INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
React2Shell Exploit Found
2026-02-20 21:07 | Severity: HIGH
Executive Summary (AI-generated)
A campaign exploiting CVE-2025-55182 ("React2Shell"), an unauthenticated remote code execution vulnerability in React Server Components disclosed on Dec. 3, 2025, is hitting organizations worldwide; US state and city governments, large financial institutions, major corporations and energy-sector utilities are among the entities scanned for exposure. Google Threat Intelligence Group attributes most of the observed exploitation to China-nexus espionage clusters (including Earth Lamia, tracked by GTIG as UNC5454, and Jackpot Panda) and to financially motivated actors, and has also observed Iran-nexus actors exploiting the flaw. Observed payloads include the MINOCAT tunneler, the SNOWLIGHT downloader, the HISONIC and COMPOOD backdoors, and XMRIG miners; the exploitation automation is indiscriminate enough that Linux-specific payloads were fired at Windows endpoints. A newly observed scanning tool maps React2Shell exposure ahead of exploitation, and the IPs behind attacks typically appeared in network telemetry about 45 days before they exploited, so this reconnaissance stage is the early-warning window defenders have before intrusions follow.
Technical Mitigations (AI-generated)
* Patch the React Server Components packages: move every react-server-dom package (and any framework such as Next.js that depends on or bundles one) off the vulnerable releases 19.0, 19.1.0, 19.1.1 and 19.2.0 to a fixed version per the React advisory. Because many standard dependency scanners do not flag Next.js installations as vulnerable to CVE-2025-55182, verify the installed RSC package versions directly in the lockfile and in node_modules rather than trusting a clean scanner result, and use network vulnerability scanners such as Nessus or OpenVAS only as a second check against exposed hosts.
* Apply secure coding practices: the flaw sits in framework code that handles input from unauthenticated clients, so keep the set of server-side entry points reachable from the network small, validate what they accept strictly, and make sure error handling does not leak internals. Review and testing of first-party code reduce the chance of introducing comparable issues.
* Monitor network traffic and system logs: on hosts serving React Server Components or Next.js, watch web-server and application logs for unexpected request patterns and watch the host for the post-exploitation behaviors reported here: new ELF executables such as MINOCAT, outbound Fast Reverse Proxy (FRP) tunnels, XMRIG miner activity, and BitTorrent DHT traffic from servers that have no reason to use it (PeerBlight's C2 fallback). Wireshark suits per-host packet analysis; a log pipeline such as the ELK Stack is needed to correlate across a fleet.
* Rate-limit and block at the edge: rate-limit public-facing services and block IPs observed scanning for React2Shell exposure. Attacking IPs appeared in telemetry around 45 days before exploitation on average, so addresses that surface in scan logs are worth blocking or watching before they are used to exploit; this also blunts the botnets that have added React2Shell to their arsenals.
* Use secure communication protocols: TLS for all traffic in transit is baseline hygiene and protects credentials and data, but it does not prevent exploitation of React2Shell, which arrives inside ordinary HTTPS requests to the application. Avoid legacy cleartext protocols like HTTP/1.0 or FTP for sensitive information.
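To make the first mitigation concrete, here is an added example (not code from this page, from the React project, or from any vendor cited here) that checks an npm lockfile for React Server Components packages pinned to the releases listed as vulnerable, including copies nested under another dependency, which is the case a top-level package.json check misses. The RSC package names are an assumption taken from the React advisory, since the page's own list is truncated, and the lockfile fragment is constructed.

```javascript
// Added example: scan a package-lock.json for React Server Components packages
// pinned to releases the page lists as vulnerable to CVE-2025-55182.
// ASSUMPTIONS: the RSC package names come from the React advisory (the page's
// own list is truncated); the sample lockfile below is constructed.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Normalize "19.0" (as the page writes it) and "19.0.0" (as npm pins it) to the
// same three-part form so comparisons are exact rather than prefix-based.
function normalizeVersion(v) {
  const parts = String(v).trim().split(".");
  while (parts.length < 3) parts.push("0");
  return parts.slice(0, 3).join(".");
}

const VULNERABLE = new Set(
  ["19.0", "19.1.0", "19.1.1", "19.2.0"].map(normalizeVersion)
);

function isVulnerableVersion(v) {
  return VULNERABLE.has(normalizeVersion(v));
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys are
// install paths such as "node_modules/react-server-dom-webpack" or, for a copy
// nested under another dependency, "node_modules/<dep>/node_modules/<pkg>".
// Nested copies are exactly what a scan of the top-level manifest does not see.
function findVulnerableRsc(lockfile) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    if (installPath === "") continue; // the root project entry
    const name = installPath.split("node_modules/").pop();
    if (!RSC_PACKAGES.has(name)) continue;
    if (meta && meta.version && isVulnerableVersion(meta.version)) {
      hits.push({ path: installPath, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment, not from any real project. "react" itself is
// deliberately absent from the RSC set: the page scopes the flaw to the RSC
// packages, so a 19.2.0 "react" entry alone is not a hit.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.3.0" }, // constructed non-vulnerable pin
  },
};

function report(lockfile) {
  const hits = findVulnerableRsc(lockfile);
  for (const h of hits) console.log(`VULNERABLE ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log("no vulnerable RSC package versions found in lockfile");
  return hits;
}

report(SAMPLE_LOCKFILE);
```

One caveat: a framework that vendors a compiled copy of an RSC package inside its own distribution, rather than declaring it as a lockfile dependency, will not appear in this scan at all; for such frameworks, check the framework's own version against its advisory rather than relying on the lockfile.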
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-66478
CVE-2025-55182
Target & Sectors
NORTH_AMERICA
energy
government
finance
defense
Incident Timeline
Dec. 3, 2025
Hackers used a new tool to scan for React2Shell exposure.
organisation
CVE-2025-55182
Introduction
On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed.
Hackers Go Big Game Hunting
CVE-2025-55182, also known as React2Shell, was first disclosed publicly on Dec. 3, 2025.
tactic
Remote Code Execution
tactic
T1584.004 - Server
2026-02-20
Chinese state-sponsored attackers began exploiting React2Shell, a vulnerability in React Server Components with a CVSS v3.x score of 10.0 and a CVSS v4 score of 9.3, in cloud and enterprise environments shortly after its disclosure.
organisation
CVE-2025-55182
In this blog post we focus on China-nexus espionage and financially motivated activity, but we have additionally observed Iran-nexus actors exploiting CVE-2025-55182.
organisation
Earth Lamia
Amazon Web Services (AWS) reporting indicates that China-nexus threat groups Earth Lamia and Jackpot Panda are also exploiting this vulnerability.
organisation
Google
For information on how Google is protecting customers and mitigation guidance, please refer to our companion blog post, Responding to CVE-2025-55182:
organisation
CVSS
CVE-2025-55182 Overview
CVE-2025-55182 is an unauthenticated RCE vulnerability in React Server Components with a CVSS v3.x score of 10.0 and a CVSS v4 score of 9.3.
That's why it earned a rare, maximum-severity 10 out of 10 in the Common Vulnerability Scoring System (CVSS).
infrastructure
19.0, 19.1.0, 19.1.1, 19.2.0
The specific RSC packages that are vulnerable to CVE-2025-55182 are versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
A large number of non-functional exploits, and consequently false information regarding viable payloads and exploitation logic, were widely distributed about this vulnerability during the initial days after disclosure.
organisation
CVE
Additionally, there was a separate CVE issued for Next.js (CVE-2025-66478); however, this CVE has since been marked as a duplicate of CVE-2025-55182.
organisation
Observed Exploitation Activity
Since exploitation of CVE-2025-55182 began, GTIG has observed diverse payloads and post-exploitation behaviors across multiple regions and industries.
organisation
CVE-2025-55182
That means many standard dependency scanning tools don't automatically flag Next.js installations as vulnerable to CVE-2025-55182.
organisation
RSC
Due to the use of React Server Components (RSC) in popular frameworks like Next.js, there are a significant number of exposed systems vulnerable to this issue.
infrastructure
Linux, Windows
organisation
ELF, NSS, FRP
MINOCAT is a 64-bit ELF executable for Linux that includes a custom "NSS" wrapper and an embedded, open-source Fast Reverse Proxy (FRP) client that handles the actual tunneling.
We actually caught attackers running Linux-specific payloads against Windows endpoints, which told us pretty clearly that the automation wasn't even differentiating between target operating systems.
organisation
MINOCAT, HISONIC, COMPOOD, XMRIG
GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlaps with activity previously reported by Huntress.
organisation
GitHub
An example of a repository that started out wholly non-functional is this repository published by the GitHub user "ejpir", which, while initially claiming to be a legitimate functional exploit, has now updated their README to appropriately label their initial research claims as AI-generated and non-functional.
organisation
UNC5454
GTIG tracks Earth Lamia as UNC5454.
organisation
VSHELL
SNOWLIGHT is a component of VSHELL, a publicly available multi-platform backdoor written in Go, which has been used by threat actors of varying motivations.
organisation
the Bank of New York Mellon, Goldman Sachs, Santander US Capital Markets, JPMorgan Chase, Salesforce, Visa, Disney, Energy
The state governments of Vermont and North Carolina
The city governments of Phoenix, Boston, and San Diego
Large financial institutions, including the Bank of New York Mellon, Goldman Sachs, Santander US Capital Markets, and JPMorgan Chase
Major corporations of all kinds, like Salesforce, Netflix, Visa, Paypal, and Disney
Energy sector organizations, including regional utilities, and possibly more kinds of industrial targets
Pinging a network isn't the same thing as compromising it.
organisation
React2Shell Exposure
Attackers Use New Tool to Scan for React2Shell Exposure.
organisation
Huntress
"What's been most striking over the past couple of months is how the threat landscape around this vulnerability has evolved in layers," says Anna Pham, senior hunt and response analyst at Huntress.
A few months later, the situation has yet to calm down, Pham says.
organisation
React2Shell
"There are still tens of thousands of vulnerable instances exposed on the internet, and additional botnets have added React2Shell to their arsenals.
organisation
PeerBlight, the BitTorrent DHT
We are seeing things like PeerBlight's use of the BitTorrent DHT as a resilient C2 fallback, which is a technique designed specifically to survive traditional domain takedowns," Pham says.
organisation
Log4Shell
Severe globe-spanning RCE vulnerabilities like React2Shell and Log4Shell offer immense opportunity for hackers.
organisation
IP
Some IP addresses used to launch React2Shell attacks in recent months first showed up in network telemetry, on average, around 45 days before they pulled the trigger.
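The observation above, that attacking IPs surface in telemetry weeks before they exploit, is only useful if a SOC actually correlates its scan logs with its exploitation alerts. The following is an added example, not code from Dark Reading, Huntress or GTIG, of that correlation: it computes, per source IP, the lead time between first appearance and first exploitation attempt, reports the average, and lists IPs seen scanning but not yet exploiting as a watchlist with their age. The event records, their field names and the reference time are constructed for the example.

```javascript
// Added example: per-IP lead time between first sighting and first exploitation,
// plus a watchlist of IPs that have only scanned so far. Not from the page's
// sources. ASSUMPTIONS: events carry {ip, ts (ISO 8601), kind: "scan"|"exploit"};
// all records below are constructed, including the "now" reference time.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed telemetry. 203.0.113.10 scans, then exploits 45 days later;
// 198.51.100.7 exploits 30 days after first sighting (one malformed record is
// included to show it is skipped); 192.0.2.44 has only scanned.
const EVENTS = [
  { ip: "203.0.113.10", ts: "2025-12-05T02:00:00Z", kind: "scan" },
  { ip: "203.0.113.10", ts: "2025-12-20T09:00:00Z", kind: "scan" },
  { ip: "203.0.113.10", ts: "2026-01-19T02:00:00Z", kind: "exploit" },
  { ip: "198.51.100.7", ts: "2026-01-01T00:00:00Z", kind: "scan" },
  { ip: "198.51.100.7", ts: "not-a-timestamp", kind: "scan" },
  { ip: "198.51.100.7", ts: "2026-01-31T00:00:00Z", kind: "exploit" },
  { ip: "192.0.2.44", ts: "2026-02-10T12:00:00Z", kind: "scan" },
];

// Returns { leadDays: {ip: days}, averageLeadDays, watchlist: [{ip, daysSinceFirstSeen}] }.
// "now" is passed in explicitly so results are reproducible.
function analyzeLeadTime(events, nowIso) {
  const now = Date.parse(nowIso);
  const byIp = new Map(); // ip -> { firstSeen, firstExploit }

  for (const e of events) {
    const t = Date.parse(e.ts);
    if (Number.isNaN(t)) continue; // malformed timestamp: skip, do not crash the run
    let rec = byIp.get(e.ip);
    if (!rec) {
      rec = { firstSeen: t, firstExploit: null };
      byIp.set(e.ip, rec);
    }
    if (t < rec.firstSeen) rec.firstSeen = t; // any event kind counts as a sighting
    if (e.kind === "exploit" && (rec.firstExploit === null || t < rec.firstExploit)) {
      rec.firstExploit = t;
    }
  }

  const leadDays = {};
  const watchlist = [];
  for (const [ip, rec] of byIp) {
    if (rec.firstExploit === null) {
      watchlist.push({ ip, daysSinceFirstSeen: (now - rec.firstSeen) / DAY_MS });
    } else {
      leadDays[ip] = (rec.firstExploit - rec.firstSeen) / DAY_MS;
    }
  }
  const leads = Object.values(leadDays);
  const averageLeadDays = leads.length
    ? leads.reduce((a, b) => a + b, 0) / leads.length
    : null;
  return { leadDays, averageLeadDays, watchlist };
}

const result = analyzeLeadTime(EVENTS, "2026-02-20T12:00:00Z");
for (const [ip, d] of Object.entries(result.leadDays)) {
  console.log(`${ip}: first seen ${d} days before first exploitation attempt`);
}
console.log(`average lead time: ${result.averageLeadDays} days`);
for (const w of result.watchlist) {
  console.log(`WATCH ${w.ip}: scanning for ${w.daysSinceFirstSeen} days, no exploitation yet`);
}
```

The watchlist is the actionable output: an IP that has been scanning for React2Shell exposure and has not yet exploited is, on the page's numbers, likely still inside its lead window, which is when a block or a targeted hunt costs the least.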
organisation
React2Shell Patching
React2Shell Patching Issues
Patching a deep-rooted vulnerability like React2Shell isn't as simple as clicking an "Update" button.
Dec. 12, 2025
GTIG identified multiple China-nexus threat clusters using CVE-2025-55182 to compromise victim networks globally.
source_region
China
vulnerability
CVE-2025-55182
China-Nexus Activity
As of Dec. 12, GTIG has identified multiple China-nexus threat clusters utilizing CVE-2025-55182 to compromise victim networks globally.
Tactical Metrics
Software Version: 19.0, 19.1.0, 19.1.1, 19.2.0 (the RSC package versions vulnerable to CVE-2025-55182)
Affected Product: Linux (MINOCAT is a 64-bit ELF executable for Linux), Windows (Linux-specific payloads were also run against Windows endpoints)
Intelligence Sources
Mandiant (2025-12-12)
Dark Reading (2026-02-20)
Last Updated: 2026-04-27T07:05
Comprehensive Tactical Telemetry
Highly Correlated Entities (count | type | role | value)
35x | organisation | Identified Entity | CVE-2025
6x | attribution | Attributing Entity | Google Threat Intelligence Group
5x | tactic | Cyber Operation Type | Espionage
4x | source region | Origin Country | China
4x | timeline | Temporal Reference | Dec. 12
4x | tactic | MITRE ATT&CK Technique | T1584.006 - Web Services
4x | infrastructure | Software Version | 19.0
4x | industry | Targeted Sector | Government
2x | vulnerability | Exploited CVE | CVE-2025-55182
2x | infrastructure | Affected Product | Linux
Contextual Telemetry
Context Block (6 metrics)
Versions: 19
Bit: 64
Target Country: United States
Origin Region: DPRK
Networks: 37,000
Severity: 10