Google Finds Five China-Nexus Groups Exploiting React2Shell Flaw
2025-12-16 22:11:59 Author: securityboulevard.com

At least five China-nexus threat groups are exploiting the high-profile React2Shell vulnerability in cyberespionage and financially motivated attacks, according to threat researchers with Google.

The groups are among an expanding number of bad actors that have targeted the maximum-severity security flaw – tracked as CVE-2025-55182 – in React Server Components (RSC) due to broad use of RSC and associated frameworks, including Next.js, and the relatively easy exploitability of the vulnerability.

Researchers with Google Threat Intelligence Group (GTIG) said in a recent report that they, like other threat analysts, saw rapid and widespread exploitation attempts within hours of the unauthenticated remote code execution (RCE) vulnerability being disclosed December 3; Amazon Web Services (AWS) has pointed to multiple Chinese-linked threat groups, including Earth Lamia and Jackpot Panda, among those exploiting it.

In their report, GTIG researchers focused on groups linked to the People’s Republic of China (PRC) and their efforts to compromise targeted networks around the world.

The China Five

One group, which GTIG tracks as UNC6600, is exploiting React2Shell to deliver Minocat, its custom Linux tunneler. Such malware uses techniques to hide its malicious traffic among normal network communication, which allows it to bypass security tools, steal data or deliver additional malware.

Another group, UNC6586, in separate incidents abused CVE-2025-55182 to download and launch the SnowLight downloader.

“SNOWLIGHT is a component of VSHELL, a publicly available multi-platform backdoor written in Go, which has been used by threat actors of varying motivations,” the GTIG researchers wrote, adding that they “observed SNOWLIGHT making HTTP GET requests to C2 infrastructure … to retrieve additional payloads masquerading as legitimate files.”
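The report says the retrieved payloads masquerade as legitimate files but does not describe how. A common form of that masquerade is an executable served under an image or text file name or Content-Type, and a cheap defensive check is to compare what a file claims to be against its leading bytes. The script below is an added example written for this article, not code from GTIG or Security Boulevard; the magic-byte table is standard, and the sample files it scans are constructed inline (a fake ELF stub named `logo.png`, a genuine PNG header, and an unnamed ELF stub) rather than taken from any real sample.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Leading bytes of common executable containers (standard values).
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/MZ",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"#!": "script with shebang",
}

# Names and content types that should never carry executable code.
BENIGN_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".txt", ".json", ".html", ".css"}
BENIGN_CONTENT_TYPES = {
    "image/png", "image/jpeg", "image/gif",
    "text/plain", "text/html", "application/json",
}


def detect_executable(head: bytes) -> Optional[str]:
    """Return the executable format matching the first bytes, or None."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def classify_download(name: str, content: bytes,
                      content_type: Optional[str] = None) -> dict:
    """Flag a file that claims a benign type but starts like an executable.

    `content_type` is the HTTP Content-Type the file was served with, if a
    proxy or download log recorded it; it is optional.
    """
    fmt = detect_executable(content[:8])
    claimed_benign = (
        Path(name).suffix.lower() in BENIGN_EXTENSIONS
        or (content_type or "").split(";")[0].strip().lower() in BENIGN_CONTENT_TYPES
    )
    return {
        "name": name,
        "executable": fmt,
        "claimed_benign": claimed_benign,
        "suspicious": fmt is not None and claimed_benign,
    }


def scan_directory(root: str) -> list:
    """Classify every regular file under `root`; return only the suspicious ones."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(8)
            verdict = classify_download(fname, head)
            if verdict["suspicious"]:
                verdict["path"] = path
                hits.append(verdict)
    return hits


def build_sample_dir() -> str:
    """Write three constructed files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="dl-scan-")
    # Constructed: an ELF header stub under an image name (the masquerade case).
    Path(root, "logo.png").write_bytes(b"\x7fELF" + b"\x00" * 60)
    # Constructed: a real PNG signature, which must not be flagged.
    Path(root, "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    # Constructed: an ELF stub with no benign claim; executable but not masquerading.
    Path(root, "helper").write_bytes(b"\x7fELF" + b"\x00" * 60)
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_sample_dir()):
        print(f"{hit['path']}: {hit['executable']} served as a benign file")
```

Run it on a proxy cache or a download directory; the Content-Type branch lets the same check run over a proxy log where only headers and the first bytes of the body were kept.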

There also have been multiple incidents of UNC6588 exploiting React2Shell and then downloading the Compood backdoor before executing a sample of the malware that masqueraded as Vim, a Linux-based text editor. The researchers said there wasn’t “significant follow-on activity, and this threat actor’s motivations are currently unknown.”

“COMPOOD has historically been linked to suspected China-nexus espionage activity,” they wrote. “In 2022, GTIG observed COMPOOD in incidents involving a suspected China-nexus espionage actor, and we also observed samples uploaded to VirusTotal from Taiwan, Vietnam, and China.”

Targeting the Cloud, VPS

Another backdoor – this one being deployed by the UNC6603 threat group – is Hisonic, an implant written in the Go programming language that uses legitimate cloud services, like Cloudflare Pages and GitLab, to retrieve an encrypted configuration, according to GTIG.

“This technique allows the actor to blend malicious traffic with legitimate network activity,” the researchers wrote. “In this instance, the actor embedded an XOR-encoded configuration for the HISONIC backdoor delimited between two markers, ‘115e1fc47977812’ to denote the start of the configuration and ‘725166234cf88gxx’ to mark the end.”
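For an analyst who has pulled the page an implant fetched from a public hosting service, the two markers quoted above are enough to locate the blob, and the remaining work is decoding it. The script below is an added example for this article, not code from GTIG or from any HISONIC sample: the marker strings come from the report, but the XOR key, the hex encoding of the blob, and the JSON shape of the decrypted configuration are assumptions made so the example can run, and the page content it parses is constructed inline. When no key is supplied it tries every single-byte key and keeps the one that yields a JSON document; a multi-byte key can be passed directly.

```python
import json
from typing import Optional, Tuple

# Delimiters quoted in the GTIG report for the HISONIC configuration blob.
START_MARKER = b"115e1fc47977812"
END_MARKER = b"725166234cf88gxx"


def extract_delimited_blob(page: bytes) -> Optional[bytes]:
    """Return the bytes between START_MARKER and END_MARKER, or None.

    Only the first marker pair is used; a start marker without a following
    end marker counts as no configuration present.
    """
    start = page.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = page.find(END_MARKER, start)
    if end == -1:
        return None
    return page[start:end].strip()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating key of any non-zero length."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_container(blob: bytes) -> bytes:
    """Assumption: the blob is hex text; fall back to the raw bytes otherwise."""
    try:
        return bytes.fromhex(blob.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return blob


def looks_like_json(candidate: bytes) -> bool:
    try:
        json.loads(candidate.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def recover_config(page: bytes, key: Optional[bytes] = None) -> Optional[Tuple[bytes, bytes]]:
    """Locate, decode and XOR-decrypt a delimited config from fetched page bytes.

    Returns (key, plaintext) or None. With no key given, every single-byte
    key is tried and the first producing valid JSON is accepted (assumption
    for this example: the configuration is a JSON document).
    """
    blob = extract_delimited_blob(page)
    if blob is None:
        return None
    raw = decode_container(blob)
    if key is not None:
        return key, xor_bytes(raw, key)
    for k in range(256):
        plain = xor_bytes(raw, bytes([k]))
        if looks_like_json(plain):
            return bytes([k]), plain
    return None


# Constructed sample: a harmless fake config hidden in an HTML comment of an
# otherwise ordinary page, the way a dead drop on public hosting would carry it.
SAMPLE_KEY = bytes([0x5A])
SAMPLE_CONFIG = b'{"c2":"203.0.113.10:443","sleep":30}'
SAMPLE_PAGE = (
    b"<html><body><p>Release notes</p><!-- "
    + START_MARKER
    + xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY).hex().encode("ascii")
    + END_MARKER
    + b" --></body></html>"
)

if __name__ == "__main__":
    found = recover_config(SAMPLE_PAGE)
    if found:
        print(f"key={found[0].hex()} config={found[1].decode()}")
```

The same marker search works as a cheap hunting rule over proxy logs or a cache of pages fetched from the named hosting services: an HTML or text response that contains both markers is worth a closer look regardless of whether the blob decodes.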

Looking at the telemetry, the GTIG researchers wrote that UNC6603 likely is targeting cloud infrastructure – particularly AWS and Alibaba Cloud instances – in the Asia Pacific region.

The Chinese threat group UNC6595 is abusing React2Shell to deploy malware called Angryrebel.Linux to target infrastructure hosted on international virtual private servers, the researchers wrote.

“These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js,” the GTIG researchers wrote.

North Korean, Iranian Groups Also in the Mix

Other security research teams have seen threat groups linked to other countries exploiting CVE-2025-55182. Analysts with Palo Alto Networks’ Unit 42 and Sysdig detected activity aimed at the vulnerability that had overlaps with Contagious Interview, a scheme linked to North Korean threat actors who pose as recruiters to deploy malware on the systems of people looking for IT jobs. The scams haven’t been attributed to any particular group.

That said, the Unit 42 researchers wrote that another North Korean actor, UNC5342, is using the EtherHiding technique – which abuses blockchains to store and retrieve malicious payloads – to deliver malware and steal cryptocurrency.

In addition, GTIG said it also has seen threat groups linked to Iran’s government trying to exploit the React security flaw.

Source: https://securityboulevard.com/2025/12/google-finds-five-china-nexus-groups-exploiting-react2shell-flaw/