Building on earlier PeerBlight attacks, Google Threat Intelligence reports exploitation of the React2Shell vulnerability (CVE-2025-55182) by China-nexus clusters and financially motivated actors deploying backdoors and cryptocurrency miners on vulnerable React and Next.js systems.
As detailed in prior coverage of the PeerBlight Linux backdoor campaign exploiting React2Shell (CVE-2025-55182)—a critical RCE flaw in React Server Components disclosed December 3, 2025—additional threat actors have intensified attacks. The vulnerability (CVSS 10.0) affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 due to improper payload decoding, enabling unauthenticated code execution via crafted HTTP requests.
Google Threat Intelligence Group (GTIG) observed campaigns by China-nexus groups UNC6600, UNC6586, UNC6588, and UNC6603 shortly after disclosure. UNC6600 deploys MINOCAT tunneling via cron jobs and systemd; UNC6586 uses SNOWLIGHT downloader linking to reactcdn.windowserrorapis[.]com; UNC6603 employs an updated Go-based HISONIC backdoor hosted on Cloudflare/GitLab, targeting Asia-Pacific clouds. Additional malware includes COMPOOD backdoor (masquerading as utilities) and ANGRYREBEL.LINUX (SSH daemon mimic with timestomping).
From December 5, financially motivated actors deployed XMRig miners using sex.sh, creating fake 'system-update-service' systemd services. Exploit repos, including in-memory webshells, are proliferating.
Mitigate by upgrading to React 19.0.1, 19.1.2, or 19.2.1+, using Cloud Armor WAF, monitoring for IOCs like $HOME/.systemd-utils, IPs 45.76.155[.]14 and 82.163.22[.]139, and GTIG’s VirusTotal hashes for MINOCAT, COMPOOD, SNOWLIGHT.
