MINOCAT

MINOCAT is a tunneling utility/backdoor used in post-exploitation activity following exploitation of the React Server Components vulnerability CVE-2025-55182 ("React2Shell"). It has been observed in campaigns attributed to the China-nexus espionage cluster UNC6600, and broader reporting also places it among tooling used by China-linked actors exploiting this flaw globally. Google Threat Intelligence Group described MINOCAT as a tunneler based on Fast Reverse Proxy (FRP); specifically, it is a 64-bit ELF executable for Linux that includes a custom "NSS" wrapper and an embedded open-source FRP client for tunneling. Its purpose is to establish persistence and covert network access on compromised systems, maintaining hidden access to victim networks.

Observed delivery involved attackers exploiting CVE-2025-55182 to gain unauthenticated remote code execution against vulnerable React/Next.js workloads, then executing bash scripts that downloaded the MINOCAT binary. In UNC6600 activity, the script created a hidden directory at $HOME/.systemd-utils, killed processes named "ntpclient," and established persistence through a new cron job, a systemd service, and malicious commands inserted into the user’s shell configuration so MINOCAT would run in new shells. High-confidence indicators of compromise associated with this activity include the hidden directory $HOME/.systemd-utils, unauthorized termination of "ntpclient," and malicious modifications to shell startup files such as $HOME/.bashrc. The malware targets Linux systems and has been used in espionage-oriented intrusions against globally exposed, unpatched React and Next.js environments.