Of course. Maybe not successfully but a "virus" is just software. If it runs software, it runs software, full stop. Maybe the same APIs are not available or behave differently, so it may be buggy or non-functional, but that's true of Half-Life here too.

WannaCry was able to successfully run on ReactOS in 2025. Most other virsuses do tend to crash, because the memory layout is just a tiny bit different, but yeah, compatibility means compatibility. Lots of malware comes along for the ride.

However, there is a permissions layer that is more nix than Windows, which means the first foothold is still better than XP - you have to choose to execute the file. Self-running things don't tend to infect systems.

Its not a panacea, and there is a risk factor. And there aren't a lot of antivirus systems that can run correctly under ReactOS, because they freak out and think the OS is the malware, because they're scanning hashes for Windows, not another system.

But for a hobby OS, keeping hardware and software accessible after the rest of the world broke access, it still works.

Some, but not all, most don't. Ideally they would all work, ReactOS doesn't make a priority on being a "safer" option, just an open source option

The payload yes, the exploit hopefully not.

Somewhere in the docs they state that they must also recreate whatever bugs the API has, otherwise applications written with those bugs as an (implicit) assumption could misbehave.

Yes

Maybe worry about Linux malware which is a major problem right now everyone is in huge denial about, instead of throwing shade at a hobby OS emulating a 25 year old version of Windows.

ReactOS isn't the one that just had one of its package repos owned (again).