**Google Links More Chinese Hacking Groups to React2Shell Attacks**
A weekend revelation from Google's threat intelligence team has exposed a disturbing trend in the world of cyber espionage. The company's researchers have linked five more Chinese hacking groups to attacks exploiting the maximum-severity "React2Shell" remote code execution vulnerability.
This vulnerability, tracked as CVE-2025-55182, affects the React open-source JavaScript library and allows unauthenticated attackers to execute arbitrary code in React and Next.js applications with a single HTTP request.
The React2Shell flaw was first disclosed on December 3, but it has become clear that its impact extends far beyond what was initially thought. Palo Alto Networks reported that dozens of organizations had been breached, including incidents linked to Chinese state-backed threat actors.
These attackers are exploiting the flaw to execute commands and steal AWS configuration files, credentials, and other sensitive information.
The Amazon Web Services (AWS) security team also warned that the China-linked Earth Lamia and Jackpot Panda threat actors had begun exploiting React2Shell within hours of the vulnerability's disclosure. This rapid response highlights the severity of the situation.
**Five More Chinese Hacking Groups Linked to Attacks**
On Saturday, the Google Threat Intelligence Group (GTIG) reported detecting at least five more Chinese cyber-espionage groups joining ongoing React2Shell attacks:
* **UNC6600**: Deployed MINOCAT tunneling software
* **UNC6586**: Used SNOWLIGHT downloader
* **UNC6588**: Distributed COMPOOD backdoor payload
* **UNC6603**: Updated version of the HISONIC backdoor
* **UNC6595**: ANGRYREBEL.LINUX Remote Access Trojan
GTIG researchers noted that "due to the use of React Server Components (RSC) in popular frameworks like Next.js, there are a significant number of exposed systems vulnerable to this issue." They also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads where threat actors shared links to scanning tools, proof-of-concept code, and their experiences using these tools.
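As an added example (not from the article, Google, or the React project), the Node.js script below inventories a `package-lock.json` for the packages that ship React Server Components, so an exposed Next.js or React app can be triaged against the vendor advisory for CVE-2025-55182. The RSC package names are this example's assumption, and the fixed-version thresholds are placeholders to be replaced with the versions the advisory actually lists.

```javascript
// Added example: inventory a package-lock.json for React Server Components
// packages. RSC_PACKAGES is an assumption about which packages ship RSC;
// the thresholds in PLACEHOLDER_FIXED are NOT the real fixed versions.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-turbopack",
  "react-server-dom-parcel", "next",
]);

// Compare dotted numeric versions: <0, 0 or >0 (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a lockfile (v1 nested "dependencies" or v2/v3 flat "packages") and
// collect every RSC-related package with its version. fixedVersions maps
// package name -> minimum fixed version; anything below it is flagged.
function findRscPackages(lock, fixedVersions) {
  const found = new Map();                      // dedupe on name@version
  const record = (name, version) => {
    if (!RSC_PACKAGES.has(name) || !version) return;
    const fixed = fixedVersions[name];
    found.set(`${name}@${version}`, {
      name, version,
      vulnerable: fixed ? compareVersions(version, fixed) < 0 : null,
    });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path) record(path.split("node_modules/").pop(), meta.version);
  }
  const walk = (deps) => {                      // lockfileVersion 1 layout
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta.version);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...found.values()];
}

// Constructed sample lockfile (v3 layout) and PLACEHOLDER thresholds.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/next": { version: "15.0.0" },
  "node_modules/react": { version: "19.0.0" },
  "node_modules/react-server-dom-webpack": { version: "19.0.0" },
  "node_modules/tool/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
} };
const PLACEHOLDER_FIXED = { next: "15.1.0",
  "react-server-dom-webpack": "19.1.0", "react-server-dom-turbopack": "19.1.0" };
console.table(findRscPackages(SAMPLE_LOCK, PLACEHOLDER_FIXED));
```

Run it as `node inventory.js` against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`.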
**Global Impact**
While investigating these attacks, GTIG also spotted Iranian threat actors targeting the flaw and financially motivated attackers deploying XMRig cryptocurrency mining software on unpatched systems. The Shadowserver Internet watchdog group is currently tracking over 116,000 IP addresses vulnerable to React2Shell attacks, with over 80,000 of them in the United States.
GreyNoise has also observed over 670 IP addresses attempting to exploit the React2Shell remote code execution flaw over the past 24 hours, primarily originating from the United States, India, France, Germany, the Netherlands, Singapore, Russia, Australia, the United Kingdom, and China.
**Critical Response**
On December 5, Cloudflare linked a global website outage to emergency mitigations for the React2Shell vulnerability. This highlights the critical need for organizations to address this flaw immediately.
The React2Shell flaw is not just an IT problem; its impact ripples across entire businesses. It's essential for organizations to break down IAM silos and implement scalable strategies to prevent such attacks in the future.