China Hack Report: Daily US Tech Defense

Earth Lamia, Jackpot Panda, UNC5174 pounce on React2Shell zero-day in US cyberattack frenzy

This is your China Hack Report: Daily US Tech Defense podcast.
Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense. Buckle up, we’re going straight into the hot zone of the last 24 hours.
The headline today is one word: React2Shell. The maximum‑severity CVE-2025-55182 bug in React Server Components is now the zero-day of choice for multiple China‑nexus crews. UpGuard reports that CISA has slammed it into the Known Exploited Vulnerabilities catalog after confirmed active exploitation, and Amazon’s threat intel team says Chinese state-linked groups Earth Lamia, Jackpot Panda, and UNC5174 started hammering it within hours of disclosure. Trend Micro and Sysdig add that this isn’t just noisy cryptominers: campaigns dubbed “emerald” and “nuts” are dropping Cobalt Strike beacons, Sliver payloads, Secret‑Hunter, and other backdoors via this flaw.
Target sectors? Anything using React Server Components on the internet edge: US SaaS platforms, fintech APIs, university portals, healthcare web front ends, and cloud-native startups running Next.js on autopilot. Earth Lamia historically loves financial, logistics, and government targets; Jackpot Panda has gambling and online services in its sights; UNC5174 is believed to act as an initial‑access broker for China’s Ministry of State Security, often patching boxes after compromise to lock out competitors. That means persistence, not smash-and-grab.
New malware angle: Sysdig just flagged EtherRAT being pushed through React2Shell, upgrading from simple coin miners to full remote‑access tooling with data theft and lateral movement baked in. Trend Micro’s telemetry shows a spike in exploitation attempts in the last 24 hours, plus some scripts with Chinese-language comments and AI‑generated code bolting on broken hash checks. That combination screams fast, industrialized exploitation from well-resourced operators.
On the defensive side, CISA’s immediate guidance is blunt: treat every public-facing React Server Components deployment as suspect. Agencies and contractors are being told to patch or take exposed services offline, verify library versions against vendor advisories, hunt for odd systemd services masquerading as “Rsyslog AV Agent Service,” unexpected Nezha monitoring agents, and suspicious DLLs like healthcheck.dll sitting in public document folders. Private-sector shops are being urged to mirror the same actions, with special urgency for anyone touching US critical infrastructure, defense supply chains, or sensitive personal data.
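A small hunting routine for the artifacts named in that guidance, added here as an illustration rather than anything from the podcast or CISA: it parses systemd unit files for the "Rsyslog AV Agent Service" description or an ExecStart that references a Nezha agent, and flags a healthcheck.dll living under a public documents path. The unit contents and file paths are constructed samples, and the Nezha and "public" path matching rules are my assumptions about how those indicators would present.

```python
import re
from pathlib import Path
from typing import Iterable

# Indicators quoted in the guidance above; the Nezha substring match is an assumption.
KNOWN_BAD_DESCRIPTIONS = {"rsyslog av agent service"}
NEZHA_PATTERN = re.compile(r"nezha", re.IGNORECASE)
KNOWN_BAD_FILENAMES = {"healthcheck.dll"}


def parse_unit(text: str) -> dict[str, str]:
    """Minimal INI-style parse of a systemd unit; later keys overwrite earlier ones."""
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def unit_findings(name: str, text: str) -> list[str]:
    """Return human-readable findings for one unit file (empty list if clean)."""
    fields = parse_unit(text)
    findings = []
    desc = fields.get("Description", "")
    if desc.lower() in KNOWN_BAD_DESCRIPTIONS:
        findings.append(f"{name}: Description matches known-bad '{desc}'")
    exec_start = fields.get("ExecStart", "")
    if NEZHA_PATTERN.search(exec_start):
        findings.append(f"{name}: ExecStart references a Nezha agent: {exec_start}")
    return findings


def hunt(units: dict[str, str], file_paths: Iterable[str]) -> list[str]:
    """Combine unit-file and filesystem checks into one list of findings."""
    findings = []
    for name, text in units.items():
        findings.extend(unit_findings(name, text))
    for path in file_paths:
        parts = [p.lower() for p in Path(path).parts]
        # Assumption: "public document folder" means any path with a 'public' component.
        if Path(path).name.lower() in KNOWN_BAD_FILENAMES and "public" in parts:
            findings.append(f"{path}: suspicious DLL in a public document folder")
    return findings


# Constructed sample data: one benign unit, two matching the indicators above.
SAMPLE_UNITS = {
    "rsyslog-av.service": "[Unit]\nDescription=Rsyslog AV Agent Service\n[Service]\nExecStart=/opt/.cache/agent\n",
    "nginx.service": "[Unit]\nDescription=A high performance web server\n[Service]\nExecStart=/usr/sbin/nginx\n",
    "monitor.service": "[Unit]\nDescription=System monitor\n[Service]\nExecStart=/opt/nezha/nezha-agent\n",
}
SAMPLE_FILES = ["C:/Users/Public/Documents/healthcheck.dll", "C:/Windows/System32/kernel32.dll"]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_UNITS, SAMPLE_FILES):
        print(finding)
```

On a live host you would feed `hunt` the contents of /etc/systemd/system/*.service and a file listing instead of the samples.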
CISA also just added fresh Microsoft Windows and WinRAR flaws to the KEV list, ordering federal agencies to patch by the end of the month. SecurityAffairs reports that the WinRAR bug allows code execution via crafted archives or webpages, and the Windows Cloud Files Mini Filter flaw can hand attackers SYSTEM privileges. While those aren’t China-specific, Check Point’s latest analysis of state-aligned operations makes it clear that PRC-linked groups rout
This content was created in partnership and with the help of Artificial Intelligence (AI).

China Hack Report: Daily US Tech Defense, by Inception Point AI