Google’s threat intelligence team has identified five more Chinese cyber-espionage groups joining the ongoing attacks exploiting the critical “React2Shell” remote code execution vulnerability, tracked as CVE-2025-55182. This flaw, which affects the React open-source JavaScript library, allows unauthenticated attackers to execute arbitrary code on React and Next.js applications with a single HTTP request.
The list of state-linked threat actors now includes UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595, which have been deploying a variety of malware such as the MINOCAT tunneling software, the SNOWLIGHT downloader, the COMPOOD backdoor, and an updated version of the HISONIC backdoor. According to Google, the vulnerability has a significant number of exposed systems due to the widespread use of React Server Components in popular frameworks like Next.js.
In addition to the Chinese hacking groups, Google’s researchers have also observed Iranian threat actors and financially motivated attackers targeting the React2Shell vulnerability, with some deploying XMRig cryptocurrency mining software on unpatched systems. Internet watchdog groups have tracked over 116,000 vulnerable IP addresses, primarily located in the United States, highlighting the widespread impact of this critical flaw.