Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
1 malware family

china_linked_threat_actors

Also known aschina_linked_threat_actors

China-linked threat actors are referenced as having weaponized the React2Shell vulnerability within hours of its public disclosure. This demonstrates a high level of operational agility and capability in exploiting newly disclosed vulnerabilities for cyber operations. The specific targets or sectors affected by these attacks are not detailed in the provided content. No additional information about specific sub-groups, aliases, or broader targeting patterns is included in the context. The attribution to China is explicit, but further details on tactics, techniques, or procedures beyond rapid exploitation of zero-days are not available in the provided summary.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
SuperShellWiz researchers detected Supershell on an infected system, which is an open source command-and-control framework that has been used by China-linked threat actors.1Mar 18, 2026
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
securityaffairsNews
Dec 14, 2025
Security Affairs newsletter Round 554 by Pierluigi Paganini – INTERNATIONAL EDITION

China-linked threat actors rapidly weaponized the React2Shell vulnerability to conduct attacks, likely targeting cloud and enterprise environments.

Read more
reliaquest com threat huntingNews
Apr 22, 2025
ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver

China-linked threat actors have been reported as exploiting SAP NetWeaver vulnerabilities (CVE-2025-31324), though specific details of their operations or malware are not provided. Their involvement suggests a possible interest in espionage or access to sensitive enterprise and government systems.

Read more
security weekNews
Nov 25, 2025
In Other News: CrowdStrike Vulnerabilities, CISA Layoffs, Mango Data Breach

Exploiting zero-day firewall vulnerabilities in attacks attributed to Chinese threat actors.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.