China Hack Report: Daily US Tech Defense

Earth Lamia, Jackpot Panda, UNC5174 pounce on React2Shell zero-day in US cyberattack frenzy



This is your China Hack Report: Daily US Tech Defense podcast.

Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense. Buckle up, we’re going straight into the hot zone of the last 24 hours.

The headline today is one word: React2Shell. The maximum‑severity CVE-2025-55182 bug in React Server Components is now the zero-day of choice for multiple China‑nexus crews. UpGuard reports that CISA has slammed it into the Known Exploited Vulnerabilities catalog after confirmed active exploitation, and Amazon’s threat intel team says Chinese state-linked groups Earth Lamia, Jackpot Panda, and UNC5174 started hammering it within hours of disclosure. Trend Micro and Sysdig add that this isn’t just noisy cryptominers: campaigns dubbed “emerald” and “nuts” are dropping Cobalt Strike beacons, Sliver payloads, Secret‑Hunter, and other backdoors via this flaw.

Target sectors? Anything using React Server Components on the internet edge: US SaaS platforms, fintech APIs, university portals, healthcare web front ends, and cloud-native startups running Next.js on autopilot. Earth Lamia historically loves financial, logistics, and government targets; Jackpot Panda has gambling and online services in its sights; UNC5174 is believed to act as an initial‑access broker for China’s Ministry of State Security, often patching boxes after compromise to lock out competitors. That means persistence, not smash-and-grab.

New malware angle: Sysdig just flagged EtherRAT being pushed through React2Shell, upgrading from simple coin miners to full remote‑access tooling with data theft and lateral movement baked in. Trend Micro’s telemetry shows a spike in exploitation attempts in the last 24 hours, plus some scripts with Chinese-language comments and AI‑generated code bolting on broken hash checks. That combination screams fast, industrialized exploitation from well-resourced operators.

On the defensive side, CISA’s immediate guidance is blunt: treat every public-facing React Server Components deployment as suspect. Agencies and contractors are being told to patch or take exposed services offline, verify library versions against vendor advisories, hunt for odd systemd services masquerading as “Rsyslog AV Agent Service,” unexpected Nezha monitoring agents, and suspicious DLLs like healthcheck.dll sitting in public document folders. Private-sector shops are being urged to mirror the same actions, with special urgency for anyone touching US critical infrastructure, defense supply chains, or sensitive personal data.
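A minimal hunt for the first two of those indicators (the masquerading "Rsyslog AV Agent Service" unit and an unexpected Nezha agent), as an added example that is not from the podcast or from CISA; it assumes a directory of systemd unit files and constructs its own sample units so it runs offline.

```shell
#!/bin/sh
# Added example, not from the podcast or CISA: hunt systemd unit files for
# the "Rsyslog AV Agent Service" masquerade and Nezha agents. Point it at
# /etc/systemd/system on a real host; a constructed sample stands in here.
# hunt_units DIR: print every *.service file in DIR whose Description claims
# to be the "Rsyslog AV Agent Service" or whose contents mention Nezha.
hunt_units() {
  dir="$1"
  for unit in "$dir"/*.service; do
    [ -f "$unit" ] || continue
    if grep -Eiq 'Description=.*Rsyslog AV Agent Service|nezha' "$unit"; then
      printf 'SUSPECT unit: %s\n' "$unit"
    fi
  done
  return 0
}
# count_suspect_units DIR: number of units hunt_units flags (for scripting).
count_suspect_units() {
  hunt_units "$1" | wc -l | tr -d ' '
}
# make_sample_units DIR: constructed sample data, one benign unit and two
# that should be flagged (the masquerading service and a Nezha agent).
make_sample_units() {
  dir="$1"; mkdir -p "$dir"
  cat > "$dir/rsyslog.service" <<'EOF'
[Unit]
Description=System Logging Service
[Service]
ExecStart=/usr/sbin/rsyslogd -n
EOF
  cat > "$dir/rsyslog-av.service" <<'EOF'
[Unit]
Description=Rsyslog AV Agent Service
[Service]
ExecStart=/tmp/.cache/agent
EOF
  cat > "$dir/nezha-agent.service" <<'EOF'
[Unit]
Description=Monitoring agent
[Service]
ExecStart=/opt/nezha/agent/nezha-agent
EOF
}
# Demo on the constructed sample: prints the two suspect units.
demo_dir=$(mktemp -d)
make_sample_units "$demo_dir"
hunt_units "$demo_dir"
rm -rf "$demo_dir"
```

A flagged Nezha unit is not proof of compromise on its own; compare it against the host's approved monitoring inventory before escalating.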

CISA also just added fresh Microsoft Windows and WinRAR flaws to the KEV list, ordering federal agencies to patch by the end of the month. SecurityAffairs reports that the WinRAR bug allows code execution via crafted archives or webpages, and the Windows Cloud Files Mini Filter flaw can hand attackers SYSTEM privileges. While those aren’t China-specific, Check Point’s latest analysis of state-aligned operations makes it clear that PRC-linked groups routinely chain mass-exploited bugs like these with high-value zero-days such as React2Shell to build long-term “strategic access” inside US government and critical infrastructure networks.

Zooming out, Check Point warns that Chinese state-aligned actors are moving beyond one-off data theft and instead pre-positioning in US power, transport, and healthcare systems as latent options for future crises. Analysis cited by Strider Technologies and reported by The Washington Post and The Independent has already raised alarms about Chinese-made solar inverters in US grids as potential access points; pair that hardware exposure with web-facing React2Shell compromises, and you have end-to-end paths from cloud apps to operational technology.

So, Ting’s rapid-fire playbook for you in the next 24 hours: patch every React Server Components stack; rotate secrets and tokens on anything exposed; comb logs for weird curl pulls, Nezha installs, and Cobalt Strike beacons; apply the new WinRAR and Windows patches prioritized by CISA; and map any Chinese-made components in your OT and energy stack for extra monitoring.

Thanks for tuning in, listeners, and don’t forget to subscribe for your next hit of China cyber reality. This has been a Quiet Please production; for more, check out quiet please dot ai.

For more http://www.quietplease.ai


This content was created in partnership with, and with the help of, Artificial Intelligence (AI).

China Hack Report: Daily US Tech Defense, by Inception Point Ai