Google Finds Five China-Nexus Groups Exploiting React2Shell Flaw
<p>At least five China-nexus threat groups are exploiting the <a href="https://securityboulevard.com/2025/12/exploitation-efforts-against-critical-react2shell-flaw-accelerate/" target="_blank" rel="noopener">high-profile React2Shell vulnerability</a> in cyberespionage and financially motivated attacks, according to threat researchers with Google.</p>
<p>The groups are among an expanding number of bad actors that have targeted the maximum-severity security flaw – tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-55182" target="_blank" rel="noopener">CVE-2025-55182</a> – in React Server Components (RSC). The flaw is an attractive target because RSC and associated frameworks, including Next.js, are broadly deployed and the vulnerability is relatively easy to exploit.</p>
<p>Researchers with Google Threat Intelligence Group (GTIG) said in a recent report that they, like other threat analysts, saw rapid and widespread exploitation attempts within hours of the unauthenticated remote code execution (RCE) vulnerability being disclosed December 3, with Amazon Web Services (AWS) pointing to <a href="https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/" target="_blank" rel="noopener">multiple Chinese-linked threat groups</a>, including <a href="https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Earth%20Lamia" target="_blank" rel="noopener">Earth Lamia</a> and <a href="https://www.crowdstrike.com/adversaries/jackpot-panda/" target="_blank" rel="noopener">Jackpot Panda</a>.</p>
<p>In their <a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/" target="_blank" rel="noopener">report</a>, GTIG researchers focused on groups linked to the People’s Republic of China (PRC) and their efforts to compromise targeted networks around the world.</p>
<h3>The China Five</h3>
<p>One group, which GTIG tracks as UNC6600, is exploiting React2Shell to deliver Minocat, its custom Linux tunneler. Tunnelers hide malicious traffic among normal network communication, which allows the operator to bypass security tools, steal data or deliver additional malware.</p>
<p>Another group, UNC6586, abused CVE-2025-55182 in separate incidents to download and launch the SnowLight downloader.</p>
<p>“SNOWLIGHT is a component of VSHELL, a publicly available multi-platform backdoor written in Go, which has been used by threat actors of varying motivations,” the GTIG researchers wrote, adding that they “observed SNOWLIGHT making HTTP GET requests to C2 infrastructure … to retrieve additional payloads masquerading as legitimate files.”</p>
<p>There also have been multiple incidents of UNC6588 exploiting React2Shell and then downloading the Compood backdoor before executing a sample of the malware that masqueraded as Vim, a Linux-based text editor. The researchers said there wasn’t “significant follow-on activity, and this threat actor’s motivations are currently unknown.”</p>
<p>“COMPOOD has historically been linked to suspected China-nexus espionage activity,” they wrote. “In 2022, GTIG observed COMPOOD in incidents involving a suspected China-nexus espionage actor, and we also observed samples uploaded to VirusTotal from Taiwan, Vietnam, and China.”</p>
<h3>Targeting the Cloud, VPS</h3>
<p>Another backdoor – this one deployed by the UNC6603 threat group – is Hisonic, an implant written in the Go programming language that retrieves an encrypted configuration from legitimate cloud services, such as Cloudflare Pages and GitLab, according to GTIG.</p>
<p>“This technique allows the actor to blend malicious traffic with legitimate network activity,” the researchers wrote. “In this instance, the actor embedded an XOR-encoded configuration for the HISONIC backdoor delimited between two markers, ‘115e1fc47977812’ to denote the start of the configuration and ‘725166234cf88gxx’ to mark the end.”</p>
<p>Based on the telemetry, the GTIG researchers wrote that UNC6603 is likely targeting cloud infrastructure – particularly AWS and Alibaba Cloud instances – in the Asia Pacific region.</p>
<p>The Chinese threat group UNC6595 is abusing React2Shell to deploy malware called Angryrebel.Linux against infrastructure hosted on international virtual private servers, the researchers wrote.</p>
<p>“These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js,” the GTIG researchers wrote.</p>
<h3>North Korean, Iranian Groups Also in the Mix</h3>
<p>Other security research teams have seen threat groups linked to other countries exploiting CVE-2025-55182. Analysts with Palo Alto Networks’ <a href="https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html" target="_blank" rel="noopener">Unit 42</a> and <a href="https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks?" target="_blank" rel="noopener">Sysdig</a> detected activity aimed at the vulnerability that overlapped with Contagious Interview, a scheme linked to North Korean threat actors who pose as recruiters to deploy malware on the systems of people looking for IT jobs. The scams haven’t been attributed to any particular group.</p>
<p>That said, the Unit 42 researchers wrote that another North Korean actor, UNC5342, is using the EtherHiding technique – which abuses blockchains to store and retrieve malicious payloads – to deliver malware and steal cryptocurrency.</p>
<p>In addition, GTIG said it also has seen threat groups linked to Iran’s government trying to exploit the React security flaw.</p>
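<p>The marker-delimited, XOR-encoded HISONIC configuration described in the “Targeting the Cloud, VPS” section lends itself to a simple analyst tool. The following Python is an added example, not code from GTIG or from the implant: it extracts the blob between the two markers quoted in the report from fetched page content and recovers the XOR key by testing for printable JSON output. The one-byte key size, the JSON structure of the config and the sample page are assumptions made for this demo; the report states none of them.</p>

```python
import json
import string

# Delimiters quoted in the GTIG report for the HISONIC configuration.
START_MARKER = b"115e1fc47977812"
END_MARKER = b"725166234cf88gxx"
PRINTABLE = set(string.printable.encode("ascii"))


def extract_between(page: bytes, start: bytes = START_MARKER, end: bytes = END_MARKER):
    """Bytes between the first start marker and the following end marker, or None if either is missing."""
    s = page.find(start)
    if s < 0:
        return None
    s += len(start)
    e = page.find(end, s)
    return page[s:e] if e >= 0 else None


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(blob: bytes):
    """Assumption for this demo: a one-byte repeating key (the report does not state the key size).
    Try all 256 keys and keep the first whose output is printable ASCII and parses as JSON."""
    for k in range(256):
        candidate = xor_bytes(blob, bytes([k]))
        if all(c in PRINTABLE for c in candidate):
            try:
                json.loads(candidate.decode("ascii"))
                return k, candidate
            except ValueError:
                continue
    return None, None


def decode_marker_delimited_config(page: bytes):
    """Locate the marker-delimited blob in fetched page content and return the decoded config dict."""
    blob = extract_between(page)
    if blob is None:
        return None
    _, plain = recover_single_byte_key(blob)
    return json.loads(plain.decode("ascii")) if plain is not None else None


def build_sample_page(config: dict, key: int) -> bytes:
    """Constructed sample only: a benign-looking page with the encoded config between the markers."""
    encoded = xor_bytes(json.dumps(config).encode("ascii"), bytes([key]))
    return b"<html><body>Release notes</body>" + START_MARKER + encoded + END_MARKER + b"</html>"
```

The same extraction applies to any fetched body; the key search is the only part that assumes the demo's one-byte key, and a page with one marker missing is reported as not carrying a configuration rather than raising.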