Google Warns Multiple Hacker Groups Are Exploiting React2Shell to Spread Malware
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Google Threat Intelligence Group (GTIG) has issued a warning regarding the widespread exploitation of a critical security flaw in React Server Components<\/a>. <\/p>\n Known as\u00a0React2Shell (CVE-2025-55182<\/a>), this vulnerability allows attackers to take control of servers remotely without needing a password.<\/p>\n Since the vulnerability was disclosed on December 3, 2025, Google has observed multiple distinct hacker groups abusing the flaw. <\/p>\n The attackers range from state-sponsored espionage groups to cybercriminals looking for financial gain.<\/p>\n Google researchers have identified <\/a>several campaigns targeting unpatched systems. Key observations include:<\/p>\n React2Shell is rated with a maximum severity score of\u00a010.0 (CVSS v3). It affects specific versions of React and Next.js<\/a>, popular frameworks used to build modern websites. Because these tools are widely used, many organisations are currently exposed.<\/p>\n Google warns that legitimate exploit code is now publicly available, making it easier for attackers to strike. <\/p>\n While some early exploit tools were fake or broken, functional methods including tools that can install web shells directly into memory are now in circulation.<\/p>\n Security experts urge administrators to patch affected systems immediately. Organizations using\u00a0Next.js\u00a0or\u00a0React Server Components\u00a0should verify they are running secure versions to prevent unauthorized access.<\/p>\n IoC<\/strong><\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Google Warns Multiple Hacker Groups Are Exploiting React2Shell to Spread Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThreat Actors and Malware Campaigns<\/strong><\/h2>\n
\n
\n\n
\n Indicator<\/strong><\/td>\n Type<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n \n reactcdn.windowserrorapis[.]com<\/code><\/td>\nDomain<\/td>\n SNOWLIGHT\u00a0C2 and Staging Server<\/td>\n<\/tr>\n \n 82.163.22[.]139<\/code><\/td>\nIP Address<\/td>\n SNOWLIGHT\u00a0C2 Server<\/td>\n<\/tr>\n \n 216.158.232[.]43<\/code><\/td>\nIP Address<\/td>\n Staging server for sex.sh script<\/td>\n<\/tr>\n \n 45.76.155[.]14<\/code><\/td>\nIP Address<\/td>\n COMPOOD\u00a0C2 and Payload Staging Server<\/td>\n<\/tr>\n \n df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540<\/code><\/td>\nSHA256<\/td>\n HISONIC\u00a0sample<\/td>\n<\/tr>\n \n 92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3<\/code><\/td>\nSHA256<\/td>\n HISONIC\u00a0sample<\/td>\n<\/tr>\n \n 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696<\/code><\/td>\nSHA256<\/td>\n ANGRYREBEL.LINUX\u00a0sample<\/td>\n<\/tr>\n \n 13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274<\/code><\/td>\nSHA256<\/td>\n XMRIG\u00a0Downloader Script\u00a0(filename: sex.sh)<\/td>\n<\/tr>\n \n 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a<\/code><\/td>\nSHA256<\/td>\n SNOWLIGHT\u00a0sample (filename: linux_amd64)<\/td>\n<\/tr>\n \n 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273<\/code><\/td>\nSHA256<\/td>\n MINOCAT\u00a0sample<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n