This week’s cybersecurity and dark web news stories include the critical React2Shell flaw being actively exploited, BRICKSTORM being attributed to the People’s Republic of China, and Europol shutting down Cryptomixer.
China-Linked Threat Actors Immediately Exploit Critical ‘React2Shell’ Vulnerability
A new, maximum-severity security flaw dubbed “React2Shell” (CVE-2025-55182) is being actively exploited by multiple China-state-linked threat groups just hours after its public disclosure. The vulnerability affects the widely used React and Next.js frameworks, potentially exposing thousands of dependent projects to attack.
React2Shell is a critical insecure deserialization vulnerability within the React Server Components (RSC) ‘Flight’ protocol. Exploiting the flaw is trivial, does not require any authentication, and allows an attacker to remotely execute JavaScript code within the server’s context.
Researchers have issued a stark warning, estimating that up to 39 percent of the cloud environments they observe are susceptible to React2Shell attacks. While React and Next.js have released security updates, the issue is exploitable in the default configuration, making immediate patching essential for all organizations.
A report from Amazon Web Services (AWS) threat intelligence confirmed that two prominent China-nexus threat groups, Earth Lamia and Jackpot Panda, began attempting to exploit the vulnerability almost immediately after it was publicly disclosed on December 3, 2025.
Earth Lamia is known for exploiting web application vulnerabilities, typically targeting financial services, logistics, retail, IT, universities, and government sectors across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda focuses its attacks on East and Southeast Asia, aiming to collect intelligence on corruption and domestic security.
AWS observed that the attackers are not just running automated scans. Their observed activity includes repeated attempts with different payloads, Linux command execution, and attempts to create and read files. This demonstrates that threat actors are actively debugging and refining their exploitation techniques against live targets in real time.
Despite warnings about fake exploits, verified proof-of-concept (PoC) exploits have already appeared on GitHub. The ease of exploiting this vulnerability, combined with public PoCs, significantly increases the risk of broader, less sophisticated threat activity.
Organizations should prioritize patching affected versions of React and Next.js immediately. In addition, the Attack Surface Management (ASM) platform Assetnote has released a React2Shell scanner on GitHub that can be used to quickly determine if an environment is vulnerable.
State-Sponsored PRC Actors Use Sophisticated Backdoor for Long-Term Cyber Espionage
A joint security alert reveals People’s Republic of China (PRC) state-sponsored cyber actors are leveraging “BRICKSTORM,” a highly customized, Go-based backdoor, to maintain deep, persistent access within critical government and technology infrastructure.
Security agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre), have issued a stark warning regarding the malware’s capabilities and use. Victim organizations are primarily concentrated in the Government Services and Facilities and Information Technology sectors, making this a top-tier national security threat.
BRICKSTORM is specifically designed to operate as a sophisticated backdoor within both VMware vSphere (targeting vCenter servers and ESXi hosts) and Windows environments.
Once actors compromise the VMware vSphere platform, they gain a powerful foothold, using the vCenter management console to:
- Steal cloned Virtual Machine (VM) snapshots for credential harvesting.
- Create hidden, unauthorized rogue VMs for covert operations.
An analysis of a victim organization where CISA conducted an incident response engagement revealed the chilling effectiveness of BRICKSTORM.
PRC cyber actors gained long-term persistent access to the organization’s internal network in April 2024. They uploaded BRICKSTORM to an internal VMware vCenter server and successfully compromised an Active Directory Federation Services (ADFS) server to export cryptographic keys. The malware was used for persistent access for over a year, running from April 2024 through at least September 2025.
BRICKSTORM, which is a custom Executable and Linkable Format (ELF) binary, is built on the Go language and engineered for maximum stealth and longevity.
Evasive Command and Control (C2)
The malware’s C2 communications are meticulously hidden to blend with legitimate traffic. It utilizes:
- Multiple layers of encryption: HTTPS, WebSockets, and nested Transport Layer Security (TLS).
- DNS-over-HTTPS (DoH) to conceal command traffic.
- Mimicry of web server functionality.
BRICKSTORM ensures its survival using a self-watching function that automatically reinstalls or restarts the malware if its operations are disrupted.
Once a system is compromised, the backdoor provides actors with full interactive shell access and enables comprehensive file manipulation, including the ability to browse, upload, download, create, delete, and manipulate files. Additionally, some BRICKSTORM samples function as a SOCKS proxy, facilitating lateral movement across the network to compromise additional systems.
CISA, NSA, and the Cyber Centre are urgently calling on organizations to leverage the Indicators of Compromise (IOCs) and detection signatures provided in the official Malware Analysis Report.
If BRICKSTORM malware samples are identified, organizations are advised to immediately follow the guidance detailed in the report’s Incident Response section.
Authorities Shut Down Cryptomixer, Seizing €25 Million in Bitcoin and 12TB of Data
An international law enforcement operation, spearheaded by Swiss and German authorities and supported by Europol, has successfully dismantled ‘Cryptomixer,’ an illegal cryptocurrency mixing service suspected of laundering over €1.3 billion in illicit Bitcoin proceeds.
The action week, conducted from 24 to 28 November 2025 in Zurich, Switzerland, targeted one of the primary platforms of choice for cybercriminals. Cryptomixer had been in operation since 2016, offering a hybrid mixing service accessible via both the clear web and the dark web. The service provided essential anonymity to criminals by blocking the traceability of funds on the blockchain.
The operation resulted in significant seizures, dealing a major blow to the cybercrime economy:
- Three servers were seized in Switzerland.
- The primary domain, cryptomixer.io, was taken over and replaced with a law enforcement seizure banner.
- Authorities confiscated over 12 terabytes of data.
- More than €25 million worth of the cryptocurrency Bitcoin was seized.
Cryptomixer facilitated the obfuscation of criminal funds for a wide array of activities, including major ransomware groups, dark web markets, underground economy forums, drug and weapons trafficking, and payment card fraud. Since its inception, the service had mixed more than €1.3 billion in Bitcoin.
The service operated by pooling deposited funds from various users for a long and randomized period. It then redistributed the “cleaned” cryptocurrency to destination addresses at random times, making it nearly impossible for authorities to trace the origin of specific coins. Mixing services are a critical tool for criminals before they redirect laundered assets to cryptocurrency exchanges, where they can be exchanged for other currencies or withdrawn as fiat currency.
Europol provided crucial support throughout the operation, leveraging its Joint Cybercrime Action Taskforce (J-CAT) hosted at its headquarters in The Hague, the Netherlands.
The agency’s support included:
- Facilitating the exchange of critical information between partners.
- Coordinating the involved national law enforcement authorities.
- Hosting operational meetings and providing on-the-spot support and forensic assistance on the action day.
The takedown follows a continuous effort against illicit mixers, with Europol having previously supported the dismantling of another large service, ‘Chipmixer,’ in March 2023.
Participating Agencies:
- Germany: Federal Criminal Police Office (Bundeskriminalamt); Prosecutor General’s Office Frankfurt am Main, Cyber Crime Centre.
- Switzerland: Zurich City Police; Zurich Cantonal Police; Public Prosecutor’s Office Zurich.
- Agencies: Europol, Eurojust.