China-nexus cyber threat groups
China-nexus cyber threat groups are state-sponsored actors linked to the Chinese government, known for rapidly exploiting high-impact vulnerabilities in widely used software. Recent activity includes the active exploitation of the React2Shell (CVE-2025-55182) unauthenticated RCE vulnerability in React Server Components and Next.js, as observed by AWS Security. These groups use tactics such as remote code execution, backdoor installation, credential theft, and lateral movement, often targeting cloud environments and production web servers. Their operations are characterized by swift exploitation of zero-days and a focus on large-scale, high-value targets. Notably, the Warp Panda/UNC5221 group, previously associated with Ivanti zero-day exploits, has also been linked to advanced campaigns such as the BrickStorm malware in VMware environments. China-nexus groups are considered highly sophisticated, with a history of targeting organizations globally for espionage and strategic advantage.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
A critical vulnerability has been identified in the React Server Components (RSC) protocol. The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments. This vulnerability originates in the upstream React implementation (CVE-2025-55182).
This vulnerability originates in the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the downstream impact on Next.js applications using the App Router.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
These China-nexus cyber threat groups are rapidly exploiting the React2Shell (CVE-2025-55182) vulnerability to achieve unauthenticated remote code execution on servers running vulnerable versions of React Server Components and frameworks like Next.js. Their activity includes full server takeover, installation of backdoors, credential harvesting, and lateral movement.
China-nexus cyber threat groups are rapidly exploiting the React2Shell vulnerability in React and Next.js to achieve remote code execution in cloud environments.