React2Shell (CVE-2025-55182) Incident Response Playbook
1.0 Threat Profile & Incident Overview
Understanding the strategic context of a cyber incident is paramount to mounting an effective defense. A technical vulnerability is merely a latent weakness; it is the threat actor's exploitation of that weakness that creates risk. This playbook begins by profiling the React2Shell vulnerability (CVE-2025-55182) and the specific threat actors observed leveraging it in the wild. This context informs the urgency, scope, and direction of the subsequent response procedures, linking a critical software flaw to observed adversary behaviors and objectives.
React2Shell (CVE-2025-55182) is a critical unauthenticated Remote Code Execution (RCE) vulnerability stemming from insecure deserialization in React Server Components. With a maximum severity CVSS score of 10.0, this flaw allows an attacker to execute arbitrary code on a server by sending a specially crafted HTTP request. The vulnerability affects React versions 19.x and Next.js versions 15.x and 16.x (when using the App Router), as well as Next.js canary builds 14.3.0 and later. Critically, applications are vulnerable even if they do not explicitly use server functions, so long as they support React Server Components in their default configuration.
Key Threat Actors
Intelligence from AWS and Palo Alto Networks Unit 42 indicates that within hours of public disclosure, multiple threat actors, primarily with a China-nexus, began actively exploiting this vulnerability. Observed actors include:
Earth Lamia: Identified by AWS as a China-nexus cyber threat actor known for targeting organizations across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda: Identified by AWS as a China-nexus actor focused on entities in East and Southeast Asia, likely for domestic security and intelligence collection purposes.
CL-STA-1015: An initial access broker (IAB) identified by Unit 42 with suspected ties to the People's Republic of China (PRC) Ministry of State Security (MSS). This group specializes in gaining initial access to networks and selling that access to other threat actors.
Attacker Objectives
Post-exploitation activity follows a clear, methodical pattern. Attackers begin with reconnaissance, using Base64-obfuscated commands to understand the environment. This is followed by attempts to harvest cloud credentials for lateral movement. To maintain access, they deploy webshells like fm.js for interactive control and establish persistent C2 via Cobalt Strike. The ultimate objectives diverge, with some actors deploying sophisticated backdoors like NOODLERAT for long-term espionage, while others deploy cryptomining software for immediate financial gain.
Understanding this threat landscape is the first step. The next is to actively hunt for the evidence these actors leave behind.
2.0 Threat Hunting & Detection Procedures
Threat hunting is a critical, proactive measure to uncover evidence of a compromise that may have evaded automated defenses. The following procedures are designed to guide security analysts in searching for specific indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with React2Shell exploitation across network, host, and process layers.
2.1 Network-Level Detection
Initial Exploit Vector: Analyze web server logs, WAF logs, and network traffic captures for malicious HTTP POST requests. Key characteristics include:
Presence of next-action or rsc-action-id headers.
Request bodies containing the character pattern $@.
Request bodies containing the JSON pattern "status":"resolved_model".
Cobalt Strike C2 Communication: A threat actor was observed establishing a bash reverse shell to a probable Cobalt Strike server. Any outbound connection from a web server to the following IP address and port is a high-confidence indicator of compromise:
38.162.112[.]141 on port 8899
NOODLERAT C2 Endpoints: The following endpoints have been associated with the deployment and operation of the NOODLERAT backdoor:
hxxp://146.88.129[.]138:5511/443nb64
tcp://vip[.]kof97.lol:443
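The following is an added example (not part of the original playbook) showing how the section 2.1 indicators translate into a small triage script: it scores HTTP request records for the next-action / rsc-action-id headers and the two body patterns, and checks outbound connection records against the C2 endpoints. The request and flow record layouts, the refang helper and the rule names are assumptions; map the fields from your WAF, proxy or flow log schema.

```python
"""Network-layer triage for the section 2.1 indicators.

Added example, not part of the original playbook. It scores HTTP request
records against the request-level indicators the playbook lists (next-action
or rsc-action-id headers, the "$@" body pattern, the "status":"resolved_model"
JSON pattern) and checks outbound connection records against the C2 endpoints.
The record layouts below are assumptions; map them from your WAF, proxy or
flow log schema.
"""
import re

# C2 endpoints copied from the playbook, kept defanged so the list is safe to paste.
C2_ENDPOINTS = {
    ("38.162.112[.]141", 8899),     # probable Cobalt Strike
    ("146.88.129[.]138", 5511),     # NOODLERAT
    ("vip[.]kof97.lol", 443),       # NOODLERAT
}
EXPLOIT_HEADERS = {"next-action", "rsc-action-id"}
BODY_PATTERNS = {
    "body_dollar_at": re.compile(r"\$@"),
    "body_resolved_model": re.compile(r'"status"\s*:\s*"resolved_model"'),
}


def refang(indicator):
    """Turn a defanged indicator back into the literal form that appears in logs."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


# Refanged copy used for matching; the defanged set above stays the source of truth.
C2_LIVE = {(refang(host), port) for host, port in C2_ENDPOINTS}


def score_request(headers, body):
    """Return the indicator names present in one HTTP request (empty list = clean).

    Header names are compared case-insensitively. The playbook describes the
    exploit as a POST, so callers may want to prioritise POST hits, but the
    headers alone are unusual enough to report regardless of method.
    """
    hits = []
    lowered = {name.lower() for name in headers}
    for header in sorted(EXPLOIT_HEADERS & lowered):
        hits.append("header:" + header)
    for name, pattern in BODY_PATTERNS.items():
        if pattern.search(body):
            hits.append(name)
    return hits


def is_c2_connection(dst_host, dst_port):
    """True when an outbound connection matches a known C2 host and port."""
    return (dst_host, int(dst_port)) in C2_LIVE


def triage(requests, flows):
    """Run both checks over request and flow records and summarise the hits."""
    exploit_attempts = {}
    for req in requests:
        hits = score_request(req["headers"], req["body"])
        if hits:
            exploit_attempts[req["id"]] = hits
    c2_connections = [f["id"] for f in flows if is_c2_connection(f["dst"], f["port"])]
    return {"exploit_attempts": exploit_attempts, "c2_connections": c2_connections}


# Constructed sample records (not real traffic) to exercise the checks.
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "POST",
     "headers": {"Next-Action": "constructed", "Content-Type": "text/plain"},
     "body": 'constructed body containing $@ and "status":"resolved_model"'},
    {"id": "r2", "method": "POST", "headers": {"Content-Type": "application/json"},
     "body": '{"name":"ordinary request"}'},
    {"id": "r3", "method": "GET", "headers": {"rsc-action-id": "constructed"}, "body": ""},
]
SAMPLE_FLOWS = [
    {"id": "f1", "dst": "38.162.112.141", "port": 8899},
    {"id": "f2", "dst": "10.0.0.5", "port": 443},
    {"id": "f3", "dst": "vip.kof97.lol", "port": 443},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REQUESTS, SAMPLE_FLOWS), indent=2))
```

Header matching is case-insensitive because proxies and WAFs normalise header names differently; the body patterns are applied as written in the playbook, with optional whitespace allowed around the JSON colon.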
2.2 Host-Level Detection: File System Artifacts
Attackers have been observed dropping multiple malicious scripts and artifacts onto compromised servers, often in temporary directories. Use the following find command to hunt for these artifacts in common attacker directories:
sudo find /tmp /var/tmp /dev /opt /usr/local -maxdepth 5 -type f \( -name 'sex.sh' -o -name 'fn32.sh' -o -name 'fm.js' -o -name 'slt' \) 2>/dev/null
The following table details key file-based indicators.

Filename       Description
sex.sh         A malicious shell script used as a dropper to download and execute secondary payloads, such as XMRig cryptominers.
fm.js          An interactive webshell disguised as a React file manager, enabling directory browsing, file exfiltration, and command execution.
slt            A malicious shell script payload, often executed in a "fileless" manner, associated with the CL-STA-1015 activity cluster.
fn32.sh        A shell script used during automated scanning and reconnaissance activities.
segawon.txt    A verification artifact created in web directories to confirm successful compromise and map the server's file structure.
Additionally, the CL-STA-1015 activity cluster is associated with the deployment of the SNOWLIGHT dropper and VShell RAT. Search for files matching the following hashes:
SNOWLIGHT (bash script): a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4
SNOWLIGHT (ELF binary): 4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b
VShell: 4745703f395282a0687def2c7dcf82ed1683f3128bef1686bd74c966273ce1c5
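As an added example (not part of the original playbook), the script below reproduces the find command from section 2.2 in Python and extends it with SHA256 matching against the SNOWLIGHT and VShell hashes, so one pass reports both known filenames and known contents. The hunt roots and depth mirror the find command; the per-file size cap, the findings layout and the constructed sample tree are assumptions. segawon.txt is written to web directories, so the application's document root should be added to the roots when hunting for it.

```python
"""Host artifact hunt for the section 2.2 indicators.

Added example, not part of the original playbook. It reproduces the playbook's
find command in Python and extends it with SHA256 matching against the
SNOWLIGHT and VShell hashes, so one pass over the attacker-favoured directories
reports both known filenames and known file contents. The hunt roots and depth
mirror the find command; the per-file size cap and the findings layout are
assumptions.
"""
import hashlib
import os
import stat
import tempfile

# File-based indicators copied from the playbook.
KNOWN_NAMES = {"sex.sh", "fn32.sh", "fm.js", "slt", "segawon.txt"}
KNOWN_SHA256 = {
    "a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4": "SNOWLIGHT bash script",
    "4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b": "SNOWLIGHT ELF binary",
    "4745703f395282a0687def2c7dcf82ed1683f3128bef1686bd74c966273ce1c5": "VShell",
}
HUNT_ROOTS = ["/tmp", "/var/tmp", "/dev", "/opt", "/usr/local"]
MAX_HASH_BYTES = 64 * 1024 * 1024   # assumption: do not hash files larger than this


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large files never sit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt(roots, max_depth=5, names=KNOWN_NAMES, hashes=KNOWN_SHA256):
    """Walk each root to max_depth (find -maxdepth semantics) and return findings.

    Only regular files are examined (device nodes under /dev and symlinks are
    skipped, as with find -type f). Unreadable files become error findings
    rather than aborting the hunt.
    """
    findings = []
    for root in roots:
        root = os.path.abspath(root)
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            rel = os.path.relpath(dirpath, root)
            dir_depth = 0 if rel == "." else rel.count(os.sep) + 1
            if dir_depth + 1 >= max_depth:   # files one level further down would exceed max_depth
                dirnames[:] = []
            for fname in filenames:
                full = os.path.join(dirpath, fname)
                try:
                    st = os.lstat(full)
                    if not stat.S_ISREG(st.st_mode):
                        continue
                    if fname in names:
                        findings.append({"path": full, "reason": "name:" + fname})
                    if st.st_size <= MAX_HASH_BYTES:
                        digest = sha256_of(full)
                        if digest in hashes:
                            findings.append({"path": full, "reason": "hash:" + hashes[digest]})
                except OSError as exc:
                    findings.append({"path": full, "reason": "error:" + str(exc.strerror)})
    return findings


def constructed_sample():
    """Build a scratch tree (constructed, no real malware) and the hash map that matches it.

    Returns the tree root and a hash map for a harmless file placed in it, so
    the hash path can be exercised without possessing the real samples.
    """
    root = tempfile.mkdtemp(prefix="react2shell-hunt-")
    with open(os.path.join(root, "fm.js"), "w") as fh:
        fh.write("// constructed placeholder, not the webshell\n")
    payload = b"constructed sample content\n"
    with open(os.path.join(root, "payload.bin"), "wb") as fh:
        fh.write(payload)
    deep = os.path.join(root, "a", "b", "c", "d", "e")   # a file here is depth 6: beyond -maxdepth 5
    os.makedirs(deep)
    with open(os.path.join(deep, "fm.js"), "w") as fh:
        fh.write("// out of range for the default depth\n")
    return root, {hashlib.sha256(payload).hexdigest(): "constructed sample"}


if __name__ == "__main__":
    root, sample_hashes = constructed_sample()
    for finding in hunt([root], hashes=sample_hashes):
        print(finding["reason"], finding["path"])
    # For a real hunt: hunt(HUNT_ROOTS) with the playbook's name and hash sets.
```

Run it as root so that /opt and /usr/local are fully readable; the depth limit keeps the walk comparable in cost to the find command, and the size cap avoids hashing large archives or container images under /opt.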
2.3 Host-Level Detection: Process & Command-Line Analysis
Immediately following successful exploitation, attackers execute a series of reconnaissance commands to gather situational awareness. These are often executed using Base64 encoding to obfuscate their intent.
Initial Reconnaissance Commands: The decoded commands typically include a sequence to fingerprint the system and its network environment:
uname -a
id
hostname -I
ls -la
ls -la /
ls -la ~
cat /etc/hosts
cat /etc/resolv.conf
Execution Format: Look for the following command-line pattern used to decode and execute the reconnaissance payload:
Payload Download and Execution: Monitor for command-line activity involving curl and wget to download and execute remote scripts.
Dropper Script Execution:
Fileless Execution (CL-STA-1015):
Suspicious Child Processes: A primary indicator of compromise is the spawning of unexpected child processes by the legitimate node or node.exe application process. Security teams should investigate any instances where the Node.js process spawns shells or reconnaissance tools, including:
sh
bash
curl
wget
uname
id
whoami
2.4 Host-Level Detection: Persistence Mechanisms
NOODLERAT Backdoor: This is a sophisticated, stealthy backdoor confirmed to have both Windows and Linux versions. It is suspected to be used by Chinese-speaking groups and is designed for long-term persistence, surviving system reboots. Hunting for the Linux version should focus on the following:
Abuse of the /etc/ld.so.preload file to load malicious shared objects.
The presence of suspicious ELF binaries in non-standard executable paths like /tmp, /var/tmp, or /opt/.
Long-running processes with generic system names (e.g., kworker, cron) that are executing from unusual directories.
fm.js Webshell Persistence: Attackers have been observed using two primary techniques to ensure the fm.js webshell remains active:
Using nohup node fm.js to run the webshell process in the background, detached from the user's session.
Employing sed commands to iteratively change the listening port of the webshell (e.g., to 3000, 8080, 8888, 9000), likely to evade firewall rules or find an open port.
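The persistence indicators in section 2.4 can be checked with the added example below (not part of the original playbook). It covers the three NOODLERAT hunting points (entries in /etc/ld.so.preload, ELF binaries under temporary directories, generic-named processes running from unusual locations) and the two fm.js techniques (node fm.js kept alive with nohup, sed edits of the listening port). Process records are plain dicts with pid, name, exe and cmdline (an assumed layout; collect them from /proc/<pid>/exe and /proc/<pid>/cmdline or your EDR), and the lists of standard library and binary directories are assumptions to tune per distribution.

```python
"""Persistence checks for the section 2.4 indicators.

Added example, not part of the original playbook. It covers the three
NOODLERAT hunting points the playbook names (entries in /etc/ld.so.preload,
ELF binaries under temporary directories, generic-named processes running
from unusual locations) and the two fm.js persistence techniques (node fm.js
kept alive with nohup, sed edits of the listening port). Process records are
plain dicts with pid, name, exe and cmdline (an assumed layout). The
"standard" library and binary directories are an assumption to tune per
distribution.
"""
import os
import tempfile

STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
STANDARD_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")
GENERIC_NAMES = {"kworker", "cron", "crond"}   # kworker and cron are the playbook's examples
TEMP_ROOTS = ["/tmp", "/var/tmp", "/opt"]
ELF_MAGIC = b"\x7fELF"


def _under(path, dirs):
    """True when path lies inside one of dirs."""
    return any(path == d or path.startswith(d + "/") for d in dirs)


def check_ld_preload(contents):
    """Return ld.so.preload entries that point outside the standard library dirs.

    Most hosts have no /etc/ld.so.preload at all, so any entry is worth a
    look; entries outside the library directories are returned as findings.
    Pass the file's text, e.g. open("/etc/ld.so.preload").read().
    """
    findings = []
    for line in contents.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry and not _under(entry, STANDARD_LIB_DIRS):
            findings.append(entry)
    return findings


def is_elf(path):
    """True when the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def elf_files_in(roots):
    """List regular files under roots (symlinks skipped) that carry the ELF magic."""
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root, followlinks=False):
            for fname in filenames:
                path = os.path.join(dirpath, fname)
                if os.path.isfile(path) and not os.path.islink(path) and is_elf(path):
                    hits.append(path)
    return sorted(hits)


def check_processes(procs):
    """Apply the playbook's process-level persistence indicators; returns (pid, rule) pairs."""
    findings = []
    for proc in procs:
        name = proc["name"].split("/")[0]          # "kworker/0:1" -> "kworker"
        exe = proc.get("exe", "")
        argv = proc.get("cmdline", "").split()
        # Real kernel threads have no exe link; a "kworker" with an exe in /tmp is the masquerade case.
        if name in GENERIC_NAMES and exe and not _under(exe, STANDARD_BIN_DIRS):
            findings.append((proc["pid"], "generic_name_unusual_path"))
        if "fm.js" in argv and (argv[:1] == ["nohup"] or "node" in argv[:2]):
            findings.append((proc["pid"], "fm_js_webshell"))
        if argv[:1] == ["sed"] and "fm.js" in argv:
            findings.append((proc["pid"], "fm_js_port_edit"))
    return findings


# Constructed samples (not from a real host) used by the demo below.
CONSTRUCTED_PRELOAD = (
    "/usr/lib/x86_64-linux-gnu/libexample.so   # constructed entry inside a library dir\n"
    "/tmp/.cache/libexample.so\n"
)
CONSTRUCTED_PROCS = [
    {"pid": 1, "name": "systemd", "exe": "/usr/lib/systemd/systemd", "cmdline": "/sbin/init"},
    {"pid": 2, "name": "kworker/0:1", "exe": "", "cmdline": ""},
    {"pid": 2100, "name": "kworker", "exe": "/tmp/.x/kworker", "cmdline": "kworker"},
    {"pid": 2200, "name": "cron", "exe": "/usr/sbin/cron", "cmdline": "/usr/sbin/cron -f"},
    {"pid": 2300, "name": "node", "exe": "/usr/bin/node", "cmdline": "node fm.js"},
    {"pid": 2400, "name": "sed", "exe": "/usr/bin/sed", "cmdline": "sed -i s/3000/8080/ fm.js"},
]


def constructed_temp_tree():
    """Create a scratch directory holding one ELF-headed file and one text file (not real malware)."""
    root = tempfile.mkdtemp(prefix="react2shell-persist-")
    with open(os.path.join(root, "svc"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)   # header bytes only, not runnable
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("plain text\n")
    return root


if __name__ == "__main__":
    print("ld.so.preload:", check_ld_preload(CONSTRUCTED_PRELOAD))
    print("processes:", check_processes(CONSTRUCTED_PROCS))
    print("ELF under scratch dir:", elf_files_in([constructed_temp_tree()]))
    # On a live host: check_ld_preload(open("/etc/ld.so.preload").read()) and elf_files_in(TEMP_ROOTS).
```

Genuine kernel threads such as kworker have no readable exe link, which is why the generic-name rule only fires when an exe path exists and lies outside the standard binary directories; a user-space process carrying a kernel-thread name and an executable under /tmp is the masquerade the playbook describes.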
Successfully detecting indicators of compromise is the trigger to escalate from hunting to a formal incident response protocol.
3.0 Confirmed Compromise Response Protocol
Once any indicator of compromise detailed in this playbook is confirmed, security teams must immediately shift from threat hunting to a structured incident response process. The primary goals are to contain the threat, prevent lateral movement and further damage, and restore the integrity of the affected systems.
Phase 1: Containment
The first priority is to stop the bleeding.
Isolate the Host: Immediately remove the affected host from the network. This can be achieved by disabling the virtual network interface, applying a host-based firewall rule to block all traffic, or moving the host to a quarantined network segment. This action prevents the attacker from moving laterally within your environment.
Block Malicious IPs: At the network perimeter (e.g., edge firewall, cloud security group), implement rules to block all inbound and outbound traffic to known malicious IP addresses, with the highest priority on the identified Cobalt Strike C2 server: 38.162.112[.]141.
Phase 2: Eradication & Recovery
As detailed in the threat hunting section, the deployment of persistent backdoors like NOODLERAT—which can abuse system-level mechanisms like /etc/ld.so.preload and masquerade as legitimate processes to survive reboots—makes simple file deletion an unreliable remediation strategy. The only way to ensure complete eradication is a full server rebuild from a known-good, trusted image. Attempting to "clean" the infected host in place carries a high risk of leaving remnants of the compromise behind.
Following the server rebuild, the following actions are critical before redeploying the application to production:
Rotate All Credentials: Rotate all credentials and secrets that were accessible from the compromised host. This includes API keys, database passwords, service account credentials, and any cloud IAM roles or access keys. Assume all secrets on the host were compromised.
Patch the Vulnerability: Before the application is redeployed, it must be updated to a non-vulnerable version of React/Next.js to prevent immediate re-compromise.
This structured response ensures the immediate threat is neutralized and the underlying vulnerability is closed, setting the stage for ongoing monitoring against the consolidated indicators in the appendix. Following recovery, a retrospective analysis should be conducted to improve logging, detection rules, and security posture based on the TTPs observed in this incident.
4.0 Appendix: Consolidated Indicators of Compromise (IOCs)
This appendix provides a consolidated, quick-reference list of all technical indicators detailed in this playbook for use by security operations and incident response teams.
Malicious IP Addresses
38.162.112[.]141 (Probable Cobalt Strike C2)
206.237.3[.]150 (Associated with Earth Lamia)
45.77.33[.]136 (Associated with Jackpot Panda)
183.6.80[.]214 (Unattributed threat cluster)
143.198.92[.]82 (Anonymization Network)
115.42.60[.]223
156.234.209[.]103
45.32.158[.]54
46.36.37[.]85
Malicious File Payloads
sex.sh
fm.js
slt
fn32.sh
Malicious File Hashes (SHA256)
a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4 (SNOWLIGHT bash script)
4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b (SNOWLIGHT ELF binary)
4745703f395282a0687def2c7dcf82ed1683f3128bef1686bd74c966273ce1c5 (VShell)
Known Malicious URLs & Domains
hxxp://46.36.37[.]85:12000/sex.sh
hxxp://115.42.60[.]223:61236/slt
hxxp://146.88.129[.]138:5511/443nb64
hxxp://45.32.158[.]54/5e51aff54626ef7f/x86_64
hxxp://156.234.209[.]103:20912/get.sh
hxxps://raw.githubusercontent[.]com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh
hxxps://sup001.oss-cn-hongkong.aliyuncs[.]com/123/python1.sh
hxxp://help.093214[.]xyz:9731/fn32.sh
tcp://vip[.]kof97.lol:443
hxxp://keep.camdvr[.]org:8000/d5.sh