URGENT: React2Shell Vulnerability Exploited by Chinese Hackers! Protect Your Apps! (2026)

A Critical Alert: Chinese Hackers Targeting React2Shell Vulnerability

Amazon's threat intelligence teams have reported active exploitation attempts by China-nexus state-affiliated actors against the React2Shell vulnerability (CVE-2025-55182). The flaw sits in React Server Components, carries the maximum CVSS score of 10.0, and affects React and Next.js applications that use the App Router. AWS's own services are not affected; Amazon is publishing the intelligence for organisations that run their own React or Next.js applications.

China's Cyber Threat Dominance
China continues to dominate the state-sponsored cyber threat landscape. China-nexus actors routinely exploit publicly disclosed vulnerabilities within hours or days of disclosure, which leaves defenders a patching window measured in hours rather than maintenance cycles. C.J. Moses, CISO of Amazon Integrated Security, makes this point in a recent AWS Blogs post and stresses the need for immediate action.

AWS's Multi-Layered Defense
AWS has deployed several layers of automated protection, including Sonaris active defense, AWS WAF managed rules, and perimeter security controls. Moses is explicit that these controls are not a substitute for patching: managed AWS services are not affected, but customers running React or Next.js in their own environments must update vulnerable applications immediately.
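Before you can patch you have to find every affected deployment. The script below is an added example written for this page, not code from AWS or the React/Next.js projects: it reads a project's package-lock.json, reports the installed copies of next and of the React Server Components runtime packages (including nested copies that npm dedupe can hide under node_modules/next/node_modules/), checks whether the project uses the App Router (an app/ or src/app/ directory), and compares each version against the fix releases you pass in. The fix release numbers are not stated on this page and must be copied from the React and Next.js advisories; the values in the demo are placeholders. Which npm packages carry the RSC runtime is my assumption, as is the sample lockfile, which is constructed.

```python
import json
import tempfile
from pathlib import Path

# Packages that ship the React Server Components (RSC) server-side runtime.
# Assumption: the article places the flaw in React Server Components but does
# not name npm packages; these are the ones a lockfile check should look at.
RSC_PACKAGES = ("react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel")


def parse_version(v):
    """'^15.2.3-canary.1' -> (15, 2, 3). Non-numeric parts count as 0."""
    core = v.lstrip("^~=v").split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_fixed(version, fixed_versions):
    """True when version is at or above the fix release for its own major.minor line.
    A release line with no listed fix is treated as unpatched (fail closed)."""
    v = parse_version(version)
    for f in fixed_versions:
        fv = parse_version(f)
        if fv[:2] == v[:2]:
            return v >= fv
    return False


def installed_versions(lockfile):
    """{package: [versions]} for next and the RSC runtimes from a lockfileVersion 2/3
    package-lock.json. Nested copies are reported under their bare package name."""
    data = json.loads(Path(lockfile).read_text())
    wanted = {"next", *RSC_PACKAGES}
    found = {}
    for key, meta in data.get("packages", {}).items():
        name = key.rsplit("node_modules/", 1)[-1]  # "" for the root entry, skipped below
        if name in wanted and "version" in meta:
            found.setdefault(name, []).append(meta["version"])
    return found


def uses_app_router(project_dir):
    """Next.js App Router projects keep their routes under app/ or src/app/."""
    root = Path(project_dir)
    return any((root / p).is_dir() for p in ("app", "src/app"))


def assess(project_dir, fixed_next, fixed_rsc):
    """Report whether a checked-out project looks exposed.
    fixed_next / fixed_rsc: fix releases per major.minor line, copied from the vendor advisory."""
    versions = installed_versions(Path(project_dir) / "package-lock.json")
    app_router = uses_app_router(project_dir)
    findings = []
    for v in versions.get("next", []):
        if app_router and not is_fixed(v, fixed_next):
            findings.append(f"next {v}: App Router in use and below fix release")
    for pkg in RSC_PACKAGES:
        for v in versions.get(pkg, []):
            if not is_fixed(v, fixed_rsc):
                findings.append(f"{pkg} {v}: RSC runtime below fix release")
    return {"app_router": app_router, "versions": versions,
            "exposed": bool(findings), "findings": findings}


# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "15.0.0", "react": "19.0.0"}},
        "node_modules/next": {"version": "15.0.0"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
    },
}


def make_sample_project():
    """Write SAMPLE_LOCK plus an app/ directory into a temp dir and return its path."""
    d = Path(tempfile.mkdtemp())
    (d / "app").mkdir()
    (d / "package-lock.json").write_text(json.dumps(SAMPLE_LOCK))
    return d


if __name__ == "__main__":
    # Placeholder fix versions: replace with the ones from the React / Next.js advisories.
    print(assess(make_sample_project(), fixed_next=["15.0.9"], fixed_rsc=["19.0.9"]))
```

Run it against each repository's checkout (or against the lockfile pulled from a deployed image) and treat a release line with no fix listed as unpatched rather than unknown; the fail-closed choice matters when the attacker's patch-to-exploit window is hours.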

Persistent Exploitation Attempts
Analysis of AWS MadPot honeypot data shows how persistent these attempts are. In one notable case, an unattributed threat cluster using IP address 183.6.80.214 spent nearly an hour systematically troubleshooting its attempts against the honeypot. That is hands-on-keyboard behaviour: an operator debugging and refining a technique, not an automated scanner moving on after one failed request.

China's State-Nexus Threat Groups
Infrastructure linked to known China state-nexus groups, among them Earth Lamia and Jackpot Panda, has been identified in the exploitation attempts. Earth Lamia routinely exploits web application flaws against targets in Latin America, the Middle East, and Southeast Asia, including financial services, logistics, retail, IT firms, universities, and government agencies. Jackpot Panda focuses on organisations in East and Southeast Asia, with operations aligned with domestic security and anti-corruption priorities.

The Challenge of Attribution
Definitive attribution is hard because China-nexus groups share anonymization infrastructure. Large anonymization networks have become a hallmark of Chinese cyber activity: they support reconnaissance, exploitation, and command-and-control while masking operational fingerprints, and because several actors route through the same nodes, an IP address alone rarely identifies a specific group.

Unattributed Threat Groups
Beyond the named groups, many unattributed clusters share commonalities with China-nexus activity. Most of the autonomous system numbers (ASNs) seen in the unattributed activity belong to Chinese infrastructure, which is consistent with, though given the shared anonymization networks above not proof of, the bulk of the exploitation originating from China. The speed at which these clusters weaponize public proof-of-concept (PoC) exploits is what makes rapid response critical.

Automated Scanning and Individual Exploits
Threat actors are using both automated scanning tools and individual PoC exploits. Some of the automated tools include evasion features such as User-Agent randomization. Amazon's threat intelligence teams have also observed the same groups exploiting other recent N-day vulnerabilities in parallel, which points to a systematic, multi-vulnerability campaign rather than a one-off interest in React2Shell.
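Two of the behaviours described in this section, an operator spending most of an hour iterating on failed requests and a scanner rotating its User-Agent on every request, both show up in ordinary web server access logs. The detection logic below is an added example written for this page, not tooling from AWS or MadPot: it parses combined-format log lines, profiles each client address, and raises a sustained_probing flag for a source that keeps issuing new, mostly failing request variants over a long window, and a ua_randomization flag for a source whose requests carry many different User-Agent strings. The log lines are constructed (documentation addresses from RFC 5737, placeholder request lines that are not exploit payloads) and the thresholds are my starting values, not figures from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def profile_sources(lines):
    """Per-client summary: request count, active window in seconds, distinct
    User-Agents, distinct request lines, and 4xx/5xx count."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    out = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        out[ip] = {
            "requests": len(recs),
            "window_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "user_agents": len({r["ua"] for r in recs}),
            "variants": len({r["req"] for r in recs}),
            "errors": sum(1 for r in recs if r["status"] >= 400),
        }
    return out


def classify(lines, min_window_s=1800, min_variants=6, min_uas=5):
    """Return {ip: [flags]}.
    sustained_probing: >= min_variants distinct request lines, at least half of
        them failing, spread over >= min_window_s (the hands-on troubleshooting pattern).
    ua_randomization: >= min_uas distinct User-Agents making up at least half of
        the requests from one address (the scanner evasion pattern)."""
    flags = {}
    for ip, p in profile_sources(lines).items():
        f = []
        if (p["window_s"] >= min_window_s and p["variants"] >= min_variants
                and p["errors"] * 2 >= p["requests"]):
            f.append("sustained_probing")
        if p["user_agents"] >= min_uas and p["user_agents"] * 2 >= p["requests"]:
            f.append("ua_randomization")
        flags[ip] = f
    return flags


def _line(ip, ts, req, status, ua):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S +0000")}] "{req}" {status} 0 "-" "{ua}"'


# Constructed sample log. Addresses are RFC 5737 documentation ranges; the
# request lines are placeholders, not exploit payloads.
T0 = datetime(2025, 12, 10, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# 203.0.113.7: one operator trying a new variant every 5 minutes for 55 minutes, almost all errors
for i in range(12):
    SAMPLE_LOG.append(_line("203.0.113.7", T0 + timedelta(minutes=5 * i),
                            f"POST /?attempt={i} HTTP/1.1", 500 if i < 11 else 200, "curl/8.4.0"))
# 198.51.100.9: scanner firing the same request eight times in ten seconds, fresh User-Agent each time
for i in range(8):
    SAMPLE_LOG.append(_line("198.51.100.9", T0 + timedelta(seconds=i),
                            "POST / HTTP/1.1", 500, f"Mozilla/5.0 (Scanner {i})"))
# 192.0.2.33: ordinary visitor
for i in range(3):
    SAMPLE_LOG.append(_line("192.0.2.33", T0 + timedelta(minutes=i),
                            "GET / HTTP/1.1", 200, "Mozilla/5.0 (X11; Linux x86_64) Firefox/133.0"))

if __name__ == "__main__":
    for ip, f in classify(SAMPLE_LOG).items():
        print(ip, f or "-")
```

The two flags deliberately look at different things: the troubleshooting pattern is about variety over time from a stable client, while the scanner pattern is about a client that is not stable at all. Both keep working after a WAF starts blocking, because they only need the access log, and a source that trips either flag against your React or Next.js endpoints deserves a look regardless of whether any request succeeded.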

The Challenge of Public PoCs
A notable observation from the investigation is that many threat actors are attempting to use public PoCs that are technically inadequate for real-world targets. The GitHub security community has identified several PoCs built on fundamental misunderstandings of the vulnerability. Threat actors keep using them anyway, which shows a preference for speed and volume over accuracy. For defenders the corollary is that a failed or malformed exploit attempt in your logs is still evidence that the host was selected for targeting, not noise to be discarded.

Cyber-Enabled Kinetic Targeting
Last month, Amazon's threat intelligence teams described a trend they call cyber-enabled kinetic targeting, in which nation-state actors use cyber operations to support and enhance physical operations. Traditional cybersecurity frameworks often treat digital and physical threats as separate; Amazon's research argues that the divide is artificial, and that several nation-state groups now run an operational model in which cyber reconnaissance feeds directly into kinetic targeting.

Taken together, the findings describe an adversary that weaponizes public PoCs within hours, iterates on failures by hand, and folds each new N-day into an existing campaign. The practical response for organisations running React or Next.js is unchanged: inventory every deployment, patch promptly, and treat exploitation attempts against these endpoints as a signal to investigate rather than an event to be absorbed by perimeter controls.

Article information

Author: Kimberely Baumbach CPA