216.73.217.22

Analyzing React2Shell Threat Actors

· Published 17/01/2026 13:17 · Modified 19/01/2026 09:29

Export JSON

Essential information

Published
17/01/2026 13:17
Modified
19/01/2026 09:29
Tags
2026-01-17 CVE-2017-9841 CVE-2019-9082 CVE-2023-1389 CVE-2024-4577 CVE-2025-55182 botnet exploitation payloads rce react server components react2shell reactonmynuts rondodox vulnerability
Related entities
10 vulnerabilities (cve), 9 observables, 16 techniques (mitre), 2 malware, 11 others

Description

This report analyzes the of , known as , a critical in . It examines various attack , including credential harvesters, reverse shells, and loaders. The analysis reveals rapid weaponization of the , with attackers employing sophisticated techniques like fileless downloaders, raw TCP stagers, and creative use of framework errors. The report also highlights the top 10 exploited CVEs for December, with quickly rising to the second most targeted . Key indicators of compromise and recommended mitigation strategies are provided to help organizations defend against these threats.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (10)

CVE-2025-31324 KEV
10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector
Network
Published
29/04/2025
Modified
21/12/2025
Received
CVE-2022-42475 KEV
9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector
Network
Published
13/12/2022
Modified
20/12/2025
CVE-2017-9841 KEV
9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector
NETWORK
Complexity
LOW
Published
27/06/2017
Modified
22/04/2026
CVE-2019-9082 KEV

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published
03/11/2021
Modified
21/12/2025
CVE-2024-4577 KEV
9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector
Network
Published
12/06/2024
Modified
21/12/2025
Received
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed
CVE-2023-1389 KEV
8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector
Adjacent
Published
01/05/2023
Modified
21/12/2025
CVE-2022-22947 KEV

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Published
16/05/2022
Modified
20/12/2025
CVE-2022-24847
7.2 High

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …

Attack vector
NETWORK
Published
14/04/2022
Modified
21/12/2025
CVE-2022-47945
9.8 Critical

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …

Attack vector
NETWORK
Published
23/12/2022
Modified
19/01/2026

Observables (9)

  • 94.154.35.154
  • 89.144.31.18
  • 45.125.66.90
  • http://mewo.oceanic-node.su:3443
  • http://41.231.37.153/rondo.aqu.sh||curl
  • http://41.231.37.153/rondo.aqu.sh
  • http://41.231.37.153/rondo.xxx.sh
  • http://193.34.213.150/nuts/x86http://89.144.31.18/nuts/x86
  • http://41.231.37.153/rondo.aqu.sh||busybox

Techniques (MITRE) (16)

  • T1573
    Encrypted Channel
  • T1090
    Proxy
  • T1132
    Data Encoding
  • T1016
    System Network Configuration Discovery
  • T1005
    Data from Local System
  • T1190
    Exploit Public-Facing Application
  • T1105
    Ingress Tool Transfer
  • T1095
    Non-Application Layer Protocol
  • T1219
    Remote Access Tools
  • T1059
    Command and Scripting Interpreter
  • T1071
    Application Layer Protocol
  • T1083
    File and Directory Discovery
  • T1020
    Automated Exfiltration
  • T1074
    Data Staged
  • T1082
    System Information Discovery
  • T1041
    Exfiltration Over C2 Channel

Malware (2)

  • RondoDox
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • ReactOnMynuts
    Family
    Published 17/01/2026 13:17 · Modified 17/01/2026 13:17

Others (11)

  • Poland
  • Israel
  • Australia
  • United Kingdom of Great Britain and Northern Ireland
  • Germany
  • Canada
  • Singapore
  • Romania
  • United States of America
  • mewo.oceanic-node.su
  • atomicmail.io

External references