
Google Threat Intelligence Group (GTIG) has issued a warning regarding the widespread exploitation of a critical security flaw in React Server Components.
Known as React2Shell (CVE-2025-55182), the vulnerability allows unauthenticated remote code execution, letting an attacker take control of an affected server without any credentials.
Since the vulnerability was disclosed on December 3, 2025, Google has observed multiple distinct hacker groups abusing the flaw.
The attackers range from state-sponsored espionage groups to cybercriminals looking for financial gain.
Threat Actors and Malware Campaigns
Google researchers have identified several campaigns targeting unpatched systems. Key observations include:
- China-Nexus Espionage: Groups linked to China are using React2Shell to deploy backdoors and stealthy tools. One group, UNC6600, installs the MINOCAT tunneler to maintain hidden access to victim networks. Another group, UNC6603, uses an updated version of the HISONIC backdoor, which hides its traffic by communicating through legitimate services like Cloudflare.
- Financial Cybercrime: Opportunistic attackers are using the flaw to install cryptocurrency miners. In one case, criminals deployed XMRig to generate digital currency using the victim’s server power.
- Additional Threats: Other identified malware includes the SNOWLIGHT downloader and the COMPOOD backdoor, both used to steal data or load further malicious software.
React2Shell carries the maximum CVSS v3 score of 10.0. It affects specific versions of React and Next.js, popular frameworks used to build modern websites. Because these tools are widely used, many organizations are currently exposed.
Google warns that working exploit code is now publicly available, lowering the bar for attackers.
While some early exploit tools were fake or broken, functional exploits, including tools that load web shells directly into memory, are now in circulation.
Security experts urge administrators to patch affected systems immediately. Organizations using Next.js or React Server Components should verify they are running secure versions to prevent unauthorized access.
IoC
| Indicator | Type | Description |
| --- | --- | --- |
| reactcdn.windowserrorapis[.]com | Domain | SNOWLIGHT C2 and staging server |
| 82.163.22[.]139 | IP address | SNOWLIGHT C2 server |
| 216.158.232[.]43 | IP address | Staging server for sex.sh script |
| 45.76.155[.]14 | IP address | COMPOOD C2 and payload staging server |
| df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540 | SHA256 | HISONIC sample |
| 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3 | SHA256 | HISONIC sample |
| 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696 | SHA256 | ANGRYREBEL.LINUX sample |
| 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274 | SHA256 | XMRIG downloader script (filename: sex.sh) |
| 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a | SHA256 | SNOWLIGHT sample (filename: linux_amd64) |
| 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273 | SHA256 | MINOCAT sample |
