Two hacking teams with ties to China have been noticed weaponizing the newly disclosed security flaw in React Server Parts (RSC) inside hours of it turning into public data.
The vulnerability in query is CVE-2025-55182 (CVSS rating: 10.0), aka React2Shell, which permits unauthenticated distant code execution. It has been addressed in React variations 19.0.1, 19.1.2, and 19.2.1.
Based on a brand new report shared by Amazon Net Providers (AWS), two China-linked risk actors generally known as Earth Lamia and Jackpot Panda have been noticed trying to use the maximum-severity security flaw.
“Our evaluation of exploitation makes an attempt in AWS MadPot honeypot infrastructure has recognized exploitation exercise from IP addresses and infrastructure traditionally linked to identified China state-nexus risk actors,” CJ Moses, CISO of Amazon Built-in Safety, mentioned in a report shared with The Hacker Information.
Particularly, the tech big mentioned it recognized infrastructure related to Earth Lamia, a China-nexus group that was attributed to assaults exploiting a important SAP NetWeaver flaw (CVE-2025-31324) earlier this 12 months.
The hacking crew has focused sectors throughout monetary providers, logistics, retail, IT corporations, universities, and authorities organizations throughout Latin America, the Center East, and Southeast Asia.
The assault efforts have additionally originated from infrastructure associated to a different China-nexus cyber risk actor generally known as Jackpot Panda, which has primarily singled out entities which are both engaged in or assist on-line playing operations in East and Southeast Asia.
Jackpot Panda, per CrowdStrike, is assessed to be energetic since a minimum of 2020, and has focused trusted third-party relationships in an try and deploy malicious implants and acquire preliminary entry. Notably, the risk actor was linked to the availability chain compromise of a chat app generally known as Comm100 in September 2022. The exercise is tracked by ESET as Operation ChattyGoblin.
It has since emerged {that a} Chinese language hacking contractor, I-Quickly, could have been concerned within the provide chain assault, citing infrastructure overlaps. Curiously, assaults mounted by the group in 2023 have primarily centered on Chinese language-speaking victims, indicating doable home surveillance.
“Starting in Might 2023, the adversary used a trojanized installer for CloudChat, a China-based chat software well-liked with unlawful, Chinese language-speaking playing communities in Mainland China,” CrowdStrike mentioned in its World Risk Report launched final 12 months.
“The trojanized installer served from CloudChat’s web site contained the primary stage of a multi-step course of that in the end deployed XShade – a novel implant with code that overlaps with Jackpot Panda’s distinctive CplRAT implant.”
Amazon mentioned it additionally detected risk actors exploiting 2025-55182 together with different N-day flaws, together with a vulnerability in NUUO Digital camera (CVE-2025-1338, CVSS rating: 7.3), suggesting broader makes an attempt to scan the web for unpatched techniques.
The noticed exercise includes makes an attempt to run discovery instructions (e.g., whoami), write information (“/tmp/pwned.txt”), and skim information containing delicate data (e.g., “/and so forth/passwd”).
“This demonstrates a scientific strategy: risk actors monitor for brand new vulnerability disclosures, quickly combine public exploits into their scanning infrastructure, and conduct broad campaigns throughout a number of Frequent Vulnerabilities and Exposures (CVEs) concurrently to maximise their possibilities of discovering weak targets,” Moses mentioned.
