Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)


On Dec. 3, 2025, a critical unauthenticated RCE in React Server Components (CVE-2025-55182, “React2Shell”) was publicly disclosed and rapidly exploited to execute arbitrary code on vulnerable React/Next.js servers. Google Threat Intelligence Group (GTIG) observed multiple campaigns deploying MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, ANGRYREBEL.LINUX, and XMRIG, and recommends immediate patching, WAF deployment, dependency audits, and targeted hunting.

Key Points

  • GTIG tracked widespread exploitation of CVE-2025-55182 (React2Shell) beginning Dec 3, 2025, affecting vulnerable React Server Components and Next.js deployments.
  • Observed payloads include MINOCAT tunneler, SNOWLIGHT downloader, HISONIC and COMPOOD backdoors, ANGRYREBEL.LINUX, and XMRIG cryptominer deployments.
  • China-nexus clusters (e.g., UNC6600, UNC6586, UNC6588, UNC6603, UNC6595) were observed using the vulnerability for espionage and cloud infrastructure targeting; financially motivated actors deployed XMRIG miners.
  • Adversaries used wget/cURL to fetch scripts and binaries, created persistence via cron jobs and systemd services, and leveraged legitimate cloud services to retrieve encrypted configurations.
  • GTIG provided IOCs (domains, IPs, SHA256 hashes, filenames), YARA rules, and concrete hunting guidance including detection of hidden directories, terminated processes (ntpclient), and shell-config modifications.
  • Immediate mitigations include patching React Server Components to fixed versions, deploying WAF rules (Cloud Armor), auditing dependencies, monitoring outbound connections, and hunting for post-compromise artifacts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – CVE-2025-55182 allowed unauthenticated remote code execution via a single HTTP request (‘The flaw allows unauthenticated attackers to send a single HTTP request that executes arbitrary code with the privileges of the user running the affected web server process.’)
  • [T1105] Ingress Tool Transfer – Adversaries fetched and executed payloads using wget/cURL to download tools like SNOWLIGHT and COMPOOD (‘execute a command using cURL or wget to retrieve a script that then downloaded and executed a SNOWLIGHT downloader payload’).
  • [T1059] Command and Scripting Interpreter – Attackers executed bash scripts to create directories, kill processes, download binaries, and install persistence (‘retrieved and executed a bash script used to create a hidden directory ($HOME/.systemd-utils), kill any processes named “ntpclient”, download a MINOCAT binary’).
  • [T1053] Scheduled Task/Job – Adversaries created cron jobs to maintain persistence (‘establish persistence by creating a new cron job and a systemd service’).
  • [T1543] Create or Modify System Process – Attackers created systemd services to persist malicious binaries and miners (‘establish persistence by creating a new cron job and a systemd service’).
  • [T1090] Proxy – MINOCAT used an embedded FRP (Fast Reverse Proxy) client to establish tunneling for remote access (‘embedded, open-source Fast Reverse Proxy (FRP) client that handles the actual tunneling’).
  • [T1071.001] Application Layer Protocol: Web Protocols – SNOWLIGHT performed HTTP GET requests to C2/staging infrastructure to retrieve additional payloads (‘SNOWLIGHT making HTTP GET requests to C2 infrastructure (e.g., reactcdn.windowserrorapis[.]com) to retrieve additional payloads’).
  • [T1036] Masquerading – Malware samples were renamed or placed to resemble legitimate binaries (e.g., COMPOOD as “vim”, ANGRYREBEL.LINUX masquerading as sshd) (‘The script then executed the COMPOOD sample, which masqueraded as Vim.’; ‘masquerading the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory’).
  • [T1070] Indicator Removal on Host – Adversaries performed timestomping and cleared shell history to impede investigations (‘timestomping to alter file timestamps and executes anti-forensics commands, such as clearing the shell history (history -c)’).
  • [T1102] Use of Web Services – HISONIC retrieved encrypted configuration via legitimate cloud hosting (Cloudflare Pages, GitLab) to blend malicious retrieval with benign traffic (‘utilizes legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted configuration’).
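A host-side hunt for the post-compromise artifacts these techniques describe (the hidden $HOME/.systemd-utils directory, cron and systemd persistence, the ntpclient process name, and history -c anti-forensics), written here as an added example and not taken from GTIG's report. The cron and unit directories, shell-config filenames and the touch-based timestomping pattern are assumptions; the sample lines are constructed.

```python
import os
import re
from pathlib import Path
HIDDEN_DIR = ".systemd-utils"  # hidden directory created by the attacker's bash script (from the report)
CRON_DIRS = ("/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs")  # assumed sweep locations
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/run/systemd/system")
SHELL_RC_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")  # assumed shell-config names
HIDDEN_PATH_RE = re.compile(r"""(?:^|[\s=:"'])(?:\$HOME|~|/[^\s"']*)/\.[\w-]+/""")  # command run from a dotted dir
ANTI_FORENSICS_RE = re.compile(r"\bhistory\s+-c\b|\btouch\s+-[a-z]*[rdt]\b")  # history -c from report; touch -r/-d/-t assumed
SUSPECT_NAME_RE = re.compile(r"(?:^|[/\s])ntpclient(?:\s|$)")  # process name the script killed before staging

def hunt_lines(source, lines):
    """Return (source, line, reason) tuples for suspicious cron, systemd unit or shell-config lines."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if HIDDEN_DIR in line:
            hits.append((source, line, "references " + HIDDEN_DIR))
        elif HIDDEN_PATH_RE.search(line):  # review these: ~/.local and similar are common benign hits
            hits.append((source, line, "runs from hidden directory"))
        elif ANTI_FORENSICS_RE.search(line):
            hits.append((source, line, "anti-forensics command"))
        elif SUSPECT_NAME_RE.search(line):
            hits.append((source, line, "suspect binary name"))
    return hits

def hunt_file(path):
    try:  # missing, unreadable or non-regular paths simply yield nothing
        return hunt_lines(str(path), Path(path).read_text(errors="replace").splitlines())
    except OSError:
        return []

def hunt_home(home):  # flag the hidden directory itself, then scan each shell-config file
    home = Path(home)
    hits = [("hidden_dir", str(home / HIDDEN_DIR), "directory exists")] if os.path.isdir(home / HIDDEN_DIR) else []
    for rc in SHELL_RC_FILES:
        hits.extend(hunt_file(home / rc))
    return hits

# Constructed sample lines (not from the report) so the checks can be exercised offline
CONSTRUCTED_CRON = ["# m h dom mon dow user command", "0 3 * * * root /usr/bin/certbot renew",
                    "*/5 * * * * root $HOME/.systemd-utils/ntpclient >/dev/null 2>&1"]
CONSTRUCTED_RC = ["export PATH=$PATH:/usr/local/bin", "history -c", "nohup /opt/.cache/agent &"]
if __name__ == "__main__":
    findings = [h for d in CRON_DIRS + UNIT_DIRS for f in Path(d).glob("*") for h in hunt_file(f)]
    findings += [h for home in [Path("/root"), *Path("/home").glob("*")] for h in hunt_home(home)]
    for src, line, why in findings or hunt_lines("constructed", CONSTRUCTED_CRON + CONSTRUCTED_RC):
        print(f"{why}: {src}: {line}")
```

Run as root to sweep the real cron, systemd and home locations; when nothing is found the script falls back to the constructed samples so the output format is visible.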

Indicators of Compromise

  • [Domain] SNOWLIGHT C2 and staging – reactcdn.windowserrorapis[.]com
  • [IP Address] C2 and staging infrastructure – 82.163.22[.]139 (SNOWLIGHT C2), 45.76.155[.]14 (COMPOOD payload/staging)
  • [IP Address] Additional staging – 216.158.232[.]43 (staging server for sex.sh script)
  • [SHA256] Malware and tool samples – df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540 (HISONIC), 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a, and 4 more hashes
  • [File Name] Downloader and payload filenames – sex.sh (XMRIG downloader script), linux_amd64 (SNOWLIGHT sample)
  • [File Name] Masqueraded binary – vim (COMPOOD sample staged and executed as ‘vim’)

Read more: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/