Rapid Post-Disclosure Exploitation of Critical RCE Vulnerabilities
Security teams reported rapid, opportunistic exploitation of newly disclosed unauthenticated remote code execution (RCE) flaws, with attackers moving quickly from scanning to compromise. JPCERT/CC documented active compromise following disclosure of React2Shell in React Server Components (CVE-2025-55182), where multiple threat actors exploited the same exposed environment within days—initially dropping coin miners (e.g., xmrig), then deploying additional payloads including the HISONIC backdoor, SNOWLIGHT downloader, and CrossC2, and culminating in actions like cron-based persistence and website defacement. Separately, GreyNoise telemetry cited by BleepingComputer indicated that exploitation of two critical Ivanti Endpoint Manager Mobile (EPMM) RCEs (CVE-2026-21962, CVE-2026-24061) was heavily concentrated, with a single bulletproof-hosted source IP (193[.]24[.]123[.]42, PROSPERO OOO/AS200593) responsible for 83% of observed activity and widespread use of OAST-style DNS callbacks consistent with initial-access validation.
Several other items in the set were not tied to a single, specific exploitation event. A Help Net Security “week in review” roundup mixed interviews and assorted security items (including mention of an exploited BeyondTrust RCE) without providing a cohesive, single-incident account, while an NCSC-themed weekly highlights post primarily summarized guidance and calls for participation rather than detailing a discrete compromise. A CloudATG “insights” page contained unrelated, older recap and generic security content, and a Risky Business bulletin focused on law-enforcement developments around IcedID operators (including an alleged developer faking his death) rather than vulnerability exploitation activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Ivanti EPMM exploitation spikes sharply in one day
GreyNoise observed a major surge in exploitation activity on February 8, when 269 sessions were recorded in a single day. The same infrastructure was also seen targeting vulnerabilities in other products at the same time.
GreyNoise observes concentrated exploitation of Ivanti EPMM flaws
GreyNoise recorded 417 exploitation sessions targeting the two Ivanti EPMM vulnerabilities between February 1 and 9 from eight source IPs. It found that 83% of the activity came from a single bulletproof-hosted IP, 193.24.123.42, and that most sessions used OAST-style DNS callbacks consistent with automated validation.
Ivanti EPMM zero-days are flagged as actively exploited and hotfixes released
Ivanti identified CVE-2026-21962 and CVE-2026-24061 in Endpoint Manager Mobile as actively exploited zero-days enabling unauthenticated code injection and remote code execution. The company released hotfixes for the flaws.
React2Shell defacements are discovered and reported
The investigated incident came to light after a user reported a defaced page warning in multiple languages about CVE-2025-55182 and urging immediate patching. JPCERT/CC also noted similar defacements affecting sites in Japan and overseas.
Multiple threat actors compromise the same React2Shell server
Within days of disclosure, multiple threat actors exploited the same vulnerable server, deploying cryptomining scripts, gsocket-based backdoor access, and more advanced tooling including the SNOWLIGHT downloader, HISONIC backdoor, and CrossC2 RAT. The progression suggested concurrent compromises and possible preparation for follow-on operations beyond simple monetization.
Broad React2Shell scanning and exploitation begins
Web server logs in a JPCERT/CC-investigated case showed suspicious HTTP POST activity from more than 100 IP addresses, indicating broad and likely automated scanning or exploitation attempts against a vulnerable server. This activity was observed over December 5 to 7.
React2Shell vulnerability disclosed
A critical unauthenticated remote code execution flaw in React Server Components, CVE-2025-55182 ('React2Shell'), was publicly disclosed. JPCERT/CC later linked multiple incident reports to exploitation of this vulnerability.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
One threat actor responsible for 83% of recent Ivanti RCE attacks
bleepingcomputer.com
Open sourceMultiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise - JPCERT/CC Eyes | JPCERT Coordination Center official Blog
blogs.jpcert.or.jp
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE
Active exploitation is targeting **Ivanti Endpoint Manager Mobile (EPMM)** via two critical vulnerabilities—`CVE-2026-1281` (authentication bypass) and `CVE-2026-1340` (remote code execution)—with activity consistent with **initial access broker (IAB)** tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale. Post-exploitation behavior described in research includes deployment of a **dormant, in-memory Java class loader** backdoor that is left inactive until a specific trigger is received, with an observed web-accessible artifact at `/mifs/403.jsp`. Separately, GreyNoise telemetry attributes **83% of observed Ivanti exploitation** to a single IP hosted on **bulletproof infrastructure** (PROSPERO OOO, `AS200593`) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning **Oracle WebLogic** on port `7001`). GreyNoise also observed prevalent “blind” RCE verification using **OAST DNS callbacks** (rather than immediate payload deployment), reinforcing the assessment that operators are confirming exploitability and staging for follow-on access rather than executing overt actions immediately.
Mar 21, 2026
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
Mar 21, 2026
GreyNoise Reports Concentrated Exploitation of React Server Components RCE (CVE-2025-55182)
GreyNoise telemetry indicates that exploitation of **CVE-2025-55182** in **React Server Components** has shifted from broad, opportunistic scanning to concentrated, high-volume campaigns. The flaw is described as **pre-authentication RCE** with a **CVSS 10.0** and can be triggered via a single malicious **HTTP POST** request, making exposed development servers (notably on ports **3000–3002** in addition to 80/443) attractive targets. Between **Jan 26 and Feb 2, 2026**, GreyNoise observed **1,083** unique sources attempting exploitation, but **two IPs accounted for 56%** of observed activity, suggesting industrialized automation rather than ad-hoc testing. Reporting attributes **34%** of sessions to `193.142.147[.]209`, associated with payloads that open **reverse shells** back to the scanning host (including use of port **12323**), indicating intent for interactive access and potential follow-on pivoting. Another **22%** is attributed to `87.121.84[.]24`, linked to **cryptomining** activity (e.g., downloading **XMRig** from staging infrastructure); one cited staging host is `205.185.127[.]97`, associated with attacker-controlled domains (e.g., `mased[.]top`, `mercarios[.]buzz`) and adjacent subnet activity reportedly distributing **Mirai**. Separately, GreyNoise also reported a distinct reconnaissance campaign against **Citrix NetScaler/Gateway** using **tens of thousands of residential proxy IPs** to enumerate login panels and version artifacts (e.g., `/logon/LogonPoint/index.html` and `/epa/scripts/win/nsepa_setup.exe`), which appears to be pre-exploitation mapping and is not directly tied to the React CVE activity.
Mar 21, 2026