
  3. Lateral Movement: Uses the beacon to deploy the Weaxor binary (.exe) directly into memory or to the %TEMP% directory.

2. Defense Evasion & Persistence

  • AMSI Bypass: Patches the Antimalware Scan Interface (AMSI) in memory to blind PowerShell script logging.
  • Service Termination: Attempts to kill specific EDR processes and standard SQL services to unlock database files for encryption.
  • Shadow Copies: Executes vssadmin.exe delete shadows /all /quiet to remove local backups.
  • Registry Modification:
    • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender -> Set DisableAntiSpyware to 1.

3. Encryption Details

  • Extension: Appends .weax to all encrypted files.
  • Ransom Note: RECOVERY INFORMATION.txt contains specific instructions for contacting the group via a Tor portal.
  • Targeted Extensions: Prioritizes .mdf, .ldf, .bak (SQL Database files) and .vhd/.vhdx (Virtual Hard Disks).
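The infection chain, defense-evasion steps and encryption artifacts above map onto host telemetry that defenders can alert on. The following is an added detection example written for this brief (not tooling from the original page or from any vendor): it runs a handful of rules over constructed, Sysmon-like events. The registry value, ransom note name, .weax extension and vssadmin command line are taken from the brief; the assumption that the exploited Next.js application runs under node.exe (so a PowerShell child of node.exe is the earliest signal) is ours.

```python
import re
from typing import Callable, Dict, List, Tuple

# Registry value and file names come from the brief; WEB_SERVER_IMAGES (Next.js under node.exe) is an assumption.
DEFENDER_VALUE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
WEB_SERVER_IMAGES = {"node.exe"}

def _base(path: str) -> str:  # lower-cased last path component
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def shadow_copy_deletion(ev: Dict) -> bool:
    return (ev.get("event") == "process_create" and _base(ev.get("image", "")) == "vssadmin.exe"
            and re.search(r"\bdelete\s+shadows\b", ev.get("cmdline", ""), re.I) is not None)

def defender_disabled(ev: Dict) -> bool:
    return (ev.get("event") == "registry_set" and str(ev.get("value")) == "1"
            and ev.get("target", "").lower() == DEFENDER_VALUE.lower())

def ransom_note_written(ev: Dict) -> bool:
    return ev.get("event") == "file_create" and _base(ev.get("path", "")) == "recovery information.txt"

def weax_extension(ev: Dict) -> bool:
    return ev.get("event") in ("file_create", "file_rename") and _base(ev.get("path", "")).endswith(".weax")

def web_server_spawned_powershell(ev: Dict) -> bool:  # earliest signal in the chain (assumed parent image)
    return (ev.get("event") == "process_create" and _base(ev.get("image", "")) in ("powershell.exe", "pwsh.exe")
            and _base(ev.get("parent", "")) in WEB_SERVER_IMAGES)

RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("web_server_spawned_powershell", web_server_spawned_powershell),
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("defender_disabled", defender_disabled),
    ("weax_extension", weax_extension),
    ("ransom_note_written", ransom_note_written),
]

def detect(events: List[Dict]) -> List[Tuple[int, str]]:  # -> (event index, rule name) per hit
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]

# Constructed sample telemetry in a Sysmon-like shape; not real captured events.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\nodejs\node.exe", "cmdline": "powershell.exe <redacted>"},
    {"event": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Users\Public\upd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "registry_set", "target": DEFENDER_VALUE, "value": 1},
    {"event": "file_rename", "path": r"D:\SQL\Backups\finance.bak.weax"},
    {"event": "file_create", "path": r"C:\Users\Public\RECOVERY INFORMATION.txt"},
    {"event": "file_create", "path": r"C:\Users\alice\report.docx"},  # benign, must not alert
]
```

Calling detect(SAMPLE_EVENTS) flags events 0 through 4 in order and stays silent on the benign document write.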

Indicators of Compromise (IOCs)

File Artifacts

  • Extension: .weax
  • Ransom Note: RECOVERY INFORMATION.txt
  • Binaries: net.exe (often the renamed Weaxor payload) and upd.exe.

Network Indicators

  • C2 Traffic: Outbound HTTPS traffic to Cobalt Strike Team Servers (often on ports 443, 8080, or 8443) immediately following an HTTP 500 or 200 response to a request against a React endpoint.