Mallory
Malware | Used by 3 actors | Exploits 1 CVE

ANGRYREBEL.LINUX

ANGRYREBEL.LINUX, also referred to as Noodle RAT in the available reporting, is a Linux remote access trojan/backdoor associated with China-nexus activity. The reporting links it most directly to UNC6595, and also notes deployment by other China-nexus clusters, including UNC3569, as well as broader post-exploitation activity involving UNC6600 and UNC6603. Reported use cases include compromise of Linux-based servers and of infrastructure hosted on international virtual private servers (VPS). In one UNC3569 campaign from November 2021, the malware was delivered to Linux servers via an open directory as part of a cloud- and VPS-focused intrusion set. More recent reporting states that UNC6595 abused CVE-2025-55182 (React2Shell) to deploy ANGRYREBEL.LINUX against unpatched React and Next.js workloads, primarily targeting infrastructure hosted on international VPS. The reporting explicitly characterizes ANGRYREBEL.LINUX as a remote access trojan/backdoor but provides no deeper technical detail on command execution, persistence, or protocol behavior. High-confidence associations in the reporting are: UNC6595; Linux server targeting; VPS-hosted infrastructure targeting; delivery via an open directory in at least one UNC3569 campaign; and deployment during exploitation of CVE-2025-55182.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE

CVE-2025-55182 (React2Shell): Exploited in the wild

Since exploitation began last week, our team at Google Threat Intelligence Group (GTIG) has been tracking widespread activity as multiple threat clusters race to leverage React2Shell (CVE-2025-55182). | Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

via Austin Larsen blog (austinlarsen.me)
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC3569

For Linux-based servers, UNC3569 hosted an open directory server to deliver the ANGRYREBEL.LINUX backdoor.

via Virus Bulletin (virusbulletin.com)
UNC6603

Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

via Austin Larsen blog (austinlarsen.me)
UNC6600

Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

via Austin Larsen blog (austinlarsen.me)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (Evidence: 1)

In November 2021, UNC3569 initiated a campaign targeting servers hosted on major cloud and VPS providers... Several steps and organizations were reportedly involved in the campaign: Chinese cloud configuration tool Bastion, Qianxin VPN software, Communication software Comm100... LiveHelp100

T1090.003 Multi-hop Proxy (Evidence: 1)

China-Nexus Espionage: Multiple groups including UNC6600 and UNC6603 are deploying custom backdoors and tunnelers such as MINOCAT, HISONIC, SNOWLIGHT, and ANGRYREBEL.LINUX.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.