Exploitation of Critical Vulnerability in React Server Components (Updated December 12)

Executive Summary
Update Dec. 9, 2025
Unit 42 has identified activity that reportedly shares overlap with North Korean (DPRK) Contagious Interview tooling, though no formal attribution has occurred at this time. Contagious Interview is a campaign where threat actors associated with the DPRK pose as recruiters to install malware on the devices of job seekers in the tech industry.
The observed activity includes EtherRAT. The DPRK threat actor UNC5342 is reportedly utilizing the EtherHiding technique for malware delivery and cryptocurrency theft. EtherHiding leverages blockchain technology to store and retrieve malicious payloads.
Additionally, we’ve observed instances of the Linux backdoor BPFDoor. This is a Linux implant attributed to Chinese-linked threat actor Red Menshen.
Lastly, Unit 42 has detected multiple instances of a previously undocumented Auto-color backdoor. Auto-color masquerades as a legitimate Pluggable Authentication Module (PAM) library (pamssod).
Further details are in the Scope of Post-Exploitation Activity section.
Update Dec. 8, 2025
Unit 42 has observed post-exploitation activity following the exploitation of CVE-2025-55182 indicating multiple vectors of attack. This attack included initial reconnaissance that involved automated scanning for the remote code execution (RCE) vulnerability as well as Base64-encoded commands to:
Rapidly fingerprint compromised systems
Verify privilege levels
Map network interfaces
Enumerate sensitive credentials and DNS configurations
Retrieve malicious binaries from attacker-controlled C2
Attackers proceeded with installation activities, leveraging wget and curl to download and execute malicious scripts, including sex.sh and a Linux dropper (x86_64) designed for persistent infection. In one instance, we identified a bash reverse shell connected to a probable Cobalt Strike server.
Additionally, we observed activity consistent with an activity cluster we track as CL-STA-1015, an initial access broker (IAB) with suspected ties to the PRC’s Ministry of State Security. This activity involved the fileless execution of a malicious shell script (slt) via curl or wget, followed by the installation of SNOWLIGHT and VShell Trojans.
Further details are in the Scope of Post-Exploitation Activity section.
On Dec. 3, 2025, researchers publicly disclosed critical remote code execution (RCE) vulnerabilities in the Flight protocol used by React Server Components (RSC).
Originally, the flaw was tracked as two vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). Both were assigned a maximum severity rating of CVSS 10.0.
CVE-2025-66478 has since been rejected as a duplicate of CVE-2025-55182.
The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests. Testing indicates the exploit has near-100% reliability and requires no code changes to be effective against default configurations. While there were no reports of exploitation in the wild as of Dec. 3, 2025, Unit 42 has since observed post-exploitation activity, as detailed in our updates.
React is heavily implemented in enterprise environments, used by roughly 40% of all developers, while Next.js is used by approximately 18%-20%. This makes it the leading server-side framework for the React ecosystem.
Palo Alto Networks Cortex Xpanse has identified the presence of over 968,000 React and Next.js instances in our telemetry.
CVE-2025-55182 impacts the React 19 ecosystem and frameworks that implement it. Specifically, it affects the following versions:
React: Versions 19.0, 19.1, and 19.2
Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0
Other frameworks: Any library bundling the react-server implementation, including React Router, Waku, RedwoodSDK, Parcel and Vite RSC plugins
Palo Alto Networks customers receive protections from and mitigations for CVE-2025-55182 in the following ways:
Advanced URL Filtering and Advanced DNS Security
Next-Generation Firewall with the Advanced Threat Prevention security subscription
Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach
Cortex Xpanse is designed to identify exposed devices and applications on the public internet and escalate these findings to defenders
Cortex Cloud and Prisma Cloud both have detection capabilities for cloud resources exposed to the vulnerability discussed in this brief
Palo Alto Networks also recommends upgrading to the following hardened versions immediately:
React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5
The Unit 42 Incident Response team can be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Vulnerabilities Discussed CVE-2025-55182, CVE-2025-66478
Details of the Vulnerability: CVE-2025-55182 (React)
CVE-2025-55182 is classified as Critical (CVSS 10.0) and is caused by insecure deserialization within the RSC architecture, specifically involving the Flight protocol.
The vulnerability resides in the react-server package and its implementation of the RSC Flight protocol. It is a logical deserialization flaw where the server processes RSC payloads safely.
When a server receives a specially crafted, malformed HTTP payload (typically through data delivered in a POST request), it fails to correctly validate the structure of the data. Because of this insecure deserialization, the server allows attacker-controlled data to influence server-side execution logic.
This results in RCE, allowing an attacker to execute arbitrary privileged JavaScript code on the server.
Attack Vector and Exploitability
Attack complexity: The attack complexity is low. It requires no user interaction and no privileges (unauthenticated).
Target endpoints: The attack targets React Server Function endpoints.
Critical nuance: Even if an application does not strictly implement or use React Server Functions, it remains vulnerable if the application supports React Server Components generally.
Reliability: Testing has shown the exploit has near-100% reliability.
Default configuration: The vulnerability is present in default configurations. For example, a standard Next.js application created with create-next-app and built for production is exploitable without any code changes by the developer.
Specific Affected Components
While generally described as affecting React and Next.js, the vulnerability technically exists within specific underlying packages that handle server-side rendering and module loading.
Affected Packages
The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the following packages:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Affected Framework Implementations
Any framework bundling these packages is affected:
Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0-canary.77
Other ecosystems: React Router, Waku, RedwoodSDK, Parcel and the Vite RSC plugin are all affected if they use the vulnerable React packages
Scope of Post-Exploitation Activity
Unit 42 has observed interactive sessions related to the exploitation of CVE-2025-55182, including:
Scanning for servers vulnerable to RCE
Reconnaissance
Attempted theft of cloud credential configuration and credential files
Installation of downloaders to retrieve payloads from attacker command and control (C2) infrastructure
Attempting to install Cobalt Strike
Malicious dropper scripts
Cryptomining software
Interactive web shells masquerading as a React File Manager
Executing EtherRAT
Executing and installing Noodle RAT
IAB activity
Executing SNOWLIGHT and VShell findings
Scanning
We are observing automated scanning for the RCE vulnerability:
Attacker reconnaissance has been observed in the form of passing Base64-encoded commands for gathering immediate situational awareness after compromising a system. Attackers rapidly fingerprint the operating system and architecture (uname), verify their current privilege level (id) and map network interfaces (hostname).
The sequence concludes by enumerating the file system for sensitive credentials and analyzing DNS configurations (resolv.conf) to identify cloud environments or internal targets for lateral movement.
The format for running reconnaissance commands is:
The decoded Base64 command runs the following reconnaissance commands:
Commodity Malware Installation Activity
Unit 42 has observed multiple clusters of activity related to the deployment of cryptomining software, as well as other commodity malware loaders.
In one instance, attackers passed a download-and-execute attack sequence using wget to retrieve a malicious script (named sex.sh) from an attacker-controlled C2 server. The attacker employed the && operator to create a conditional chain, ensuring that the malicious script is passed to the bash interpreter for immediate execution only after it has been successfully downloaded to disk.
In another, an automated script was used to ​​perform data theft, verification, and install multiple malware downloaders consistent with internet-of-things (IoT) activity such as a Mirai botnet.
The defanged commands are:
Figure 1 shows the attack flow of the XMRIG deployment as seen in Cortex XDR.
Figure 2 is an alert notification in Cortex XDR for XMRig activity.
In one observation, the attacker installed a dropper designed to infect Linux systems. The dropper uses a redundant logic block to ensure the payload is delivered. It first attempts to curl the binary with flags to silence output and follow redirects, and falls back to wget if the first tool is missing or fails.
Upon successful download to the /tmp directory, the script executes a chain of commands to make the file universally executable. It then immediately launches the payload, establishing the infection without user intervention.
The defanged command for this is:
Cloud and Container Exploit Attempts
Unit 42 also observed React2Shell exploit attempts across major cloud platforms. These targeted cloud instances hosted containers, including Kubernetes, running applications vulnerable to CVE-2025-55182 via integrated React components.
The operations involved command-line execution of wget, curl, chmod and other utilities either directly or though through the BusyBox binary, resulting in attackers attempting to install Mirai loaders and other payloads.
Although attackers made attempts to install these files, their malicious downloads were blocked, preventing execution.
Cobalt Strike
Unit 42 observed a threat actor leveraging a bash reverse shell to connect to a probable Cobalt Strike server:
Additionally, Unit 42 observed a remote execution of a bash script named check.sh from 154.89.152[.]240. As shown in Figure 3, the script is responsible for downloading another binary from the same address named a_x64, which was saved under the name rsyslo.
The payload appears to be a Cobalt Strike agent that was created using CrossC2, an extension tool to create Cobalt Strike Beacon for Linux OS. Figure 3 shows the process in Cortex XDR.
Figure 4 shows what the alert for Cobalt Strike activity looks like in Cortex XDR.
Web Shell Activity
We observed attackers installing an interactive web shell disguised as a React File Manager (fm.js) retrieved directly from GitHub. This web shell enables the browsing of directories to harvest sensitive configuration files, such as database passwords and API keys, while facilitating data exfiltration through a built-in download function to steal source code or customer data.
The tool supports persistent compromise by allowing the upload of additional backdoors or rootkits and grants the ability to inflict irreversible damage through bulk file deletion and direct system command execution.
The actor initiated the sequence by preemptively terminating existing node processes to eliminate port conflicts, followed by execution validation to confirm arbitrary code execution. The script stages a Node.js web shell payload in the /tmp directory. It employs heuristic network adaptation by iteratively modifying the configuration to cycle through various listening ports, attempting to circumvent local firewall policies.
The attack concludes by establishing ephemeral persistence via nohup and deploying unique verification artifacts (segawon.txt) to common web directories, enabling external validation of the compromise and mapping of the server’s file structure.
EtherRAT
Unit 42 has observed activity consistent with EtherRAT, which performs the following activities:
Leveraging Ethereum smart contacts for C2 resolution
Using multiple independent Linux persistence mechanisms
Downloading its own Node.js runtime from nodejs.org
DPRK threat actor UNC5342 is reportedly using EtherHiding to deliver malware and facilitate cryptocurrency theft.
Noodle RAT
Unit 42 observed the deployment of Noodle RAT, a backdoor confirmed to have both Windows and Linux versions and suspected to be used by Chinese-speaking groups engaged in either espionage or cybercrime.
Auto-Color
Unit 42 has observed multiple instances of a previously unseen Auto-color backdoor across multiple environments, malware we originally published about in February 2025. The filename associated with this backdoor, pamssod, masquerades as the legitimate Pluggable Authentication Module (PAM) library.
Auto-color was observed in the following times and locations:
Early 2025 targeting Asian and North American universities and government organizations
April 2025 on the network of a US-based chemicals company
August 2025 in exploitation of CVE‑2025‑31324
CL-STA-1015 Activity
Unit 42 observed post-exploitation threat activity we assess with high confidence is consistent with an activity cluster we track as CL-STA-1015. This threat actor was assessed with medium confidence to be a Chinese state-sponsored Initial Access Broker according to Google TAG.
Attackers executed a command to retrieve and immediately execute a malicious shell script payload labeled slt from a remote C2 server. Consistent with previously seen activity, attackers employed a fail-safe logic using the OR operator:
The system first attempts the download using curl with flags optimized for stealth (-fsSL to suppress output and follow redirects) and resilience (-m180 to prevent hanging).
If curl is unavailable or fails, it automatically falls back to wget with similar quiet and timeout parameters.
The command concludes by piping the downloaded content directly into sh, enabling fileless execution where the malicious script runs immediately in memory without necessarily writing a persistent file to the disk.
The defanged command for this is:
Following the above command, we observed the successful creation of two malicious files on the file system consistent with SNOWLIGHT and determined through analysis that the below VShell sample also resided on the same server:
SNOWLIGHT bash script: a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4
SNOWLIGHT: 2b0dc27f035ba1417990a21dafb361e083e4ed94a75a1c49dc45690ecf463de4
VShell 4745703f395282a0687def2c7dcf82ed1683f3128bef1686bd74c966273ce1c5
SNOWLIGHT is a stealthy malware dropper seen in CL-STA-1015 activity. Its primary function is to infiltrate a compromised Linux system then download and execute additional, more powerful malware. Most notably, it downloads the VShell RAT. VShell is popular among Chinese-speaking cybercriminals in several forums, and its main developer is also a Chinese speaker.
KSwapDoor
Upon further analysis, Unit 42 has discovered that what we previously identified as BPFDoor, is in fact a previously unseen Linux backdoor targeting servers that we are calling KSwapDoor. KSwapDoor implements a sophisticated P2P mesh network allowing multi-hop routing between infected nodes, uses AES-256-CFB encryption with Diffie-Hellman key exchange for C2 communications, and includes dormant passive packet sniffer code for potential firewall bypass. It provides full remote access capabilities including interactive shell, command execution, file operations, and lateral movement scanning.
Key Findings:
Stealth & Masquerade: Upon execution, the binary renames itself to [kswapd1], mimicking a legitimate Linux kernel swap daemon. It fully daemonizes by double-forking, creating a new session (setsid()), and redirecting all standard I/O to /dev/null.
Obfuscation: Almost all critical strings and configuration data are protected using RC4 encryption. The malware decrypts these strings at runtime using key scheduling functions (sub_410A41 and sub_410B8D).
Persistence & Configuration: It stores its configuration in an RC4-encrypted file within the user’s home directory. During initialization, it reads and decrypts this file to locate Command & Control targets.
Resilience: The malware creates a watchdog loop that spawns and monitors child processes, automatically restarting them if they crash. It also utilizes a staging directory at /tmp/appInsight.
Interim Guidance
Required actions: Immediate patching is the only definitive mitigation.
Engineering and security teams should upgrade to the following hardened versions immediately:
React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5
For the latest updates on this vulnerability, please see the documentation provided by the vendor:
CVE-2025-55182
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.
The following XQL query has been used to successfully identify post-compromise activity. During analysis, a low number of false positives were identified. We recommend reviewing the child processes spawned by the node process. Look for suspicious file operations, network operations, reconnaissance commands or code execution, such as the commands observed above.
Conclusion
The immediate and expansive exploitation of this vulnerability highlights the speed at which threat actors move to seize on opportunities. While we have noted China-nexus activity, the footprint of activity will encompass significant amounts of cybercriminal motivations as well.
Specifically of note, CL-STA-1015 (aka UNC5174) has a history of rapid exploitation of N-day vulnerabilities:
CVE-2024-1709
CVE-2023-46747
CVE-2023-22518
CVE-2022-0185
CVE-2022-30525
The critical distinction of this vulnerability is its nature as a deterministic logic flaw in the Flight protocol, rather than a probabilistic error. Unlike memory corruption bugs that may fail, this flaw guarantees execution, transforming it into a reliable system-wide bypass for attackers. Amplified by the massive footprint of Next.js in enterprise environments, this creates a direct conduit to sensitive internal data.
Ultimately, this incident underscores the inherent friction between performance and security in modern architecture. While React Server Components optimize data fetching and search engine optimization (SEO) by moving logic closer to the source, they simultaneously move the attack surface closer to organizations’ most sensitive and valuable data.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks Product Protections for CVE-2025-55182
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774
Next-Generation Firewalls With Advanced Threat Prevention
Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks via the following Threat Prevention signatures: 96779, 96780, and 96787.
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
Cortex XDR and XSIAM
Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.
Cortex has released a response pack and playbook for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) to help automate and speed the mitigation process.
This playbook automates the following tasks:
Collecting indicators from the Unit 42 article
Detecting any suspicious command lines indicative of exploitation of these vulnerabilities via an XQL query
Investigating the command lines to identify malicious indicators related to the vulnerabilities
Hunting for malicious indicators via an XQL query
Isolating compromised React and Next.js servers (requires analyst approval)
Blocking malicious indicators
Providing mitigation recommendations
Cortex Xpanse
Cortex Xpanse is designed to identify exposed devices and applications on the public internet and escalate these findings to defenders. Customers can enable alerting on assets that are potentially at risk by ensuring that the Vercel Next.js Attack Surface Rule is enabled.
Additionally, Xpanse has published an Attack Surface test for CVE-2025-55182. This validates the vulnerability via an RCE direct check by attempting to execute a benign command payload compatible with both Linux and Windows systems.
Notably, these React and Next.js applications do not publicly expose software version details, meaning these detections are not a strong indicator of a vulnerable application. These detections are also available for Cortex XSIAM customers who have purchased the ASM module.
Cortex Cloud
Cortex Cloud provides comprehensive ASPM capabilities to rapidly identify the reach of CVE-2025-55182 and CVE-2025-66478 across your application landscape. Through real-time SBOM visibility, security teams can instantly query their software inventory to pinpoint specific instances of vulnerable React (versions 19.0–19.2) and Next.js (versions 15.x–16.x) packages. The platform’s Operational Risk model further aids in prioritization by evaluating component health and flagged risks. Crucially, teams can enforce prevention-first guardrails to automatically block builds that contain these critical vulnerabilities. This ensures that no application relying on the unsanctioned or unpatched Flight protocol implementation can ever be deployed, effectively stopping the RCE vector from entering your environment.
Prisma Cloud
Prisma Cloud detects the presence of these critical vulnerabilities within your codebase, registries, and runtime environments. The platform’s vulnerability scanner specifically identifies the use of the affected react-server and next packages associated with CVE-2025-55182 and CVE-2025-66478. Beyond detection, you can configure enforcement rules to actively block builds and deployments if these high-severity findings are detected. By surfacing these risks and enforcing a fail-threshold for critical CVEs, Prisma Cloud enables teams to prevent the release of applications running susceptible versions, ensuring that only the hardened, patched frameworks reach production.
Indicators of Compromise
140[.]99[.]223[.]178
156[.]234[.]209[.]103
38[.]162[.]112[.]141
45[.]32[.]158[.]54
46[.]36[.]37[.]85
47[.]84[.]79[.]46
95[.]169[.]180[.]135
45.134.174[.]235/2.sh
45.134.174[.]235/solra
hxxp://46[.]36[.]37[.]85:12000/sex[.]sh
hxxp://115[.]42[.]60[.]223:61236/slt
hxxp://45[.]32[.]158[.]54/5e51aff54626ef7f/x86_64
hxxp://115[.]42[.]60[.]223:61236/slt
hxxp://156[.]234[.]209[.]103:20912/get[.]sh
hxxp://156[.]234[.]209[.]103:20913/get[.]sh
hxxp://45[.]32[.]158[.]54/5e51aff54626ef7f/x86_64
hxxp://46[.]36[.]37[.]85:12000/sex[.]sh
hxxp://95[.]169[.]180[.]135:8443/pamssod
hxxp://res[.]qiqigece[.]top/nginx1
hxxps://raw[.]githubusercontent[.]com/C3Pool/xmrig_setup/master/setup_c3pool_miner[.]sh
hxxps://sup001[.]oss-cn-hongkong[.]aliyuncs[.]com/123/python1[.]sh
reactcdn[.]windowserrorapis[.]com
res[.]qiqigece[.]top
ebdb85704b2e7ced3673b12c6f3687bc0177a7b1b3caef110213cc93a75da837
f88ce150345787dd1bcfbc301350033404e32273c9a140f22da80810e3a3f6ea
fc9e53675e315edeea2292069c3fbc91337c972c936ca0f535da01760814b125
BPFDoor
140.99.223[.]178/32736
1f3f0695c7ec63723b2b8e9d50b1838df304821fcb22c7902db1f8248a812035
EtherRAT
hxxp://193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh
Noodle RAT
192.238.202[.]17
tcp://vip[.]kof97.lol:443
hxxp://146.88.129[.]138:5511/443nb64
33641bfbbdd5a9cd2320c61f65fe446a2226d8a48e3bd3c29e8f916f0592575f
SNOWLIGHT
115[.]42[.]60[.]223
a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4
1663d98c259001f1b03f82d0c5bee7cfd3c7623ccb83759c994f9ab845939665
18c68a982f91f665effe769f663c51cb0567ea2bfc7fab6a1a40d4fe50fc382b
1a3e7b4ee2b2858dbac2d73dd1c52b1ea1d69c6ebb24cc434d1e15e43325b74e
1cdd9b0434eb5b06173c7516f99a832dc4614ac10dda171c8eed3272a5e63d20
1e31dc074a4ea7f400cb969ea80e8855b5e7486660aab415da17591bc284ac5b
2b0dc27f035ba1417990a21dafb361e083e4ed94a75a1c49dc45690ecf463de4
2ca913556efd6c45109fd8358edb18d22a10fb6a36c1ab7b2df7594cd5b0adbc
4ff096fbea443778fec6f960bf2b9c84da121e6d63e189aebaaa6397d9aac948
55ae00bc8482afd085fd128965b108cca4adb5a3a8a0ee2957d76f33edd5a864
62e9a01307bcf85cdaeecafd6efb5be72a622c43a10f06d6d6d3b566b072228d
7d25a97be42b357adcc6d7f56ab01111378a3190134aa788b1f04336eb924b53
7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a
9c931f7f7d511108263b0a75f7b9fcbbf9fd67ebcc7cd2e5dcd1266b75053624
ac2182dfbf56d58b4d63cde3ad6e7a52fed54e52959e4c82d6fc999f20f8d693
ac7027f30514d0c00d9e8b379b5ad8150c9827c827dc7ee54d906fc2585b6bf6
b38ec4c803a2d84277d9c598bfa5434fb8561ddad0ec38da6f9b8ece8104d787
bc31561c44a36e1305692d0af673bc5406f4a5bb2c3f2ffdb613c09b4e80fa9f
bf602b11d99e815e26c88a3a47eb63997d43db8b8c60db06d6fbddf386fd8c4a
d704541cde64a3eef5c4f80d0d7f96dc96bae8083804c930111024b274557b16
d9313f949af339ed9fafb12374600e66b870961eeb9b2b0d4a3172fd1aa34ed0
e2d7c8491436411474cef5d3b51116ddecfee68bab1e15081752a54772559879
VShell
4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b
Additional Resources
UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell – Blog, Sysdig
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect – Google Cloud Blog
UNC5174 Functions as an Initial Access Broker, Exploiting Vulnerabilities – Hive Pro Vulnerability Report
Updated Dec. 8th, 2025, at 3:45 p.m. PT to add significant updates. These include a Post-Exploitation Activity section and product coverage. New activity covers: scanning and reconnaissance, cloud credential theft, malicious dropper scripts, cryptomining, deployment of backdoor Noodle RAT, execution of SNOWLIGHT and VShell and Chinese-linked activity.
Updated Dec. 9th, 2025, at 2:00 p.m. PT to add significant updates. These include additional details in the Post-Exploitation Activity section. New subsections include information on: Activity that shares overlaps with DPRK tooling using EtherRAT; BPFDoor, a Linux backdoor; and a new Auto-color variant (a Linux backdoor). Updated the Indicators of Compromise section. Added a new Threat Prevention signature.
Updated Dec. 10th, 2025, at 1:30 p.m. PT to add subsection on React2Shell exploit attempts in the Post-Exploitation Activity section. Added Cortex XDR playbook coverage and information.
​​Updated Dec. 11th, 2025, at 1:30 p.m. PT to add script to subsection on React2Shell exploit attempts in the Post-Exploitation Activity section. Amended Cortex Xpanse language.
​​Updated Dec. 12th, 2025, at 1:40 p.m. PT to change language surrounding CL-STA-1015 attribution, and update BPFDoor name to KSwapDoor with additional details.