Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery

Google has also mentioned seeing React2Shell attacks conducted by Iranian threat actors.

React vulnerability exploited

Google has observed five China-linked threat groups exploiting the recently disclosed React2Shell vulnerability in their attacks.

React2Shell, officially tracked as CVE-2025-55182, affects version 19 of the React user interface library, specifically deployments that use React Server Components (RSC). Beyond React itself, CVE-2025-55182 can affect many applications built on frameworks that ship RSC support, including Next.js, Waku, React Router, and RedwoodSDK.

CVE-2025-55182 is a critical vulnerability that allows unauthenticated remote code execution on the server via specially crafted HTTP requests.
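The first question for a defender is whether a given application even contains the affected code, including copies pulled in transitively by a framework. The following Node script is an added example, not code from the article, Google, or the React project: it walks an npm lockfile (v2/v3 `packages` map), reports every installed copy of the React 19 and RSC runtime packages, and lists the frameworks the article names so their versions can be checked against the vendor advisory. The mapping from framework to npm package name is my assumption (in particular `rwsdk` for RedwoodSDK), the `react-server-dom-*` packages are my guess at where the RSC runtime lives, and the embedded lockfile is constructed for the demo; the script deliberately does not encode fixed versions, which the article does not state.

```javascript
"use strict";

// React 19 packages the article puts in scope, plus the RSC runtime packages
// (my assumption about where the server-side RSC code lives).
const REACT_FAMILY = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Frameworks the article names. npm package names are my mapping, not the
// article's; "rwsdk" for RedwoodSDK in particular is an assumption.
const FRAMEWORKS = new Map([
  ["next", "Next.js"],
  ["waku", "Waku"],
  ["react-router", "React Router"],
  ["rwsdk", "RedwoodSDK (assumed package name)"],
]);

// Lockfile v2/v3 keys are install paths such as "node_modules/next" or
// "node_modules/widget/node_modules/react". The package name (scoped or not)
// is whatever follows the last "node_modules/"; the root entry "" has none.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

function majorVersion(version) {
  const m = /^(\d+)\./.exec(version || "");
  return m ? Number(m[1]) : null;
}

// Walk every installed copy, nested duplicates included, and return findings.
// React-family packages are flagged only on the 19.x line the article names;
// framework packages are always reported for manual review because the fixed
// versions are not encoded here.
function inventoryRsc(lockfile) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (!name) continue;
    if (REACT_FAMILY.has(name)) {
      findings.push({
        name,
        version: meta.version,
        path: installPath,
        status: majorVersion(meta.version) === 19 ? "flag: React 19 line" : "info: not React 19",
      });
    } else if (FRAMEWORKS.has(name)) {
      findings.push({
        name,
        version: meta.version,
        path: installPath,
        status: `review: ${FRAMEWORKS.get(name)} against advisory`,
      });
    }
  }
  return findings;
}

// Constructed lockfile fragment standing in for a real package-lock.json:
// a Next.js app on React 19 that also bundles a widget pinning React 18.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/legacy-widget": { version: "2.0.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// CLI: `node rsc-inventory.js [path/to/package-lock.json]`; without a path the
// constructed sample above is used.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lockfile = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  for (const f of inventoryRsc(lockfile)) {
    console.log(`${f.status.padEnd(36)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Run it against each deployed application's lockfile rather than the repository root alone, since monorepos and vendored widgets can carry a second React copy at a different version. A "flag" line means React 19 code is present and the version must be compared with the patched releases in the advisory; a "review" line means an RSC framework is installed and its own advisory applies.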

React2Shell was disclosed on December 3, and in-the-wild exploitation began the same day.

AWS reported that Chinese threat actors tracked as Earth Lamia and Jackpot Panda had started exploiting the React vulnerability shortly after its public disclosure.

The Google Threat Intelligence Group (GTIG) has also been monitoring React2Shell attacks, and over the weekend it reported seeing at least five additional China-linked threat groups delivering malware through exploitation of the vulnerability.

GTIG tracks Earth Lamia as UNC5454, but it has not shared details of any associated attacks it may have observed.

Instead, GTIG briefly described attacks conducted by five other groups. One of them is the espionage cluster tracked as UNC6600, which has exploited React2Shell to deliver a tunneler named Minocat.

A group identified as UNC6586 has been seen using React2Shell to deploy a downloader named Snowlight, which has been leveraged to deliver other payloads disguised as legitimate files.

UNC6588 exploited CVE-2025-55182 to download a backdoor named Compood, which Chinese threat actors have typically used in espionage campaigns. In this case, however, GTIG was unable to determine the attackers' goals.

UNC6603 delivered a backdoor named Hisonic, and UNC6595 deployed a piece of malware tracked as Angryrebel.Linux.

Many threat actors, including profit-driven cybercriminals, have been observed exploiting React2Shell to deliver a wide range of malware.

While exploitation by Chinese and North Korean threat actors was previously reported, Google also mentioned seeing attacks conducted by Iran-linked groups. 

New React vulnerabilities

Since the disclosure of React2Shell, the existence of three other React vulnerabilities has come to light. 

Two of them, CVE-2025-55184 and CVE-2025-67779, are rated high severity but can only be exploited for denial of service (DoS).

The third, CVE-2025-55183, is a medium-severity flaw that can lead to source code exposure.
