Multiple Threat Actors Race to Exploit React2Shell Across Espionage and Criminal Operations

Since exploitation began last week, our team at Google Threat Intelligence Group (GTIG) has been tracking widespread activity as multiple threat clusters race to leverage React2Shell (CVE-2025-55182).

Over the past week, we have observed a mix of espionage and financially motivated actors moving quickly to establish persistence and deploy custom tooling.

Here is a recap of what we are seeing in the wild:

  • China-Nexus Espionage: Multiple groups, including UNC6600 and UNC6603, are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.
  • Financially Motivated Actors: We saw immediate exploitation to deploy XMRig cryptocurrency miners, often masquerading as legitimate system processes.
  • Iran-Nexus Activity: We have also observed likely Iran-nexus actors participating in this exploitation activity.

We anticipate threat actors will continue to attempt to exploit this vulnerability in various operations targeting unpatched React and Next.js workloads globally.

We are also publishing a GTI collection of IOCs related to React2Shell exploitation and post-compromise activity to aid organizations in hunting for potential compromise.
Originally posted on LinkedIn