Skip to main content
Mallory
Back to malware
MalwareUsed by 2 actorsExploits 1 CVE

HISONIC

HISONIC is a Go/Golang-based backdoor associated with China-nexus intrusion activity, particularly UNC6603. It has been observed in post-exploitation activity following exploitation of the critical React Server Components vulnerability CVE-2025-55182 ("React2Shell"), where multiple China-linked clusters deployed malware including MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and ANGRYREBEL.LINUX. Reporting states UNC6603 delivered an updated version of HISONIC and used it in attacks targeting cloud environments, including AWS and Alibaba Cloud infrastructure in the Asia-Pacific region. The updated HISONIC variant is described as blending into legitimate network activity by using legitimate cloud services such as Cloudflare Pages, Cloudflare, and GitLab to retrieve encrypted configuration and communicate covertly. In one investigated incident, JPCERT/CC observed installation of the HISONIC backdoor under the filename "javax" multiple times on December 6, 2025, on a compromised server that had been exploited via CVE-2025-55182. High-confidence context indicates HISONIC functions as a persistent backdoor used in espionage-oriented operations by UNC6603. Known indicators directly mentioned in the content include the filename "javax" used for the HISONIC payload; broader reporting also notes that SHA256 hashes for HISONIC samples were published, though the hashes themselves are not included in the provided content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2025-55182React2ShellExploited in the wild

Since exploitation began last week, our team at Google Threat Intelligence Group (GTIG) has been tracking widespread activity as multiple threat clusters race to leverage React2Shell (CVE-2025-55182). | Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

via austin larsen blogaustinlarsen.me
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
UNC6603

Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

via austin larsen blogaustinlarsen.me
UNC6600

Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

via austin larsen blogaustinlarsen.me
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence3
TacticInitial Access

“React2Shell exploitation continues… globally exploited… victims triaged… distinct campaigns leveraging this vulnerability…” and “threat actor use React2Shell as the initial access vector in a ransomware attack.”

Command and Control

1 technique
T1090.003Multi-hop ProxyEvidence1
TacticCommand and Control

China-Nexus Espionage: Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
jpcert blogNews
Feb 13, 2026
Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise - JPCERT/CC Eyes | JPCERT Coordination Center official Blog

Golang-based backdoor installed after exploitation to provide remote access/persistence on the compromised host.

Read more
ctoatncsc substackNews
Dec 20, 2025
CTO at NCSC Summary: week ending December 21st - nearly Christmas edition ❄️🎄🎅🤶🎄❄️

Backdoor deployed in campaigns exploiting React2Shell (CVE-2025-55182) per the referenced reporting.

Read more
the hacker newsNews
Dec 16, 2025
React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

A Go-based backdoor that retrieves encrypted configuration from Cloudflare Pages and GitLab, designed to blend in with legitimate network activity.

Read more
bleeping computerNews
Dec 15, 2025
Google links more Chinese hacking groups to React2Shell attacks

HISONIC is a backdoor malware, with an updated version deployed by UNC6603, used to maintain access and control over systems compromised via the React2Shell vulnerability.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.