Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise
Essential information
- Published: 13/02/2026 09:23
- Modified: 13/02/2026 12:24
- Tags: 2026-02-13, CVE-2025-55182, coin miners, crossc2, react2shell, website defacement
- Related entities: 1 vulnerabilities (cve), 13 observables, 11 techniques (mitre), 5 malware, 1 others
Description
A critical vulnerability in React Server Components, dubbed React2Shell, was disclosed on December 3, 2025. Within days, multiple threat actors exploited this flaw, leading to simultaneous compromises of affected systems. The case study reveals a rapid progression from initial coin miner installations to the deployment of various malware types, including RATs and backdoors. The timeline shows attacks beginning on December 5, with website defacement occurring by December 7. Notably, the incident involved the use of SNOWLIGHT, the HISONIC backdoor, and the CrossC2 RAT, as well as abuse of the Global Socket tool. The study emphasizes the speed at which attackers exploit new vulnerabilities and the importance of swift patching and thorough post-compromise investigations.