
Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise

ID: 1beb6559-794c-5ce9-b5e7-bbf74a7b8eca

STIX ID: report--1beb6559-794c-5ce9-b5e7-bbf74a7b8eca

Feed Name: JPCERT Blog

Threat Score: 78/100

Date Published: 2026-02-13

Date Updated: 2026-04-19

Author: 喜野 孝太(Kota Kino)


This JPCERT/CC case study describes rapid, widespread exploitation of CVE-2025-55182 (React2Shell) beginning within days of disclosure. Multiple threat actors used automated probes to compromise servers, deployed coin miners (xmrig), installed backdoors (HISONIC), the SNOWLIGHT downloader, and CrossC2, abused Global Socket for remote access, and conducted website defacements. The report provides an attack timeline, malware hashes, and C2 IPs, and recommends prompt patching and detection of compromises.
