Skip to main content
Mallory
Back to threat actors
3 malware familiesExploits CVEs in the wild

china_nexus_threat_actors

Also known aschina_nexus_threat_actorchina_nexus_threat_actors

China-nexus (including Beijing-linked) threat actors observed in 2025 activity tied to (1) active exploitation of the React2Shell vulnerability (CVE-2025-55182) in React Server Components and (2) misuse of Google’s Gemini LLM in support of cyber operations. In React2Shell campaigns, early exploitation was linked to China- and Iran-nexus actors, with Beijing-linked hackers reported by AWS and Google as actively exploiting the flaw. The exploitation is used for arbitrary code execution and follow-on payload delivery, including malware and, in some cases, ransomware; attackers have been observed blending malicious actions into legitimate-looking application traffic and chaining the vulnerability with other weaknesses and misconfigurations. Separately, Google Threat Intelligence Group reported a China-nexus actor bypassing Gemini safeguards by posing as a cybersecurity student in a CTF competition, and noted state-backed actors from China leveraging Gemini for reconnaissance, phishing, and tooling development. No specific group name, sub-group, or additional aliases are provided in the source content beyond the generic China-nexus/Beijing-linked characterization.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

16 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics27 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1190×2
Exploit Public-Facing Application
T1195×2
Supply Chain Compromise
T1195.002
Compromise Software Supply Chain
T1566
Phishing
T1566.002
Spearphishing Link
TA0002
Execution
1 technique
T1574
Hijack Execution Flow
T1574.001
DLL
TA0003
Persistence
1 technique
T1547
Boot or Logon Autostart Execution
TA0004
Privilege Escalation
1 technique
T1547
Boot or Logon Autostart Execution
TA0005
Stealth
2 techniques
T1027
Obfuscated Files or Information
T1574
Hijack Execution Flow
T1574.001
DLL
TA0006
Credential Access
3 techniques
T1040×2
Network Sniffing
T1056
Input Capture
T1056.003
Web Portal Capture
T1557
Adversary-in-the-Middle
TA0007
Discovery
1 technique
T1040×2
Network Sniffing
TA0009
Collection
2 techniques
T1056
Input Capture
T1056.003
Web Portal Capture
T1557
Adversary-in-the-Middle
TA0011
Command and Control
3 techniques
T1090
Proxy
T1090.002
External Proxy
T1105×2
Ingress Tool Transfer
T1572
Protocol Tunneling
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
TA0040
Impact
1 technique
T1565
Data Manipulation
T1565.001×3
Stored Data Manipulation
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
DKnife"China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery" ... "dubbed DKnife" ... "comprises seven Linux-based implants" designed to "perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices."4Mar 8, 2026
DarkNimbusSince 2023, Cisco Talos has tracked the MOONSHINE exploit kit and the DarkNimbus backdoor used to deliver mobile exploits.2Mar 8, 2026
ShadowPadDKnife... serves as a delivery mechanism for two notorious backdoors: ShadowPad and DarkNimbus.2Mar 8, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2024-12356Unauthenticated RCE in BeyondTrust PRA and RSIn the wildEvidence1

Unlike the Remote Support zero-day (CVE-2024-12356) that was flagged after having been exploited by China-nexus threat actors to breach the US Treasury Department in late 2024...

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
register securityNews
Dec 18, 2025
React2Shell exploitation spreads as Microsoft counts hundreds of hacked machines

Engaged in large-scale exploitation of the React2Shell (CVE-2025-55182) vulnerability to gain initial access to servers, deploy malware, cryptominers, and potentially ransomware.

Read more
security online infoNews
Nov 6, 2025
Next-Gen Threat: Google Exposes AI-Enabled Malware That Rewrites Its Own Code with Gemini LLM

A China-nexus threat actor is using social engineering to bypass AI safeguards, leveraging Gemini to refine exploitation scripts, phishing kits, and web shells.

Read more
the hacker newsNews
Jul 22, 2025
Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access

Early exploitation of critical Microsoft SharePoint vulnerabilities (CVE-2025-53770, CVE-2025-49706, and related) targeting government, telecom, technology, and critical infrastructure sectors in North America and Western Europe, primarily for credential and cryptographic key theft to enable persistent access and potential lateral movement.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping16

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.