opportunistic_and_criminal_threat_actors
Opportunistic and criminal threat actors have been observed exploiting CVE-2025-55182 (React2Shell), a critical unauthenticated remote code execution vulnerability in React Server Components and related frameworks such as Next.js, following its public disclosure on 2025-12-03. Reported activity includes widespread automated scanning and exploitation by non-state actors using Mirai-based botnets, as well as deployment of XMRig cryptominers, the PeerBlight backdoor, reverse proxies, and Go-based implants. Payload delivery commonly uses wget or curl to retrieve and execute malicious scripts or droppers. In some cases, Mirai variant deployments were attempted in container environments. Based on the provided content, these actors are characterized as non-state, opportunistic, and criminal rather than a named nation-state group.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.