Risky Bulletin: APTs Go After the React2Shell Vulnerability Within Hours
Podcast: Risky Bulletin by risky.biz
Date: December 7, 2025
Host: Claire (prepared by Catalin Cimpanu)
Episode Theme:
Rapid exploitation of the React2Shell server vulnerability by Chinese APTs, top international cybersecurity developments, and continued threats and law enforcement actions in cybercrime.
Main Story: Rapid APT Exploitation of React2Shell ([00:04])
- Chinese APT groups launched attacks within hours of the public disclosure of a critical vulnerability in React framework server components.
- The flaw, dubbed React2Shell, lets unauthenticated attackers run malicious code on servers hosting React-based apps by abusing the framework's data serialization mechanism.
- Amazon researchers attributed the exploitation to groups Earth Lamia and Jackpot Panda.
- Quote:
"Chinese APT groups are exploiting a vulnerability in the REACT framework server components. The attacks began just hours after the vulnerability was disclosed last Wednesday." – Claire ([00:08])
- Key Insights:
- The speed of exploitation (“just hours after...disclosure”) emphasizes the sophistication and preparedness of APTs.
- The flaw allows for unauthenticated remote code execution in a widely-used framework, amplifying risk across numerous web platforms.
Policy and Government Cybersecurity Landscape
US-China Relations & Cyber Policy ([00:34])
- The Trump administration halted plans to sanction China over US telco hacks, shifting focus to trade deals instead.
- Background: Chinese group Salt Typhoon hacked more than a dozen US telcos last year.
- The sanctions under consideration targeted the Chinese Ministry of State Security and its contractors.
- Quote:
"The administration has instructed staff to prioritise trade deals instead." ([00:45])
CISA Leadership and Staffing ([01:01])
- Sean Plankey’s nomination for CISA Director stalled again due to Senate disputes and procedural obstacles. Sources indicate his candidacy may be over.
- Quote:
"Sources told CyberScoop that Plankey's bid for the role may be over." ([01:17])
- CISA’s Cybersecurity Retention Incentive program ended, leading to up to 25% pay cuts for nearly half the agency's workforce.
- The withdrawal makes government cyber jobs less competitive.
- The NSA lost around 2,000 employees this year through layoffs, resignations, and early-retirement offers prompted by administration pressure.
International Cyber Developments
UK, India, and South Korea ([02:31])
- UK’s Cyber Security Agency is proactively sending vulnerability warnings to organizations, using Netcraft to scan for exposed systems.
- India reversed its decision to require the “Sanchar Saathi” government app on new smartphones after public backlash.
- South Korea’s Gmarket platform saw unauthorized mobile payments, allegedly using credentials stolen from other sites (company denies direct breach).
Data Breaches and Law Enforcement ([03:15])
- Chinese security firm Knownsec only learned of a 2023 breach when leaked internal documents appeared for sale, a cautionary tale on threat detection delays.
- US DOJ indicted twin brothers (Muneeb & Sohaib Akhtar) for the malicious deletion of almost 100 government databases after being fired; they even used an AI chatbot for advice on deleting activity logs.
- Quote:
"The brothers also allegedly asked an AI chatbot how to remove logs of their actions." ([03:49])
- Tokyo police arrested two Chinese nationals accused of hacking and manipulating the stock market via phishing for securities account credentials.
Youth and Cybercrime ([04:12])
- Japanese police issued an arrest warrant for a 17-year-old who allegedly used ChatGPT in cyberattacks against an Internet cafe and gym chain, stealing data on 7.3 million customers.
Geopolitically Motivated Attacks ([04:29])
- A Moscow mathematician was sentenced to 21 years for DDoS attacks against Russian infrastructure and for supporting Ukraine.
- He was found guilty of “treason”; the charges included railway surveillance and planning explosive devices.
Cybercrime Prosecutions ([04:57])
- A Belarusian-Ukrainian dual national pleaded guilty in the US for key roles in “Angler Exploit Kit” and “Ransom Cartel” ransomware operations.
- US ransomware payments dropped from $1.1 billion (2023) to $734 million (2024), linked to law enforcement action against major groups.
Spyware and Persistent Threats ([06:32])
- Intellexa, a spyware vendor, continued sales despite US sanctions, allegedly selling “Pegasus” to the Pakistani government.
- Newly leaked documents reveal product details (manuals, brochures) and showcase Intellexa’s claim to full access over customer deployments.
- Aladdin: A new product delivering spyware payloads through online ads.
- Quote:
"The data suggests Intellexa recently sold its Pegasus spyware to the Pakistani government...Files also described a new product named Aladdin that delivers payloads via online ads." ([06:45])
Quick Hits and Vulnerabilities ([07:08])
- US State Department offers $10M bounty for two Iranians linked to cyber operations against the US.
- Microsoft quietly patched a Windows LNK vulnerability after prolonged exploitation in the wild, having initially dismissed it as a UI flaw.
- Array Networks VPNs faced attacks exploiting an untracked command injection flaw—actively used for web shell deployment since August.
Notable Quotes & Moments
- “Chinese APT groups are exploiting a vulnerability in the REACT framework server components. The attacks began just hours after the vulnerability was disclosed last Wednesday.” — Claire ([00:08])
- "The brothers also allegedly asked an AI chatbot how to remove logs of their actions." ([03:49])
- "Intellexa recently sold its Pegasus spyware to the Pakistani government... Files also described a new product named Aladdin that delivers payloads via online ads." ([06:45])
Key Timestamps
- 00:04 – Main story: React2Shell vulnerability and immediate APT exploitation
- 00:34 – US/China cyber policy and hack response sanctions
- 01:01 – CISA leadership and job retention issues; NSA staff reductions
- 02:31 – UK, Indian, and Korean responses to local cyber threats
- 03:15 – Major breaches and legal actions (Knownsec, US twins, Japanese cases)
- 04:29 – Geopolitical cyber retaliation (Moscow sentencing, US ransomware stats)
- 06:32 – Intellexa spyware reveals and sanctions evasion
- 07:08 – Bounties, Windows LNK fix, and Array Networks VPN flaw
Tone and Takeaways
Risky Bulletin’s fast-paced, detail-rich update walks listeners through urgent threats like the weaponization of a React server flaw, evolving government and law enforcement responses, and the persistent, adaptable nature of both APTs and cybercriminals. The reporting underscores a world where attackers move faster than ever, governments struggle to keep up, and even young cyber actors wield powerful AI tools.
For those who missed the episode, the summary captures the immediacy of the headlines and the sobering reality of modern cyber risk.
