React2Shell (CVE-2025-55182) is a critical unauthenticated remote code execution vulnerability in React Server Components that allows attackers to deliver malicious Flight payloads and achieve code execution on servers running React 19.x with Server Components. It was rapidly weaponized with public PoCs, Metasploit modules, large-scale scanning, confirmed compromises, and nation-state exploitation, forcing KEV listing and causing operational impacts reported by providers like Cloudflare. #React2Shell #CVE-2025-55182
Tag: INITIAL ACCESS
Over 77,000 IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with attackers already compromising over 30 organizations. Widespread exploitation involves Chinese threat actors using PowerShell and malware like Snowlight and Vshell to access and control affected systems. #React2Shell #CVE-2025-55182 #ChineseThreatActors
Two hacking groups linked to China quickly exploited a critical React Server Components vulnerability, CVE-2025-55182, after its public disclosure. This exploit activity was observed targeting various sectors across multiple regions, highlighting a broad and systematic attack effort. #React2Shell #ChinaLinkedThreatActors…
Sophos linked nearly 40 STAC6565 intrusions (Feb 2024 to Aug 2025) to the GOLD BLADE group, which has evolved from espionage into a hybrid operation that mixes targeted data theft with selective ransomware deployment using a custom locker called QWCrypt. The group refines RedLoader delivery chains, abuses recruitment platforms to deliver weaponized resumes, leverages BYOVD drivers and modified Terminator tools for EDR evasion, and uses RPivot/Chisel for tunneled C2. #GOLD_BLADE #QWCrypt
CISA has revealed details of BRICKSTORM, a sophisticated backdoor used by Chinese state-sponsored threat actors to maintain long-term access on VMware vSphere and Windows systems. The malware is employed in targeting government and IT sectors, supporting covert command-and-control operations through various protocols and concealment techniques. #BRICKSTORM #WarpPanda…
A new report reveals that Intellexa’s Predator spyware has been used to target civil society members in Pakistan and potentially other countries, employing sophisticated zero-day exploits and various infection vectors. Despite international sanctions and public scrutiny, the company continues to develop and deploy invasive surveillance tools with possible human rights violations….
CrowdStrike tracked a China-nexus adversary dubbed WARP PANDA conducting persistent, stealthy intrusions against VMware vCenter and ESXi environments across U.S. legal, technology, and manufacturing organizations, deploying BRICKSTORM, JSP web shells, and two new Golang implants named Junction and GuestConduit. The actor exploited internet-facing edge device and vCenter vulnerabilities, tunneled traffic and…
Attackers exploited a GitHub Actions injection vulnerability in Nx's workflow to steal an NPM publishing token, push malicious Nx packages, and use those packages to harvest credentials, SSH keys, and crypto wallets from developer systems. The campaign evolved into a self-replicating NPM supply-chain worm called Shai-Hulud that registers compromised hosts as self-hosted GitHub Actions runners and uses GitHub Discussions as a stealthy C2 channel. #ShaiHulud #Nx
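The class of bug behind the Nx token theft is GitHub Actions expression injection: untrusted event data interpolated with `${{ ... }}` directly into a `run:` script, where it is expanded before the shell sees it. The workflow below is an added illustration of that class and its fix, written for this page; it is not Nx's actual workflow, and the job name, the `NPM_TOKEN` secret name and the `release.example` tag pattern are assumptions.

```yaml
# Added illustration of GitHub Actions expression injection (not Nx's real workflow).
# VULNERABLE: pull_request_target runs with the base repo's secrets, and the PR title
# (attacker-controlled) is expanded by the runner into the shell script before it runs.
# A title such as   x"; printenv | base64; echo "   would execute inside the job,
# leaking every secret the job can reach.
name: triage-vulnerable
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Triaging PR: ${{ github.event.pull_request.title }}"
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # publish token exposed to an untrusted trigger

---
# HARDENED version of the same job:
#  1. untrusted values are passed through an environment variable and quoted, so the
#     shell receives them as data, never as script text;
#  2. the token is not exposed to jobs triggered by untrusted events at all;
#  3. GITHUB_TOKEN permissions are reduced to what the job needs.
name: triage-hardened
on:
  pull_request:
    types: [opened, edited]
permissions:
  contents: read
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Triaging PR: $PR_TITLE"

---
# Publishing is kept in a separate workflow that only a trusted, signed tag push can trigger
# and that never consumes PR-supplied input.
name: publish
on:
  push:
    tags: ['release.example/v*']   # assumed tag pattern
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Fields that an external contributor controls (`github.event.pull_request.title`, `.body`, `.head.ref`, `github.event.issue.title`, commit messages, author names) should never appear inside `run:`, `script:` in `actions/github-script`, or any other interpolated scripting context; always route them through `env:`. Separating the publish step into its own narrowly triggered workflow limits what a successful injection can reach even if the triage job is later compromised again.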
DigitStealer is a macOS information stealer delivered as an unsigned DynamicLake.dmg that runs almost entirely in memory and abuses JavaScript for Automation (JXA) and AppleScript to harvest high-value data. It enforces geographic and Apple Silicon M2+ hardware checks, fetches four in-memory payloads (AppleScript stealer, two obfuscated JXA modules, and a LaunchAgent backdoor using DNS TXT for C2), and tampers with Ledger Live to enable seed-phrase exfiltration. #DigitStealer #LedgerLive
Anthropic disclosed that a China-nexus group, tracked as GTG-1002, used an AI agent to run roughly 80 to 90% of a live cyber-espionage campaign that targeted about 30 entities and produced several confirmed intrusions. The operation chained thousands of small, routine-looking tasks through a Claude Code + MCP-based orchestrator, enabling high-speed reconnaissance, exploitation, credential abuse, lateral movement, and exfiltration. #GTG-1002 #PromptLock
U.S. and Canadian cybersecurity agencies warn that China-sponsored threat actors are exploiting BRICKSTORM malware to compromise VMware vSphere environments and gain long-term access. These attacks primarily target government and IT sectors, enabling threat actors to steal data and create rogue VMs. #BRICKSTORM #PRCThreatActors…
Microsoft Deputy CISO Damon Becknel outlines four immediate security priorities (basic cyber hygiene, modern standards and protocols, fingerprinting to identify bad actors, and increased collaboration) to reduce common, preventable online attacks. The post emphasizes practical actions like inventorying assets, enforcing phishing-resistant MFA, patching, network segmentation, DNS and SMTP hardening, and using fingerprinting and threat intelligence sharing to raise the cost for attackers. #Microsoft #EWS
Researchers observed a new variant of the ClayRat Android spyware that abuses Accessibility Services and Default SMS privileges to perform keylogging, automatic lock-screen unlocking, screen recording, persistent overlays, fake interactive notifications, notification harvesting, camera capture, and mass SMS/call functionality. The campaign distributed over 700 unique APKs via phishing domains and cloud hosting (Dropbox), impersonating services like YouTube and Car Scanner ELM while Zimperium reports on-device protections detect and mitigate these attacks. #ClayRat #Zimperium
North Korean APT Lazarus, specifically the Famous Chollima division, ran a large-scale social-engineering campaign recruiting remote IT workers to infiltrate U.S. finance, crypto/Web3, and other sectors for corporate espionage and regime funding. BCA LTD, NorthScan and ANY.RUN exposed the operation by engaging a recruiter, trapping operators in extended ANY.RUN sandboxes, and…
Recent cybersecurity incidents highlight the evolving tactics of hackers targeting DeFi protocols, malware, phishing campaigns, and critical infrastructure. Staying aware of these threats is essential to protect sensitive data, financial assets, and online trust. #YearnFinance #BPFDoor…