Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability

Posted on December 5, 2025 By CWS

Dec 05, 2025 | Ravie Lakshmanan | Vulnerability / Software Security
Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge.
The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1.
According to a new report shared by Amazon Web Services (AWS), two China-linked threat actors known as Earth Lamia and Jackpot Panda have been observed attempting to exploit the maximum-severity security flaw.
“Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors,” CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News.

Specifically, the tech giant said it identified infrastructure associated with Earth Lamia, a China-nexus group that was attributed to attacks exploiting a critical SAP NetWeaver flaw (CVE-2025-31324) earlier this year.
The hacking crew has targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations across Latin America, the Middle East, and Southeast Asia.
The attack efforts have also originated from infrastructure related to another China-nexus cyber threat actor known as Jackpot Panda, which has primarily singled out entities that are either engaged in or support online gambling operations in East and Southeast Asia.
Jackpot Panda, per CrowdStrike, is assessed to be active since at least 2020, and has targeted trusted third-party relationships in an attempt to deploy malicious implants and gain initial access. Notably, the threat actor was associated with the supply chain compromise of a chat app known as Comm100 in September 2022. The activity is tracked by ESET as Operation ChattyGoblin.
It has since emerged that a Chinese hacking contractor, I-Soon, may have been involved in the supply chain attack, citing infrastructure overlaps. Interestingly, attacks mounted by the group in 2023 have primarily focused on Chinese-speaking victims, indicating possible domestic surveillance.

“Beginning in May 2023, the adversary used a trojanized installer for CloudChat, a China-based chat application popular with illegal, Chinese-speaking gambling communities in Mainland China,” CrowdStrike said in its Global Threat Report released last year.

“The trojanized installer served from CloudChat’s website contained the first stage of a multi-step process that ultimately deployed XShade – a novel implant with code that overlaps with Jackpot Panda’s unique CplRAT implant.”
Amazon said it also detected threat actors exploiting CVE-2025-55182 along with other N-day flaws, including a vulnerability in NUUO Camera (CVE-2025-1338, CVSS score: 7.3), suggesting broader attempts to scan the internet for unpatched systems.
The observed activity involves attempts to run discovery commands (e.g., whoami), write files (“/tmp/pwned.txt”), and read files containing sensitive information (e.g., “/etc/passwd”).
“This demonstrates a systematic approach: threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple Common Vulnerabilities and Exposures (CVEs) simultaneously to maximize their chances of finding vulnerable targets,” Moses said.
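For defenders, the three behaviours reported above (a discovery command, the /tmp/pwned.txt marker file, and a read of /etc/passwd) can be turned into a simple triage rule over process-execution telemetry. The following is an added example, not code from the article or from AWS. It assumes a hypothetical JSON-lines schema with `host`, `parent` and `cmdline` fields and that the RSC application runs under a `node` parent process; the sample events are constructed.

```python
import json
import re
from collections import defaultdict

# Behaviours named in the article, keyed by a label used in the report.
BEHAVIOURS = {
    "discovery": re.compile(r"(^|[\s;&|])whoami(\s|$)"),
    "marker_file_write": re.compile(r"/tmp/pwned\.txt"),
    "sensitive_file_read": re.compile(r"/etc/passwd"),
}
# Assumption: the web application's runtime appears as this parent process.
SERVER_PARENTS = {"node"}

def classify(event):
    """Return the behaviour labels matched by one process-execution event."""
    if event.get("parent") not in SERVER_PARENTS:
        return set()  # only child processes of the web runtime are of interest
    cmd = event.get("cmdline", "")
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmd)}

def triage(lines):
    """Group hits per host; two or more distinct behaviours escalate to 'high'."""
    hits = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the run
        labels = classify(event)
        if labels:
            hits[event.get("host", "unknown")] |= labels
    return {host: ("high" if len(labels) >= 2 else "review", sorted(labels))
            for host, labels in hits.items()}

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE = [
    '{"host":"web-1","parent":"node","cmdline":"/bin/sh -c whoami"}',
    '{"host":"web-1","parent":"node","cmdline":"/bin/sh -c cat /etc/passwd"}',
    '{"host":"web-2","parent":"node","cmdline":"/bin/sh -c echo ok > /tmp/pwned.txt"}',
    '{"host":"web-3","parent":"sshd","cmdline":"whoami"}',
    '{"host":"web-3","parent":"node","cmdline":"node server.js"}',
    'not json',
]

if __name__ == "__main__":
    for host, (severity, labels) in sorted(triage(SAMPLE).items()):
        print(host, severity, labels)
```

The rule keys on the parent process, so an administrator running whoami over SSH (web-3 in the sample) is not flagged, while a web runtime spawning a shell is.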
