Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
Summary
The BRICKSTORM malware, attributed to PRC state-sponsored actors, has been used for long-term espionage against U.S. organizations, particularly in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. CISA, NSA, and Cyber Centre issued a joint report on BRICKSTORM, providing IOCs, detection signatures, and recommended mitigations. The report highlights BRICKSTORM's advanced functionality to conceal communications, move laterally, and tunnel into victim networks. The malware automatically reinstalls or restarts if disrupted, and PRC actors are primarily targeting government and IT sector organizations. CISA analyzed eight BRICKSTORM samples from victim organizations and urges organizations to contact CISA if they detect BRICKSTORM or related activity. 
CISA warns that Chinese hackers have been backdooring VMware vSphere servers with Brickstorm malware, using multiple layers of encryption and a self-monitoring function to maintain persistence. The attackers compromised a web server in an organization's DMZ in April 2024, moved laterally to an internal VMware vCenter server, and deployed malware. They also hacked two domain controllers and exported cryptographic keys after compromising an ADFS server, maintaining access from at least April 2024 through September 2025. The attackers captured Active Directory database information and performed system backups to steal legitimate credentials and other sensitive data. CrowdStrike linked these attacks to a Chinese hacking group it tracks as Warp Panda, which also deployed previously unknown Junction and GuestConduit malware implants in VMware ESXi environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments, enabling cyber threat actors to maintain stealthy access and providing capabilities for initiation, persistence, and secure command-and-control. Written in Golang, the custom implant gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files. The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement. 
The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen. The activity represents an ongoing tactical evolution of Chinese hacking groups, which have continued to strike edge network devices to breach networks and cloud infrastructures. In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not "encourage, support or connive at cyber attacks." BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters tracked as UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda. Earlier this September, Mandiant and Google Threat Intelligence Group (GTIG) said they observed legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. being targeted by UNC5221 and other closely related threat activity clusters to deliver the malware. A key feature of the malware, per CISA, is its ability to automatically reinstall or restart itself by means of a self-monitoring function that allows its continued operation in the face of any potential disruption. In one case detected in April 2024, the threat actors are said to have accessed a web server inside an organization's demilitarized zone (DMZ) using a web shell, before moving laterally to an internal VMware vCenter server and implanting BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed.
The attackers have also been found to leverage the access to obtain service account credentials and laterally move to a domain controller in the DMZ using Remote Desktop Protocol (RDP) so as to capture Active Directory information. Over the course of the intrusion, the threat actors managed to get the credentials for a managed service provider (MSP) account, which was then used to jump from the internal domain controller to the VMware vCenter server. CISA said the actors also moved laterally from the web server using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys from the latter. The access to vCenter ultimately enabled the adversary to deploy BRICKSTORM after elevating their privileges. CrowdStrike, in its analysis of Warp Panda, said it has detected multiple intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities this year that have led to the deployment of BRICKSTORM. The group is believed to have been active since at least 2022. Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. Warp Panda demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks. Evidence shows the hacking group gained initial access to one entity in late 2023. Also deployed in the attacks alongside BRICKSTORM are two previously undocumented Golang implants, namely Junction and GuestConduit, on ESXi hosts and guest VMs, respectively. Junction acts as an HTTP server to listen for incoming requests and supports a wide range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK). 
GuestConduit, on the other hand, is a network traffic-tunneling implant that resides within a guest VM and establishes a VSOCK listener on port 5555. Its primary responsibility is to facilitate communication between guest VMs and hypervisors. Initial access methods involve the exploitation of internet-facing edge devices to pivot to vCenter environments, either using valid credentials or abusing vCenter vulnerabilities. Lateral movement is achieved by using SSH and the privileged vCenter management account "vpxuser." The hacking crew has also used the Secure File Transfer Protocol (SFTP) to move data between hosts. Some of the exploited vulnerabilities are listed below:
- CVE-2024-21887 (Ivanti Connect Secure)
- CVE-2023-46805 (Ivanti Connect Secure)
- CVE-2024-38812 (VMware vCenter)
- CVE-2023-34048 (VMware vCenter)
- CVE-2021-22005 (VMware vCenter)
- CVE-2023-46747 (F5 BIG-IP)
The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use. BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. Similar to details shared by CISA, CrowdStrike noted that the attackers used their access to vCenter servers to clone domain controller VMs, possibly in a bid to harvest the Active Directory Domain Services database. The threat actors have also been spotted accessing the email accounts of employees who work in areas that align with Chinese government interests. Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. Another significant aspect of Warp Panda's activities is their focus on establishing persistence in cloud environments and accessing sensitive data.
Characterizing it as a "cloud-conscious adversary," CrowdStrike said the attackers exploited their access to entities' Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange. In at least one incident, the hackers managed to get hold of user session tokens, likely by exfiltrating user browser files, and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via a session replay attack and download SharePoint files related to the organization's network engineering and incident response teams. The attackers have also engaged in additional ways to set up persistence, such as by registering a new multi-factor authentication (MFA) device through an Authenticator app code after initially logging into a user account. In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails. The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests. Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. The exploit targeted three VMware vulnerabilities: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The toolkit includes simplified Chinese strings, suggesting a Chinese-speaking developer. The exploit uses Host-Guest File System (HGFS) for information leaking and Virtual Machine Communication Interface (VMCI) for memory corruption. The toolkit involves multiple components, including 'exploit.exe' (MAESTRO), 'devcon.exe', and 'MyDriver.sys', which write three payloads into VMX's memory: Stage 1 shellcode, Stage 2 shellcode, and VSOCKpuppet.
VSOCKpuppet is a 64-bit ELF backdoor that provides persistent remote access to the ESXi host. The threat actors use 'client.exe' (GetShell Plugin) to send commands to the compromised ESXi host. The GetShell Plugin supports file transfer and command execution features. The toolkit prioritizes stealth over persistence.
Timeline
- 09.01.2026 19:43 · 1 article · 23h ago
Chinese hackers exploit VMware ESXi zero-days to escape virtual machines
Sources:
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
- 24.09.2025 17:00 · 11 articles · 3mo ago
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
Sources:
- Google: Brickstone malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Information Snippets
- Brickstorm is a Go-based backdoor used in long-term espionage operations against U.S. organizations.
First reported: 24.09.2025 17:00 · 6 sources, 11 articles
- The malware has been active for over a year, with an average dwell time of 393 days.
First reported: 24.09.2025 17:00 · 6 sources, 10 articles
- Targeted sectors include technology, legal, SaaS providers, and BPOs.
First reported: 24.09.2025 17:00 · 6 sources, 11 articles
- The attackers, attributed to the UNC5221 activity cluster, exploit vulnerabilities in edge devices.
First reported: 24.09.2025 17:00 · 6 sources, 10 articles
- Brickstorm serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution.
First reported: 24.09.2025 17:00 · 6 sources, 11 articles

BRICKSTORM is deployed on appliances that cannot run EDR agents, such as VMware vCenter and ESXi, so host-based detection is largely blind to it; visibility has to come from network telemetry and from scanning the appliance filesystem.
First reported: 24.09.2025 17:00 (6 sources, 11 articles)
- Google: Brickstone malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The backdoor hides its C2 channel inside traffic that looks legitimate, such as HTTPS to widely used cloud services, so it does not stand out in egress logs.
First reported: 24.09.2025 17:00 (6 sources, 11 articles)
- Google: Brickstone malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The primary operational objective is to exfiltrate email and to remain undetected for as long as possible.
First reported: 24.09.2025 17:00 (6 sources, 11 articles)
- Google: Brickstone malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Once an operation is complete, the actors remove the malware from the appliance to hinder forensic reconstruction; preserving appliance logs and disk images before remediation matters for exactly that reason.
First reported: 24.09.2025 17:00 (6 sources, 11 articles)
- Google: Brickstone malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

BRICKSTORM was first documented by Google Mandiant in April 2024, in reporting on China-linked intrusions.
First reported: 24.09.2025 17:00 (4 sources, 6 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Initial access is believed to come from exploitation of zero-day vulnerabilities in internet-facing edge devices.
First reported: 24.09.2025 17:00 (4 sources, 7 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

BRICKSTORM communicates with its C2 while masquerading as legitimate traffic to Cloudflare, Heroku, and similar services.
First reported: 24.09.2025 17:00 (4 sources, 7 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers deploy a malicious Java Servlet Filter (BRICKSTEAL) on vCenter that captures credentials from HTTP Basic Authentication headers as administrators log in.
First reported: 24.09.2025 17:00 (5 sources, 9 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers clone Windows Server VMs, including domain controllers, and extract secrets such as the Active Directory database (ntds.dit) from the clone, leaving the live system untouched.
First reported: 24.09.2025 17:00 (5 sources, 9 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi hosts and modifying startup scripts such as /etc/rc.local.d/local.sh.
First reported: 24.09.2025 17:00 (5 sources, 9 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The operators exfiltrate email by abusing Microsoft Entra ID Enterprise Applications that hold mailbox-wide application permissions (mail.read or full_access_as_app) to read targeted users' mailboxes.
First reported: 24.09.2025 17:00 (5 sources, 9 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
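As an added illustration (not code from Mandiant, CISA or any of the sources listed above), the following Python hunts an Entra ID tenant for the pattern just described: service principals holding mailbox-wide application permissions, with recently created apps or secrets ranked first. The input mirrors the shape of Microsoft Graph servicePrincipal and appRoleAssignment objects, but every ID, name and timestamp is constructed; in a real tenant the same data comes from GET /servicePrincipals and GET /servicePrincipals/{id}/appRoleAssignments.

```python
"""Hunt for Entra ID service principals that hold mailbox-wide application
permissions, the kind BRICKSTORM operators were reported to abuse.

Added example, not code from Mandiant, CISA or the articles above. Input is
modelled on Microsoft Graph objects (servicePrincipal, appRoleAssignment);
all IDs, names and dates below are constructed, not real tenant data.
"""
from datetime import datetime, timedelta, timezone

# Application permission values that grant read access to every mailbox.
MAILBOX_WIDE_ROLES = {
    "Mail.Read",            # Microsoft Graph, application permission
    "Mail.ReadWrite",
    "Mail.ReadBasic.All",
    "full_access_as_app",   # Office 365 Exchange Online (EWS) app-only access
}

# Constructed lookup of resource service principals and their appRoles,
# i.e. {resource SP id: {appRoleId: permission value}}. Real role IDs come from
# GET /servicePrincipals/{id}?$select=appRoles.
RESOURCE_APP_ROLES = {
    "res-graph-0001": {"role-mail-read": "Mail.Read", "role-user-read": "User.Read.All"},
    "res-exo-0002":   {"role-full-access": "full_access_as_app"},
}

# Constructed servicePrincipal objects (subset of the Graph fields).
SERVICE_PRINCIPALS = [
    {"id": "sp-hr-0001", "displayName": "HR Sync Connector",
     "createdDateTime": "2023-02-10T09:00:00Z",
     "passwordCredentials": [{"startDateTime": "2023-02-10T09:00:00Z"}]},
    {"id": "sp-util-0002", "displayName": "Test App",
     "createdDateTime": "2025-06-18T03:14:00Z",
     "passwordCredentials": [{"startDateTime": "2025-06-18T03:15:00Z"}]},
]

# Constructed appRoleAssignment objects (GET /servicePrincipals/{id}/appRoleAssignments).
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-hr-0001", "resourceId": "res-graph-0001", "appRoleId": "role-user-read"},
    {"principalId": "sp-util-0002", "resourceId": "res-graph-0001", "appRoleId": "role-mail-read"},
    {"principalId": "sp-util-0002", "resourceId": "res-exo-0002", "appRoleId": "role-full-access"},
]

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # constructed "current" time for the demo


def _parse(ts):
    """Parse a Graph ISO-8601 UTC timestamp; None stays None."""
    return None if ts is None else datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_permission(assignment):
    """Map an appRoleAssignment to its permission value via the resource's appRoles."""
    roles = RESOURCE_APP_ROLES.get(assignment["resourceId"], {})
    return roles.get(assignment["appRoleId"], assignment["appRoleId"])


def find_mailbox_wide_apps(service_principals, assignments, now=NOW, recent_days=90):
    """Return findings for service principals that hold mailbox-wide app roles.

    Each finding lists the permissions, whether the SP or one of its secrets
    was created within `recent_days` (a freshly created app with a new secret
    is the pattern to triage first), and the secret count.
    """
    by_id = {sp["id"]: sp for sp in service_principals}
    granted = {}
    for a in assignments:
        perm = resolve_permission(a)
        if perm in MAILBOX_WIDE_ROLES:
            granted.setdefault(a["principalId"], set()).add(perm)

    findings = []
    cutoff = now - timedelta(days=recent_days)
    for sp_id, perms in granted.items():
        sp = by_id.get(sp_id, {"displayName": "<unknown>", "createdDateTime": None, "passwordCredentials": []})
        created = _parse(sp.get("createdDateTime"))
        secret_times = [_parse(c.get("startDateTime")) for c in sp.get("passwordCredentials", [])]
        recent = any(t is not None and t >= cutoff for t in [created, *secret_times])
        findings.append({
            "principalId": sp_id,
            "displayName": sp["displayName"],
            "permissions": sorted(perms),
            "recently_created_or_rotated": recent,
            "secret_count": len(secret_times),
        })
    # Recently created or rotated principals sort first.
    return sorted(findings, key=lambda f: (not f["recently_created_or_rotated"], f["displayName"]))


if __name__ == "__main__":
    for f in find_mailbox_wide_apps(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS):
        flag = "REVIEW" if f["recently_created_or_rotated"] else "known"
        print(f"[{flag}] {f['displayName']} ({f['principalId']}): {', '.join(f['permissions'])}")
```

Mail.Read and full_access_as_app grant access to every mailbox in the tenant, so any principal that holds them needs an owner, a justification and a review of its sign-in activity; a new app with a new secret and one of these roles is the first thing to triage.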

UNC5221 focuses on developers, administrators, and individuals whose work relates to China's economic and security interests.
First reported: 24.09.2025 17:00 (6 sources, 10 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Mandiant has released a free scanner script that replicates its BRICKSTORM YARA rule for use on Linux and BSD appliances.
First reported: 24.09.2025 17:00 (4 sources, 8 articles)
- Google: Brickstorm malware used to steal U.S. orgs' data for over a year — www.bleepingcomputer.com — 24.09.2025 17:00
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The BRICKSTORM backdoor is under active development; one variant adds a delay timer that postpones the first C2 contact.
First reported: 24.09.2025 17:33 (5 sources, 8 articles)
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access.
First reported: 24.09.2025 17:33 (6 sources, 9 articles)
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers used a custom dropper to load the malicious Java Servlet Filter (BRICKSTEAL) into the running vCenter process in memory, leaving no filter on disk for file-based scanning to find.
First reported: 24.09.2025 17:33 (5 sources, 8 articles)
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers have modified init.d, rc.local, or systemd files so that the backdoor restarts at boot on compromised appliances.
First reported: 24.09.2025 17:33 (5 sources, 8 articles)
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
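The following Python is an added example, not Mandiant's scanner and not from any of the sources above; it audits the persistence locations named in this entry and in the earlier ESXi entry (the rc.local.d/local.sh startup script, init.d, rc.local and systemd units) for commands that a stock appliance would not run at boot. The sample filesystem, the implant names and their paths are constructed for the demonstration; on a real host call audit_persistence('/') or point it at a mounted disk image.

```python
"""Audit Linux/ESXi appliance boot-time persistence locations for additions of
the kind described above (startup-script edits, init.d/rc.local/systemd hooks).

Added example, not Mandiant's scanner or any vendor tool. It inspects files
only; service state (e.g. whether SSH is enabled on ESXi) must be checked with
the appliance's own tooling. The sample tree, binary names and paths are
constructed for the demonstration.
"""
import os
import re
import tempfile

# Locations an attacker with appliance root can use to re-launch an implant at boot.
STARTUP_SCRIPTS = ["etc/rc.local.d/local.sh", "etc/rc.local", "etc/rc.d/rc.local"]
UNIT_DIRS = ["etc/systemd/system", "etc/init.d"]
# Directories from which nothing should normally be launched at boot.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/spool/")
# Absolute paths inside a line (not preceded by a word character or another slash).
_PATH_RE = re.compile(r"(?<![\w/])(/[\w./-]+)")


def _meaningful(line):
    """Ignore blanks, comments, the shebang and the trailing 'exit 0' of a stock local.sh."""
    s = line.strip()
    return s and not s.startswith("#") and s != "exit 0"


def audit_persistence(root):
    """Return a list of (path, reason, line) findings under `root` (usually '/')."""
    findings = []
    for rel in STARTUP_SCRIPTS:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if _meaningful(line):
                    # A stock ESXi local.sh contains no commands; any command is worth review.
                    findings.append((path, "startup script contains a command", line.strip()))
    for rel in UNIT_DIRS:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    for p in _PATH_RE.findall(line):
                        if p.startswith(SUSPECT_PREFIXES):
                            findings.append((path, "boot hook launches from writable location", line.strip()))
                            break
    return findings


def build_sample_tree():
    """Constructed appliance filesystem: one clean unit, one tampered local.sh, one bad unit."""
    root = tempfile.mkdtemp(prefix="appliance-")
    files = {
        "etc/rc.local.d/local.sh": "#!/bin/sh\n# local configuration options\n\n"
                                   "/var/tmp/.cache/vmtoolsd-helper &\n"  # constructed implant launch
                                   "exit 0\n",
        "etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "etc/systemd/system/vami-sync.service": "[Service]\nExecStart=/tmp/.x/agent --daemon\n",  # constructed
        "etc/init.d/networking": "#!/bin/sh\n/sbin/ifup -a\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, reason, line in audit_persistence(build_sample_tree()):
        print(f"{reason}: {path}\n    {line}")
```

Whether SSH is enabled on ESXi is service state rather than a file, so check it separately (for example with /etc/init.d/SSH status on the host) and compare both results against a known-good baseline for the appliance model and version.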

The attackers have targeted Windows environments in Europe since at least November 2022.
First reported: 24.09.2025 17:33 (5 sources, 8 articles)
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors — thehackernews.com — 24.09.2025 17:33
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The activity has been linked to other related China-nexus threat clusters besides UNC5221.
First reported: 25.09.2025 14:35 (6 sources, 8 articles)
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The campaign has been tracked by Mandiant since March 2025.
First reported: 25.09.2025 14:35 (6 sources, 8 articles)
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers have used access to compromised SaaS providers to target those providers' downstream customers.
First reported: 25.09.2025 14:35 (6 sources, 8 articles)
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers are believed to analyze stolen source code to find zero-day vulnerabilities in enterprise technologies.
First reported: 25.09.2025 14:35 (6 sources, 8 articles)
- Chinese Spies Lurked in Networks for 393 Days, Hunted for Zero-Day Intel — www.securityweek.com — 25.09.2025 14:35
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

A BRICKSTORM variant includes a delay timer that keeps the implant dormant until a hard-coded date, so a freshly deployed sample may generate no C2 traffic at all during that period.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The malware is obfuscated with Garble, an open-source Go obfuscator, which strips the function names, type structures, and control-flow clues that analysts rely on.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

BRICKSTORM has been found on VMware vCenter and ESXi hosts; it is often first deployed on another appliance and then used to pivot to these systems.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers use legitimate cloud services such as Cloudflare Workers or Heroku to host C2 endpoints.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers use wildcard DNS services such as sslip.io or nip.io, whose hostnames embed the C2 server's IP address and resolve directly to it, so no attacker-registered domain is needed.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.
First reported: 25.09.2025 22:05 (5 sources, 7 articles)
- Chinese APT Drops 'Brickstorm' Backdoors on Edge Devices — www.darkreading.com — 25.09.2025 22:05
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

F5 disclosed that unidentified threat actors stole files containing BIG-IP's source code and information related to undisclosed vulnerabilities.
First reported: 20.10.2025 15:27 (3 sources, 4 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers used the BRICKSTORM malware, attributed to a China-nexus espionage group dubbed UNC5221.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers were in F5's network for at least 12 months before detection.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

GreyNoise observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Censys identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers used a delay timer to lie dormant on infected systems until a hard-coded date.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed before the attackers pivot to these systems.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.
First reported: 20.10.2025 15:27 (3 sources, 5 articles)
- ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More — thehackernews.com — 20.10.2025 15:27
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

CISA, NSA, and Cyber Centre issued a joint report on BRICKSTORM malware.
First reported: 04.12.2025 14:00 (4 sources, 5 articles)
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

BRICKSTORM has advanced functionality to conceal communications, move laterally, and tunnel into victim networks.
First reported: 04.12.2025 14:00 (4 sources, 5 articles)
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

BRICKSTORM automatically reinstalls or restarts if disrupted.
First reported: 04.12.2025 14:00 (4 sources, 5 articles)
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

PRC actors are primarily targeting government and IT sector organizations.
First reported: 04.12.2025 14:00 (4 sources, 5 articles)
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

CISA analyzed eight BRICKSTORM samples from victim organizations.
First reported: 04.12.2025 14:00 (4 sources, 5 articles)
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

CISA provides IOCs, detection signatures, and recommended mitigations in the report.
First reported: 04.12.2025 14:00 (4 sources, 5 articles)
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Organizations are urged to contact CISA if they detect BRICKSTORM or related activity.
First reported: 04.12.2025 14:00 (4 sources, 5 articles)
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors — www.cisa.gov — 04.12.2025 14:00
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

CISA analyzed eight Brickstorm malware samples from victim organizations.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Brickstorm uses multiple layers of encryption, including HTTPS, WebSockets, and nested TLS, to secure its communication channels.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Brickstorm includes a self-monitoring function that automatically reinstalls or restarts the malware if interrupted.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

Chinese hackers compromised a web server in an organization's DMZ in April 2024 and moved laterally to an internal VMware vCenter server.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers hacked two domain controllers on the victim's network and exported cryptographic keys after compromising an ADFS server.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The Brickstorm implant allowed the attackers to maintain access to the breached systems from at least April 2024 through September 2025.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

The attackers captured Active Directory database information and performed system backups to steal legitimate credentials and other sensitive data.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

CrowdStrike linked Brickstorm malware attacks targeting VMware vCenter servers to a Chinese hacking group it tracks as Warp Panda.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43

CrowdStrike observed the same threat group deploying previously unknown Junction and GuestConduit malware implants in VMware ESXi environments.
First reported: 04.12.2025 20:19 (3 sources, 4 articles)
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers — www.bleepingcomputer.com — 04.12.2025 20:19
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
-
BRICKSTORM uses custom handlers to run a SOCKS proxy, stand up a web server on the compromised host, and execute commands on it.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
BRICKSTORM is designed to work in virtualized environments, using a virtual socket (VSOCK) interface to enable inter-VM communication, facilitate data exfiltration, and maintain persistence.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Initial access methods involve the exploitation of internet-facing edge devices to pivot to vCenter environments, either using valid credentials or abusing vCenter vulnerabilities.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Lateral movement is achieved by using SSH and the privileged vCenter management account "vpxuser."
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The hacking crew has also used the Secure File Transfer Protocol (SFTP) to move data between hosts.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The attackers used their access to vCenter servers to clone domain controller VMs, possibly in a bid to harvest the Active Directory Domain Services database.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The threat actors have also been spotted accessing the email accounts of employees who work in areas that align with Chinese government interests.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The attackers connected to various cybersecurity blogs and a Mandarin-language GitHub repository.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda is characterized as a "cloud-conscious adversary," exploiting access to entities' Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
In at least one incident, the attackers obtained user session tokens, likely by exfiltrating browser files from a compromised host, then tunneled traffic through BRICKSTORM implants to replay those sessions against Microsoft 365 and download SharePoint files belonging to the organization's network engineering and incident response teams.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The attackers have also established additional persistence, for example by registering a new multi-factor authentication (MFA) device via an Authenticator app code after first logging into a compromised user account.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
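The session-replay, MFA-registration and Graph enumeration behaviour in the preceding entries translates directly into hunting logic. The following is an added example written for this page, not code from CrowdStrike, CISA or the cited reports. It runs three heuristics over constructed Entra ID style records (simplified sign-in, audit and Graph activity logs whose field names are assumptions) and flags the user whose session reappears from a second network, who then registers a new MFA method, and whose principal walks the directory resources listed above in quick succession. The audit activity name "User registered security info" and the record layouts are assumptions to be mapped onto real log exports.

```python
"""Hunting heuristics for the Microsoft 365 / Entra ID tradecraft described above:
replayed browser sessions, MFA methods registered right after a suspicious
sign-in, and Graph API directory enumeration.

Added example; not code from CrowdStrike, CISA or the reports the page cites.
The three record layouts are simplified stand-ins for Entra ID sign-in logs,
Entra audit logs and MicrosoftGraphActivityLogs (field names are assumptions),
and every record below is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry (not real data). Addresses are documentation ranges.
SIGNINS = [  # (timestamp, user, session_id, source_ip, country)
    ("2025-11-20T09:02:00Z", "jdoe@example.test", "sess-1", "203.0.113.10", "US"),
    ("2025-11-20T09:05:00Z", "jdoe@example.test", "sess-1", "203.0.113.10", "US"),
    ("2025-11-20T09:41:00Z", "jdoe@example.test", "sess-1", "198.51.100.7", "SG"),  # replayed
    ("2025-11-20T11:00:00Z", "asmith@example.test", "sess-2", "192.0.2.5", "US"),
]
AUDIT = [  # (timestamp, user, activity, source_ip)
    ("2025-11-20T09:44:00Z", "jdoe@example.test", "User registered security info", "198.51.100.7"),
    ("2025-11-20T12:10:00Z", "asmith@example.test", "Update user", "192.0.2.5"),
]
GRAPH = [  # (timestamp, principal, request_uri, http_status)
    ("2025-11-20T09:50:00Z", "jdoe@example.test", "https://graph.microsoft.com/v1.0/servicePrincipals", 200),
    ("2025-11-20T09:50:30Z", "jdoe@example.test", "https://graph.microsoft.com/v1.0/applications", 200),
    ("2025-11-20T09:51:00Z", "jdoe@example.test", "https://graph.microsoft.com/v1.0/users", 200),
    ("2025-11-20T09:51:20Z", "jdoe@example.test", "https://graph.microsoft.com/v1.0/directoryRoles", 200),
    ("2025-11-20T09:52:00Z", "jdoe@example.test", "https://graph.microsoft.com/v1.0/me/messages", 200),
    ("2025-11-20T13:00:00Z", "asmith@example.test", "https://graph.microsoft.com/v1.0/me/messages", 200),
]

# Graph resources whose rapid, combined enumeration inventories a tenant
# (the ones enumerated in the intrusion described above).
ENUM_RESOURCES = {"servicePrincipals", "applications", "users", "directoryRoles", "messages"}
MFA_REGISTRATION_ACTIVITY = "User registered security info"  # Entra audit activity name (assumed)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def session_replay(signins, window=timedelta(hours=2)):
    """Same session ID presented from a second source IP within `window`.
    A stolen cookie or token replayed through a SOCKS tunnel does not produce a
    fresh interactive sign-in, so the session reappears from an IP the user
    never authenticated from."""
    first_seen, hits = {}, []
    for ts, user, sess, ip, country in sorted(signins, key=lambda r: _ts(r[0])):
        t = _ts(ts)
        if sess not in first_seen:
            first_seen[sess] = (t, ip, country)
        elif ip != first_seen[sess][1] and t - first_seen[sess][0] <= window:
            hits.append({"user": user, "session": sess, "time": t,
                         "from": first_seen[sess][1:], "to": (ip, country)})
    return hits


def mfa_registration_after_replay(audit, replay_hits, window=timedelta(hours=1)):
    """A new authentication method registered shortly after a replayed session:
    the attacker enrolling their own Authenticator so the account survives a
    password reset."""
    hits = []
    for ts, user, activity, ip in audit:
        if activity != MFA_REGISTRATION_ACTIVITY:
            continue
        for h in replay_hits:
            if h["user"] == user and timedelta(0) <= _ts(ts) - h["time"] <= window:
                hits.append({"user": user, "time": ts, "ip": ip})
    return hits


def graph_enumeration(graph, min_distinct=4, window=timedelta(minutes=10)):
    """One principal reading >= `min_distinct` different directory resources
    within `window`. Walking servicePrincipals, applications, users and
    directoryRoles back to back is tenant reconnaissance, not user activity."""
    by_principal = defaultdict(list)
    for ts, principal, uri, status in graph:
        segments = urlparse(uri).path.strip("/").split("/")
        resource = next((s for s in reversed(segments) if s in ENUM_RESOURCES), None)
        if status == 200 and resource:
            by_principal[principal].append((_ts(ts), resource))
    hits = []
    for principal, events in by_principal.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window anchored on each request
            seen = {res for t, res in events[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits.append({"principal": principal, "start": t0.isoformat(), "resources": sorted(seen)})
                break
    return hits


def run():
    replay = session_replay(SIGNINS)
    return {"session_replay": replay,
            "mfa_after_replay": mfa_registration_after_replay(AUDIT, replay),
            "graph_enumeration": graph_enumeration(GRAPH)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

The thresholds (two hours for a session to reappear, one hour between replay and MFA enrolment, four distinct resources in ten minutes) are starting points; tune them against a baseline of your own tenant, and treat a hit on all three heuristics for one user as a strong signal rather than three separate alerts.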
The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.
First reported: 05.12.2025 10:14 (2 sources, 3 articles)
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems — thehackernews.com — 05.12.2025 10:14
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda has been active since at least 2022.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda deployed previously unknown Junction and GuestConduit malware implants in VMware ESXi environments.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Junction acts as an HTTP server to listen for incoming requests and supports a wide range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK).
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
GuestConduit is a network traffic-tunneling implant that resides within a guest VM and establishes a VSOCK listener on port 5555.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda used access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The hackers connected to various cybersecurity blogs and a Mandarin-language GitHub repository.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda accessed email accounts of employees who work on topics that align with Chinese government interests.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda has been identified deploying BRICKSTORM malware on VMware vCenter servers.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
BRICKSTORM frequently masquerades as legitimate vCenter processes, such as updatemgr or vami-http.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda gains initial access by exploiting internet-facing edge devices and subsequently pivots to vCenter environments.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda uses SSH and the privileged vCenter management account vpxuser for lateral movement.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda uses the Secure File Transfer Protocol (SFTP) to move data between hosts.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda clears logs, timestomps files, and creates rogue VMs that are never registered with the vCenter server, so they do not appear in the vCenter inventory.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Warp Panda tunnels traffic through vCenter servers, ESXi hosts, and guest VMs to blend in with legitimate network traffic.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
BRICKSTORM implants masquerade as legitimate vCenter processes and have persistence mechanisms that allow the implants to survive after file deletion and system reboots.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
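The host-side tradecraft in the entries above (BRICKSTORM running under a vCenter service name, SSH as vpxuser for lateral movement, and rogue VMs kept out of the vCenter inventory) can be checked with data an analyst already collects from the appliance and hosts. The following is an added example written for this page; it is not code from Mandiant, CrowdStrike or CISA and is not the Mandiant scanner script. It parses constructed stand-ins for `ps -eo pid,comm,args` output, `vim-cmd vmsvc/getallvms` output, a list of `.vmx` files found on the datastores, and ESXi `/var/log/auth.log` lines; the expected binary directories for `updatemgr` and `vami-http`, the vCenter management address, and all sample lines are assumptions and not real telemetry.

```python
"""Host-side hunting checks for the vCenter/ESXi tradecraft described above:
processes masquerading as vCenter services, SSH logins as vpxuser, and rogue
VMs that exist on a datastore but have no inventory entry.

Added example; not code from Mandiant, CrowdStrike or CISA, and not the
Mandiant scanner. The inputs are constructed stand-ins for output an analyst
would collect on the appliance or host (`ps -eo pid,comm,args`,
`vim-cmd vmsvc/getallvms`, a `find` for *.vmx under /vmfs/volumes, and the
ESXi /var/log/auth.log); none of the sample lines are real telemetry.
"""
import re

# Service names BRICKSTORM has imitated, mapped to the directory a genuine binary
# of that name is expected to run from. These paths are assumptions for the
# example; take the real baseline from a known-good appliance of the same build.
EXPECTED_DIRS = {
    "updatemgr": ("/usr/lib/vmware-updatemgr/",),
    "vami-http": ("/opt/vmware/",),
}
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

PS_SAMPLE = """\
 1201 updatemgr /usr/lib/vmware-updatemgr/bin/updatemgr --daemon
 2310 vami-http /opt/vmware/sbin/vami-lighttpd -f /opt/vmware/etc/lighttpd/lighttpd.conf
 4412 updatemgr /tmp/.cache/updatemgr
 5001 sshd /usr/sbin/sshd -D
"""

GETALLVMS_SAMPLE = """\
Vmid  Name   File                           Guest OS                Version
12    dc01   [datastore1] dc01/dc01.vmx     windows2019srv_64Guest  vmx-19
15    app01  [datastore1] app01/app01.vmx   ubuntu64Guest           vmx-19
"""
VMX_ON_DISK = [  # what a datastore walk found (constructed)
    "/vmfs/volumes/datastore1/dc01/dc01.vmx",
    "/vmfs/volumes/datastore1/app01/app01.vmx",
    "/vmfs/volumes/datastore1/.dc01-clone/dc01-clone.vmx",  # cloned DC, never registered
]

AUTH_LOG_SAMPLE = """\
2025-11-20T09:12:01Z esx01 sshd[2001]: Accepted keyboard-interactive/pam for root from 10.10.5.14 port 50211 ssh2
2025-11-20T10:02:13Z esx01 sshd[2130]: Accepted keyboard-interactive/pam for vpxuser from 10.10.5.14 port 50322 ssh2
2025-11-20T10:02:40Z esx01 sshd[2130]: session opened for user vpxuser
"""
VCENTER_IPS = {"10.10.0.20"}  # management addresses of the legitimate vCenter (assumed)


def masquerading_processes(ps_text):
    """Flag processes whose name matches a vCenter service but whose executable is
    not where that service lives, or that run from a temp or hidden path."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, comm, exe = int(parts[0]), parts[1], parts[2].split()[0]
        reasons = []
        if comm in EXPECTED_DIRS and not exe.startswith(EXPECTED_DIRS[comm]):
            reasons.append("vCenter service name, binary outside its expected directory")
        if exe.startswith(SUSPICIOUS_PREFIXES) or "/." in exe:
            reasons.append("binary in a temp or hidden path")
        if reasons:
            hits.append({"pid": pid, "comm": comm, "exe": exe, "reasons": reasons})
    return hits


def unregistered_vms(getallvms_text, vmx_paths):
    """Return .vmx files on the datastores that the host has no inventory entry
    for. A VM cloned and left unregistered never shows up in the vCenter UI,
    which is exactly why the actor leaves it that way."""
    registered = set()
    for line in getallvms_text.splitlines()[1:]:  # skip the header row
        m = re.search(r"\[(\S+)\]\s+(\S+\.vmx)", line)
        if m:
            registered.add(f"/vmfs/volumes/{m.group(1)}/{m.group(2)}")
    # On a real host compare canonical paths (os.path.realpath): datastore names
    # are symlinks to UUID directories. The constructed sample uses names on both sides.
    return sorted(p for p in vmx_paths if p not in registered)


def vpxuser_ssh_logins(auth_log, vcenter_ips):
    """vpxuser is the account vCenter uses to manage an ESXi host over the vSphere
    API; an interactive SSH login with it is unusual, and one from an address
    that is not the vCenter is the lateral-movement pattern described above."""
    pat = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
    hits = []
    for line in auth_log.splitlines():
        m = pat.match(line)
        if m and m.group(2) == "vpxuser":
            ts, _, src = m.groups()
            hits.append({"time": ts, "src": src, "from_vcenter": src in vcenter_ips})
    return hits


if __name__ == "__main__":
    print(masquerading_processes(PS_SAMPLE))
    print(unregistered_vms(GETALLVMS_SAMPLE, VMX_ON_DISK))
    print(vpxuser_ssh_logins(AUTH_LOG_SAMPLE, VCENTER_IPS))
```

Because the actor clears logs and timestomps files, treat an empty or truncated auth.log as a finding in itself, and prefer copies of these logs forwarded to a syslog collector over the on-host files when reconstructing a timeline.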
Warp Panda has exploited multiple vulnerabilities in edge devices and VMware vCenter environments during their operations.
First reported: 05.12.2025 16:30 (2 sources, 2 articles)
- China-Linked Warp Panda Targets North American Firms in Espionage Campaign — www.infosecurity-magazine.com — 05.12.2025 16:30
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Chinese-speaking threat actors leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The exploit may have been developed as far back as February 2024.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The attack exploited three VMware vulnerabilities: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The toolkit includes simplified Chinese strings in its development paths, suggesting a Chinese-speaking developer.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The toolkit uses the Host-Guest File System (HGFS) for an information leak and the Virtual Machine Communication Interface (VMCI) for memory corruption.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The exploit involves multiple components, including 'exploit.exe' (MAESTRO), 'devcon.exe', and 'MyDriver.sys'.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The exploit writes three payloads directly into VMX's memory: Stage 1 shellcode, Stage 2 shellcode, and VSOCKpuppet.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
VSOCKpuppet is a 64-bit ELF backdoor that provides persistent remote access to the ESXi host.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The threat actors use 'client.exe' (GetShell Plugin) to send commands to the compromised ESXi host.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The GetShell Plugin supports file transfer and command execution features.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
The toolkit prioritizes stealth over persistence.
First reported: 09.01.2026 19:43 (1 source, 1 article)
- China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines — thehackernews.com — 09.01.2026 19:43
Similar Happenings
China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
China-nexus threat actor UAT-7290 has been targeting telecommunications providers in South Asia and Southeastern Europe since at least 2022. The group conducts extensive reconnaissance before deploying malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with RedLeaves, ShadowPad, and RedFoxtrot, suggesting a broader China-linked operation.
Exploitation of Network Security Flaws by APT Actors
Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.
Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution
A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution due to unsafe deserialization of payloads. The flaw affects multiple versions of React and Next.js, potentially impacting any application using RSC. The issue has been patched, but 39% of cloud environments remain vulnerable. Cloudflare experienced a widespread outage due to an emergency patch for this vulnerability, and multiple China-linked hacking groups have begun exploiting it. NHS England National CSOC has warned of the likelihood of continued exploitation in the wild. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. The security researcher Lachlan Davidson disclosed the vulnerability on November 29, 2025, to the Meta team. The flaw has been dubbed React2Shell, a nod to the Log4Shell vulnerability discovered in 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. Exploitation success rate is reported to be nearly 100% in default configurations. React servers that use React Server Function endpoints are known to be vulnerable. The Next.js web application is also vulnerable in its default configuration. At the time of writing, it is unknown if active exploitation has occurred, but there have been some reports of observed exploitation activity as of December 5, 2026. OX Security warned that the flaw is now actively exploitable on December 5, around 10am GMT. Hacker maple3142 published a working PoC, and OX Security successfully verified it. JFrog identified fake proof-of-concepts (PoC) on GitHub, warning security teams to verify sources before testing. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva. The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 6, 2025, following confirmed active exploitation. The vulnerability is tracked as React2Shell and is related to a remote code execution flaw in React Server Components (RSC). The flaw is due to insecure deserialization in the Flight protocol used by React to communicate between a server and client. The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Patched versions of React are 19.0.1, 19.1.2, and 19.2.1. Downstream frameworks impacted include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK. Amazon reported attack attempts from Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz reported seeing exploitation efforts targeting the flaw. Some attacks involved the deployment of cryptocurrency miners and the execution of "cheap math" PowerShell commands. Censys identified about 2.15 million instances of internet-facing services potentially affected by the vulnerability. Palo Alto Networks Unit 42 confirmed over 30 affected organizations across numerous sectors, with activity consistent with Chinese hacking group UNC5174. Security researcher Lachlan Davidson released multiple proof-of-concept (PoC) exploits for the vulnerability. Another working PoC was published by a Taiwanese researcher with the GitHub handle maple3142. Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks. Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182). Researchers have confirmed that attackers have already compromised over 30 organizations across multiple sectors using the React2Shell flaw. 
Shadowserver detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States. GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. Attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw. Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory. One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads. The PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network. Amazon AWS threat intelligence teams saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda. Palo Alto Networks observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security. The deployed malware in these attacks includes Snowlight and Vshell, both commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. Earth Lamia has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations. Jackpot Panda primarily targets entities in East and Southeast Asia. 
The Shadowserver Foundation has identified over 77,000 vulnerable IPs following a scan of exposed HTTP services across a wide variety of exposed edge devices and other applications. Censys observed just over 2.15 million instances of internet-facing services that may be affected by this vulnerability, including exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK. The bug is a pre-authentication remote code execution (RCE) vulnerability which exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. React issued a security advisory with the relevant patches and updates on December 3. Any internet-accessible server running the affected React Server Components code should be assumed vulnerable until updated as a precaution. AWS observed that many threat actors are attempting to use public PoCs that don’t work in real-world scenarios. AWS noted that the use of these PoCs shows that threat actors prioritize rapid operationalization over thorough testing, attempting to exploit targets with any available tool. Using multiple PoCs to scan for vulnerable environments also gives threat actors a higher chance of identifying vulnerable configurations, even if the PoCs are non-functional. The availability of the PoCs also allows less sophisticated actors to participate in exploitation campaigns. Finally, AWS noted that even failed exploitation attempts create significant noise in logs, potentially masking more sophisticated attacks. The invalid PoCs can give developers a false sense of security when testing for React2Shell. The Shadowserver Foundation detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China. 
Huntress observed attackers targeting numerous organizations via CVE-2025-55182, with a focus on the construction and entertainment industries. The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor. Attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server. Huntress identified a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq. PeerBlight shares code overlaps with two malware families RotaJakiro and Pink that came to light in 2021, installs a systemd service to ensure persistence, and masquerades as a "ksoftirqd" daemon process to evade detection. CowTunnel initiates an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively bypassing firewalls that are configured to only monitor inbound connections. ZinFoq implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities. Huntress assessed that the threat actor is likely leveraging automated exploitation tooling, supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems. PeerBlight supports capabilities to establish communications with a hard-coded C2 server ("185.247.224[.]41:8443"), allowing it to upload/download/delete files, spawn a reverse shell, modify file permissions, run arbitrary binaries, and update itself. 
ZinFoq beacons out to its C2 server and is equipped to parse incoming instructions to run commands using "/bin/bash," enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start/stop a SOCKS5 proxy, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo terminal (PTY) shell connection. ZinFoq takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services to conceal its presence. CISA has urged federal agencies to patch the React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The vulnerability has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families. Wiz observed a "rapid wave of opportunistic exploitation" of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services. Cloudflare reported that threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches. The observed activity targeted government (.gov) websites, academic research institutions, and critical-infrastructure operators. Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters. Kaspersky recorded over 35,000 exploitation attempts on a single day, December 10, 2025, with the attackers first probing the system by running commands like whoami, before dropping cryptocurrency miners or botnet malware families like Mirai/Gafgyt variants and RondoDox.
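Both PeerBlight (posing as a "ksoftirqd" kernel thread) and ZinFoq (posing as one of many legitimate system services) rely on a name that a process listing will not question. The following is an added example, written for this digest rather than taken from Huntress or any other source, of how a defender can check the attributes a name cannot fake: a genuine kernel thread has no backing executable, is parented by kthreadd (PID 2) and carries the PF_KTHREAD flag, while a daemon that borrowed a service name is betrayed by where its executable lives. The regular expression of kernel-thread names, the list of scratch directories and the sample process snapshot are all constructed for the demonstration.

```python
"""Spot user-space processes masquerading as Linux kernel threads or system daemons.
Added example (not from the page or any vendor); the name list, scratch directories
and sample snapshot are constructed starting points, not a complete catalogue."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Optional

KTHREADD_PID = 2           # parent of every genuine kernel thread
PF_KTHREAD = 0x00200000    # per-task flag set on kernel threads (/proc/<pid>/stat field 9)

# Names that only kernel threads use; a user-space process carrying one is suspect.
KERNEL_THREAD_NAME = re.compile(r"^(ksoftirqd|kworker|kswapd|kthreadd|migration|rcu_|watchdog)")

# Directories from which long-running daemons should not execute (constructed list).
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str               # process name as shown in /proc/<pid>/stat
    exe: Optional[str]      # resolved /proc/<pid>/exe, None when there is no link
    flags: int


def suspicious_reasons(p: Proc) -> list[str]:
    """Return why `p` looks like it is impersonating something, or [] if it looks normal."""
    reasons = []
    if KERNEL_THREAD_NAME.match(p.comm):
        # A real kernel thread has no backing executable, is parented by kthreadd
        # (or is kthreadd itself, ppid 0) and carries PF_KTHREAD.
        if p.exe is not None:
            reasons.append("kernel-thread name but has an on-disk executable")
        if p.ppid not in (0, KTHREADD_PID):
            reasons.append(f"kernel-thread name but parent pid is {p.ppid}, not kthreadd")
        if not p.flags & PF_KTHREAD:
            reasons.append("kernel-thread name but PF_KTHREAD flag not set")
    if p.exe:
        if p.exe.endswith(" (deleted)"):
            reasons.append("executable was deleted after launch")
        if p.exe.startswith(SCRATCH_DIRS):
            reasons.append(f"executable runs from a scratch or home directory: {p.exe}")
        if "/." in p.exe:
            reasons.append(f"executable lives in a hidden directory: {p.exe}")
    return reasons


def read_proc(pid: int) -> Proc:
    """Build a Proc from /proc (Linux only)."""
    with open(f"/proc/{pid}/stat") as fh:
        stat = fh.read()
    # comm is wrapped in parentheses and may itself contain spaces or ')', so split on the last ')'.
    lpar, rpar = stat.index("("), stat.rindex(")")
    comm = stat[lpar + 1:rpar]
    rest = stat[rpar + 2:].split()   # fields after comm: state ppid pgrp session tty tpgid flags ...
    ppid, flags = int(rest[1]), int(rest[6])
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:                  # kernel threads have no exe; permission errors also land here
        exe = None
    return Proc(pid, ppid, comm, exe, flags)


def scan_live() -> dict[int, list[str]]:
    """Walk /proc and return {pid: reasons} for every process that looks wrong."""
    findings = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            p = read_proc(int(entry))
        except (OSError, ValueError, IndexError):
            continue                 # process exited mid-scan
        reasons = suspicious_reasons(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample snapshot: a genuine kernel thread, a daemon imitating one the way
# the text describes, a daemon hiding under a legitimate service name, and a normal sshd.
SAMPLE_PROCS = [
    Proc(12, 2, "ksoftirqd/0", None, 0x00208040),
    Proc(4242, 1, "ksoftirqd", "/var/tmp/.cache/ksoftirqd", 0x00400100),
    Proc(4300, 1, "systemd-journald", "/dev/shm/.x/journald", 0x00400100),
    Proc(901, 1, "sshd", "/usr/sbin/sshd", 0x00400100),
]

if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        for r in suspicious_reasons(p):
            print(f"pid {p.pid} ({p.comm}): {r}")
```

On a live host, run `scan_live()` as root so that every `/proc/<pid>/exe` link can be read; unprivileged runs will report other users' daemons as having no executable, so treat a `None` exe as meaningful only when the flags and parent also say kernel thread. The check for a deleted executable catches loaders that remove themselves from disk after starting, which is the other common way such implants try to avoid file-based scanning.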
Security researcher Rakesh Krishnan discovered an open directory hosted on "154.61.77[.]105:8082" that includes a proof-of-concept (PoC) exploit script for CVE-2025-55182 along with two other files: "domains.txt," which contains a list of 35,423 domains, and "next_target.txt," which contains a list of 596 URLs, including companies like Dia Browser, Starbucks, Porsche, and Lululemon. The Shadowserver Foundation reported more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025, with over 88,900 instances located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600). Google's threat intelligence team linked five more Chinese hacking groups to attacks exploiting the React2Shell vulnerability. The list of state-linked threat groups exploiting the flaw now also includes UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595. GTIG researchers observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads where threat actors shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools. GTIG also spotted Iranian threat actors targeting the flaw and financially motivated attackers deploying XMRig cryptocurrency mining software on unpatched systems. The Shadowserver Foundation is currently tracking over 116,000 IP addresses vulnerable to React2Shell attacks, with over 80,000 in the United States. GreyNoise has observed over 670 IP addresses attempting to exploit the React2Shell remote code execution flaw over the past 24 hours, primarily originating from the United States, India, France, Germany, the Netherlands, Singapore, Russia, Australia, the United Kingdom, and China. Threat actors are exploiting the React2Shell vulnerability to deliver malware families like KSwapDoor and ZnDoor.
KSwapDoor is a professionally engineered remote access tool designed with stealth in mind, building an internal mesh network and using military-grade encryption. KSwapDoor impersonates a legitimate Linux kernel swap daemon to evade detection. ZnDoor is a remote access trojan that contacts threat actor-controlled infrastructure to receive and execute commands. ZnDoor supports commands such as shell, interactive_shell, explorer, explorer_cat, explorer_delete, explorer_upload, explorer_download, system, change_timefile, socket_quick_startstreams, start_in_port_forward, and stop_in_port. Google identified five China-nexus groups exploiting React2Shell to deliver various payloads, including MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and ANGRYREBEL. Microsoft reported that threat actors have used the flaw to run arbitrary commands, set up reverse shells, drop RMM tools, and modify authorized_keys files. Payloads delivered in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. Threat actors used Cloudflare Tunnel endpoints to evade security defenses and conducted reconnaissance for lateral movement and credential theft. Credential harvesting targeted the cloud Instance Metadata Service (IMDS) endpoints of Azure, AWS, GCP, and Tencent Cloud. Threat actors deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract various secrets. Beelzebub detailed a campaign exploiting Next.js flaws to extract credentials and sensitive data, including environment files, SSH keys, cloud credentials, and system files. The malware creates persistence, installs a SOCKS5 proxy, establishes a reverse shell, and installs a React scanner for further propagation. Operation PCPcat has breached an estimated 59,128 servers. The Shadowserver Foundation is tracking over 111,000 IP addresses vulnerable to React2Shell attacks, with over 77,800 instances in the U.S.
GreyNoise observed 547 malicious IP addresses from the U.S., India, the U.K., Singapore, and the Netherlands participating in exploitation efforts over the past 24 hours. The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck spotted new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform. A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later. React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement the React Server Components (RSC) 'Flight' protocol, including Next.js. The flaw has been leveraged by several threat actors to breach multiple organizations. North Korean hackers exploited React2Shell to deploy a new malware family named EtherRAT. As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell. CloudSEK says that RondoDox has passed through three distinct operational phases this year: reconnaissance and vulnerability testing from March to April 2025; automated web application exploitation from April to June 2025; and large-scale IoT botnet deployment from July to the present. Regarding React2Shell, the researchers report that RondoDox has recently concentrated its exploitation on the flaw, launching over 40 exploit attempts within six days in December. During this operational phase, the botnet conducts hourly IoT exploitation waves targeting Linksys, Wavlink, and other consumer and enterprise routers to enroll new bots.
After probing potentially vulnerable servers, CloudSEK says that RondoDox started to deploy payloads that included a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a variant of Mirai (/nuts/x86). The 'bolts' component removes competing botnet malware from the host, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds, the researchers say. CloudSEK provides a set of recommendations for companies to protect against this RondoDox activity, among them auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for suspicious processes being executed.
PlushDaemon Hijacks Software Updates in Supply-Chain Attacks
The China-linked threat actor PlushDaemon has been hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations since 2018. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware like the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader. This leads to the deployment of the SlowStepper backdoor, which enables extensive system control and data theft. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, facilitating adversary-in-the-middle (AitM) attacks. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to a malicious DNS node. They deploy two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.
Curly COMrades Exploits Hyper-V to Hide Malware in Linux VMs
Curly COMrades, a threat actor supporting Russia's geopolitical interests, has been observed abusing Microsoft's Hyper-V hypervisor in compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads. This method allows the malware to run outside the host operating system's visibility, bypassing endpoint security tools. The campaign, observed in July 2025, involved the deployment of CurlyShell and CurlyCat. The threat actors configured the virtual machine to use the Default Switch network adapter in Hyper-V to ensure that the VM's traffic travels through the host's network stack using Hyper-V's internal NAT service, causing all malicious outbound communication to appear to originate from the legitimate host machine's IP address. The attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor, while disabling its graphical management interface, Hyper-V Manager. The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two files, a VHDX disk image and a VMCX configuration file, corresponding to a pre-built Alpine Linux VM. Lastly, the threat actors used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and launch it with the name WSL, a deception tactic meant to give the impression that the Windows Subsystem for Linux was employed. The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation. The findings paint a picture of a threat actor that uses sophisticated methods to maintain long-term access in target networks, while leaving a minimal forensic footprint.
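Each step in the procedure above leaves an inventory artefact a defender can query: the hypervisor feature state, the registered VMs, their storage location and which virtual switch they attach to. The following is an added example (not code from the vendor that reported the campaign or from the page) that gathers that inventory with the standard Hyper-V and DISM PowerShell cmdlets (Get-VM, Get-VMNetworkAdapter, Get-WindowsOptionalFeature) and scores it for the pattern described: a VM named to look like WSL, a configuration stored under a user profile folder, Default Switch egress, and a host where the hypervisor is enabled while the Hyper-V Manager client is not. The name and path heuristics are constructed assumptions, as is the sample inventory used when the script is run on a non-Windows machine.

```python
"""Score a Hyper-V inventory for the hidden-VM pattern described above.
Added example; the cmdlets are the real Hyper-V/DISM PowerShell cmdlets, the name and
path heuristics and the sample inventory are constructed for this demonstration."""
import json
import re
import subprocess

# Page: the VM was imported under the name WSL. WSL 2's own utility VM is not managed
# through Get-VM, so a Get-VM entry with that name is worth a look.
WSL_LIKE = re.compile(r"^wsl\b", re.I)
# Assumption: a pre-built VM dropped from a downloaded archive tends to live under a
# user profile rather than the Hyper-V default of ProgramData\Microsoft\Windows\Hyper-V.
USER_LOCATIONS = re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop|documents|videos)\\", re.I)
DEFAULT_SWITCH = "Default Switch"


def powershell_json(command):
    """Run a PowerShell pipeline ending in ConvertTo-Json and return the parsed result as a list."""
    out = subprocess.run(
        ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", command],
        capture_output=True, text=True, check=True).stdout
    data = json.loads(out) if out.strip() else []
    return data if isinstance(data, list) else [data]   # ConvertTo-Json unwraps single items


def collect():
    """Gather VMs, their adapters and the Hyper-V feature states from the local host."""
    vms = powershell_json(
        "Get-VM | Select-Object Name, Path, ConfigurationLocation | ConvertTo-Json")
    adapters = powershell_json(
        "Get-VMNetworkAdapter -VMName * | Select-Object VMName, SwitchName | ConvertTo-Json")
    features = powershell_json(
        "Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'Microsoft-Hyper-V*' "
        "| Select-Object FeatureName, @{n='State';e={$_.State.ToString()}} | ConvertTo-Json")
    return vms, adapters, features


def assess(vms, adapters, features):
    """Return [(subject, reason)] findings; subject is a VM name or 'host'."""
    findings = []
    state = {f["FeatureName"]: f.get("State", "") for f in features}
    if (state.get("Microsoft-Hyper-V-Hypervisor") == "Enabled"
            and state.get("Microsoft-Hyper-V-Management-Clients") != "Enabled"):
        findings.append(("host", "hypervisor enabled while the Hyper-V Manager client is not installed"))

    switches = {}
    for a in adapters:
        switches.setdefault(a.get("VMName", ""), set()).add(a.get("SwitchName") or "")

    for vm in vms:
        name = vm.get("Name", "")
        reasons = []
        if WSL_LIKE.match(name):
            reasons.append("VM name imitates WSL, whose utility VM is not managed through Get-VM")
        location = vm.get("ConfigurationLocation") or vm.get("Path") or ""
        if USER_LOCATIONS.search(location):
            reasons.append(f"configuration stored under a user profile folder: {location}")
        # Default Switch alone is normal; it is reported only alongside another indicator,
        # because that is what makes the guest's traffic egress with the host's IP.
        if reasons and DEFAULT_SWITCH in switches.get(name, set()):
            reasons.append("attached to Default Switch, so its traffic egresses NATed behind the host IP")
        findings.extend((name, r) for r in reasons)
    return findings


# Constructed sample inventory: one guest matching the described pattern and one ordinary dev VM.
SAMPLE_VMS = [
    {"Name": "WSL", "Path": "C:\\Users\\alice\\Downloads\\vm",
     "ConfigurationLocation": "C:\\Users\\alice\\Downloads\\vm"},
    {"Name": "devbox", "Path": "C:\\ProgramData\\Microsoft\\Windows\\Hyper-V",
     "ConfigurationLocation": "C:\\ProgramData\\Microsoft\\Windows\\Hyper-V"},
]
SAMPLE_ADAPTERS = [
    {"VMName": "WSL", "SwitchName": "Default Switch"},
    {"VMName": "devbox", "SwitchName": "Default Switch"},
]
SAMPLE_FEATURES = [
    {"FeatureName": "Microsoft-Hyper-V-Hypervisor", "State": "Enabled"},
    {"FeatureName": "Microsoft-Hyper-V-Management-PowerShell", "State": "Enabled"},
    {"FeatureName": "Microsoft-Hyper-V-Management-Clients", "State": "Disabled"},
]

if __name__ == "__main__":
    try:
        inventory = collect()
    except (OSError, subprocess.CalledProcessError, json.JSONDecodeError):
        inventory = (SAMPLE_VMS, SAMPLE_ADAPTERS, SAMPLE_FEATURES)   # not on a Hyper-V host
    for subject, reason in assess(*inventory):
        print(f"{subject}: {reason}")
```

Get-VM only works when the Microsoft-Hyper-V-Management-PowerShell feature is present, which it was in the described intrusion since the actors used Import-VM and Start-VM; run the script elevated on the suspect host. A hit on the host-level check with no VM findings still deserves attention, because a VM can be removed after use while the feature change persists, and the DISM log and the Hyper-V-VMMS event log keep a record of when the hypervisor was enabled and when a VM was imported.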