The Google Threat Intelligence Group (GTIG) has released an alert about widespread exploitation of a critical security vulnerability in React Server Components.
Tracked as React2Shell (CVE-2025-55182), the flaw lets unauthenticated attackers remotely take control of affected servers.
Since the vulnerability was disclosed on December 3, 2025, Google has observed numerous distinct hacking groups exploiting it.
These attackers range from state-sponsored espionage groups to financially motivated cybercriminals.
Threat Actors and Malware Campaigns
Google investigators have identified several campaigns targeting unpatched systems. Key findings include:
- China-linked espionage: Groups associated with China are using React2Shell to deploy backdoors and covert tooling. One group, UNC6600, installs the MINOCAT tunneler to retain hidden access to victim networks. Another, UNC6603, uses an updated variant of the HISONIC backdoor, which hides its traffic by communicating through legitimate services such as Cloudflare.
- Financially motivated cybercrime: Opportunistic attackers are exploiting the vulnerability to deploy cryptocurrency miners. In one case, criminals deployed XMRig to mine cryptocurrency using the processing power of the victim's servers.
- Additional threats: Other malware observed includes the SNOWLIGHT downloader and the COMPOOD backdoor, both used to steal data or to load further malicious software.
React2Shell carries the maximum severity rating of 10.0 (CVSS v3). It affects certain versions of React and Next.js, widely used frameworks for building modern websites. Because these tools are so popular, many organizations remain exposed.
Google warns that working exploit code is now publicly available, making it easier for additional attackers to join in.
While some early exploit tools were fake or defective, practical methods, including tools that can install web shells directly in memory, are now in circulation.
Security professionals urge administrators to patch affected systems immediately. Organizations running Next.js or React Server Components should confirm they are on fixed versions to prevent unauthorized access.
IoC
| Indicator | Type | Description |
| --- | --- | --- |
| reactcdn.windowserrorapis[.]com | Domain | SNOWLIGHT C2 and Staging Server |
| 82.163.22[.]139 | IP Address | SNOWLIGHT C2 Server |
| 216.158.232[.]43 | IP Address | Staging server for sex.sh script |
| 45.76.155[.]14 | IP Address | COMPOOD C2 and Payload Staging Server |
| df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540 | SHA256 | HISONIC sample |
| 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3 | SHA256 | HISONIC sample |
| 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696 | SHA256 | ANGRYREBEL.LINUX sample |
| 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274 | SHA256 | XMRIG Downloader Script (filename: sex.sh) |
| 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a | SHA256 | SNOWLIGHT sample (filename: linux_amd64) |
| 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273 | SHA256 | MINOCAT sample |