Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

Noodle RAT

Noodle RAT is a backdoor/RAT with both Windows and Linux variants. It is also known as ANGRYREBEL and Nood RAT, and Google Threat Intelligence Group referenced the Linux variant as Angryrebel.Linux RAT. Unit 42 observed its deployment and assessed it as likely used by Chinese-speaking groups engaged in espionage or cybercrime. The malware has been seen in post-exploitation activity alongside tools such as XMRig, Linux Cobalt Strike beacons, web shells disguised as React file managers, and EtherRAT.

High-confidence reporting in the provided content links Noodle RAT to exploitation of React2Shell (CVE-2025-55182), where in at least one case the vulnerability facilitated distribution of a Linux version of Noodle RAT. Google Threat Intelligence Group linked that React2Shell-to-Noodle RAT attack chain to UNC6595. Separate reporting also places Noodle RAT in a broader China-aligned intrusion set tracked by Trend Micro as SHADOW-EARTH-053, which targeted government and defense organizations across South, East, and Southeast Asia, as well as Poland. In that campaign, attackers primarily exploited internet-facing Microsoft Exchange and IIS vulnerabilities, used Godzilla web shells for persistence and command execution, and in at least one case used React2Shell to distribute Linux Noodle RAT.

Targeting and victimology directly associated in the content are government and defense sectors in countries including Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan, and Poland. The content does not provide specific Noodle RAT command-and-control indicators, file hashes, or other concrete IOCs beyond its aliases and its observed association with React2Shell exploitation and China-linked intrusion activity.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2025-55182React2ShellExploited in the wild

In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT).

via the hacker newsthehackernews.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
UNC6595

In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT).

via the hacker newsthehackernews.com
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence3

In most cases, Linux.NOODLERAT was deployed as an additional payload of an exploit against public-facing applications.

Execution

3 techniques
T1053Scheduled Task/JobEvidence1

Linux.NOODLERAT ... backdoor capabilities are also slightly different: ... Scheduling execution

T1059.004Unix ShellEvidence1

Linux.NOODLERAT ... backdoor capabilities are also slightly different: Reverse shell

T1203Exploitation for Client ExecutionEvidence1

"The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests... This results in RCE" (CVE-2025-55182).

Persistence

1 technique
T1053Scheduled Task/JobEvidence1

Linux.NOODLERAT ... backdoor capabilities are also slightly different: ... Scheduling execution

Privilege Escalation

1 technique
T1053Scheduled Task/JobEvidence1

Linux.NOODLERAT ... backdoor capabilities are also slightly different: ... Scheduling execution

Stealth

1 technique
T1036MasqueradingEvidence1

After deployment, the backdoor copies itself to /tmp/CCCCCCCC and performs process name spoofing by overwriting “argv.”

Command and Control

4 techniques
T1071Application Layer ProtocolEvidence1

"downloaders to retrieve payloads from attacker command and control (C2) infrastructure" and multiple C2 endpoints; KSwapDoor uses mesh routing and encryption

T1090.001Internal ProxyEvidence1

Start TCP server to proxy packets to the C&C server

T1090.003Multi-hop ProxyEvidence1

Linux.NOODLERAT ... backdoor capabilities are also slightly different: ... SOCKS tunneling

T1105Ingress Tool TransferEvidence2

Table 1 lists the backdoor commands ... Download a file from C&C server ... Linux.NOODLERAT ... backdoor capabilities are also slightly different: Reverse shell Download & Upload files

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence1

Table 1 lists the backdoor commands ... Upload a file to C&C server

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
the hacker newsNews
May 1, 2026
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

A remote access trojan whose Linux variant was distributed in at least one intrusion through exploitation of React2Shell.

Read more
polyswarmNews
Dec 19, 2025
Multiple Threat Actors Leveraging CVE-2025-55182 (React2Shell)

Remote Access Trojan (RAT) used for remote control and persistence, deployed after exploitation of CVE-2025-55182.

Read more
palo alto networks unit 42 blogNews
Dec 12, 2025
Exploitation of Critical Vulnerability in React Server Components (Updated December 12)

Cross-platform (Windows/Linux) backdoor/RAT suspected to be used by Chinese-speaking groups for espionage or cybercrime; observed deployed during post-exploitation activity following CVE-2025-55182 exploitation.

Read more
palo alto networks unit 42 blogNews
Dec 12, 2025
Exploitation of Critical Vulnerability in React Server Components (Updated December 12)

Cross-platform (Windows/Linux) backdoor/RAT associated with Chinese-speaking operators; used for remote access post-compromise.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping10

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.