DPRK-Linked Threat Actors Exploit React2Shell Flaw in Large-Scale Crypto Heists
Suspected North Korea-linked threat actors have launched a sophisticated campaign targeting cryptocurrency firms, leveraging a critical vulnerability in React Server Components and Next.js to steal digital assets and sensitive infrastructure data. The attacks, which span web-app exploitation, cloud abuse, and secrets theft, follow a full kill chain from initial access to deep reconnaissance and exfiltration.
The campaign exploits CVE-2025-55182 (React2Shell), an unauthenticated remote code execution flaw with a CVSS score of 10.0, allowing attackers to execute arbitrary commands on vulnerable servers. Threat actors used mass-scanning tools and WAF-bypass techniques to identify exposed crypto staking platforms, particularly those handling USDT staking. In one case, investigators recovered compromised backend source code containing Tron wallet addresses, private keys, and a Python script reusing those keys for balance checks. Blockchain records suggest at least one suspicious TRX transfer coincided with active exploitation, though direct attribution remains unconfirmed.
Beyond web exploitation, the same threat group abused AWS access tokens to infiltrate a separate crypto exchange. After validating the credentials via AWS Security Token Service (STS), they systematically enumerated the core cloud services (S3, RDS, EC2, Lambda, EKS, and IAM), searching for high-value artifacts such as kubeconfig files, Terraform state files, and hardcoded credentials. Terraform files were filtered for terms such as "password," "db_name," and "public_ip," yielding a detailed blueprint of the victim's infrastructure.
The attackers then pivoted to Kubernetes, using aws eks update-kubeconfig to gain access to managed EKS clusters. They listed pods across namespaces, pulled sensitive Docker images from private ECR registries, and exfiltrated at least five proprietary exchange images containing hardcoded credentials and internal routing details. Additional secrets were extracted from AWS Secrets Manager, Kubernetes ConfigMaps, and running containers, while private Git repositories were cloned for full backend visibility.
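As an added defender-side example (not code from the article or from the researchers' tooling), the Python below flags the AWS token-abuse sequence described above in CloudTrail management events: a principal that validates a token with sts:GetCallerIdentity and then, within a short window, enumerates several services and reaches a secret or cluster-credential API. The event shape mirrors CloudTrail's eventTime/eventSource/eventName/userIdentity.arn fields; the sample events, ARNs, window and thresholds are constructed assumptions, not the incident's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
ENUM_PREFIXES = ("List", "Describe")  # enumeration-stage management events (ListBuckets, DescribeInstances, ...)
SECRET_ACCESS = {  # calls that turn reconnaissance into credential or artifact access
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("eks.amazonaws.com", "DescribeCluster"),  # what `aws eks update-kubeconfig` calls
    ("ecr.amazonaws.com", "GetAuthorizationToken"), ("ecr.amazonaws.com", "BatchGetImage"),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window
def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
def find_token_abuse(events, min_services=4):
    """Flag each principal that validates a token (sts:GetCallerIdentity) and, within
    WINDOW, enumerates >= min_services services and calls a SECRET_ACCESS API."""
    by_arn = defaultdict(list)
    for ev in events:
        by_arn[ev["userIdentity"]["arn"]].append(ev)
    findings = {}
    for arn, evs in by_arn.items():
        evs.sort(key=_ts)
        start = next((_ts(e) for e in evs if e["eventName"] == "GetCallerIdentity"), None)
        if start is None:
            continue  # no token validation seen; other rules cover this principal
        window = [e for e in evs if start <= _ts(e) <= start + WINDOW]
        services = {e["eventSource"].split(".")[0] for e in window
                    if e["eventName"].startswith(ENUM_PREFIXES)}
        secret_calls = [e["eventName"] for e in window
                        if (e["eventSource"], e["eventName"]) in SECRET_ACCESS]
        if len(services) >= min_services and secret_calls:
            findings[arn] = {"services": sorted(services), "secret_calls": secret_calls}
    return findings

def _ev(hhmmss, svc, name, arn):  # builds a constructed CloudTrail-shaped management event
    return {"eventTime": f"2025-01-10T{hhmmss}Z", "eventSource": f"{svc}.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn}}
SUSPECT = "arn:aws:iam::123456789012:user/ci-deploy"              # constructed
BENIGN = "arn:aws:sts::123456789012:assumed-role/backup/nightly"  # constructed
SAMPLE_EVENTS = [_ev(*r) for r in [  # constructed sample, not the incident's logs
    ("02:00:00", "sts", "GetCallerIdentity", SUSPECT),
    ("02:00:20", "s3", "ListBuckets", SUSPECT),
    ("02:00:45", "rds", "DescribeDBInstances", SUSPECT),
    ("02:01:10", "ec2", "DescribeInstances", SUSPECT),
    ("02:02:00", "iam", "ListUsers", SUSPECT),
    ("02:05:00", "eks", "DescribeCluster", SUSPECT),
    ("02:06:00", "secretsmanager", "GetSecretValue", SUSPECT),
    ("02:07:00", "ecr", "GetAuthorizationToken", SUSPECT),
    ("03:00:00", "sts", "GetCallerIdentity", BENIGN),
    ("03:00:05", "s3", "ListBuckets", BENIGN),
]]
```

To run it over real logs, feed it the `Records` array of CloudTrail JSON files; note that S3 object reads are data events and are absent from a default management-event trail, so do not expect them here.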
Command-and-control (C2) infrastructure relied on a licensed VShell server (port 8082) and Fast Reverse Proxy (FRP) on port 53, a tactic consistent with DPRK-linked operations known for covert tunneling. Core attack servers were hosted on a South Korean VPS (64.176.226[.]36, 2401:c080:1c01:c6:5400:5ff:fec1:ccc9) under the domain itemnania[.]com, with SSH activity and VPN exit nodes used to obscure origins.
Victimology suggests a crypto supply-chain focus: staking platforms, exchange software vendors, and the exchanges themselves. Rather than immediate mass theft, the campaign prioritized backend source code, database credentials, private keys, and exchange middleware, likely positioning for future large-scale asset theft. While DPRK attribution is assessed with moderate confidence, researchers note that tools like VShell are also used by other nation-state actors. The campaign aligns with North Korea's documented history of React2Shell exploitation, AWS token abuse in crypto heists, and FRP infrastructure reuse.
Source: https://gbhackers.com/dprk-hackers-target-crypto-firms-2/
React cybersecurity rating report: https://www.rankiteo.com/company/react
{
  "id": "REA1772713454",
  "linkid": "react",
  "type": "Vulnerability",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Cryptocurrency",
      "type": ["Cryptocurrency Staking Platforms", "Cryptocurrency Exchanges", "Exchange Software Vendors"]
    }
  ],
  "attack_vector": ["Exploitation of CVE-2025-55182 (React2Shell)", "AWS Access Token Abuse", "Kubernetes Cluster Infiltration"],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["Python scripts", "Terraform state files", "Kubeconfig files", "Docker images", "Git repositories"],
    "sensitivity_of_data": "High (cryptographic keys, infrastructure blueprints, proprietary software)",
    "type_of_data_compromised": ["Backend source code", "Wallet addresses", "Private keys", "AWS credentials", "Kubernetes configurations", "Terraform files", "Docker images", "Git repositories"]
  },
  "description": "Suspected North Korea-linked threat actors have launched a sophisticated campaign targeting cryptocurrency firms, leveraging a critical vulnerability in React Server Components and Next.js to steal digital assets and sensitive infrastructure data. The attacks span web-app exploitation, cloud abuse, and secrets theft, following a full kill chain from initial access to deep reconnaissance and exfiltration.",
  "impact": {
    "data_compromised": ["Backend source code", "Tron wallet addresses", "Private keys", "AWS credentials", "Kubernetes ConfigMaps", "Terraform state files", "Proprietary Docker images", "Git repositories"],
    "operational_impact": "Compromise of cryptocurrency exchange infrastructure and middleware",
    "systems_affected": ["React Server Components", "Next.js applications", "AWS S3", "AWS RDS", "AWS EC2", "AWS Lambda", "AWS EKS", "AWS IAM", "Kubernetes clusters", "ECR registries"]
  },
  "initial_access_broker": {
    "entry_point": ["Exploitation of CVE-2025-55182", "AWS access token abuse"],
    "high_value_targets": ["Cryptocurrency staking platforms", "Exchange middleware", "Kubernetes clusters"]
  },
  "motivation": ["Financial Gain", "Infrastructure Reconnaissance for Future Theft"],
  "post_incident_analysis": {
    "root_causes": ["Unpatched React2Shell vulnerability (CVE-2025-55182)", "Exposed AWS access tokens", "Insecure Kubernetes configurations"]
  },
  "references": [{"source": "Cyber Incident Description"}],
  "threat_actor": "DPRK-Linked Threat Actors (suspected)",
  "title": "DPRK-Linked Threat Actors Exploit React2Shell Flaw in Large-Scale Crypto Heists",
  "type": ["Web Application Exploitation", "Cloud Abuse", "Secrets Theft", "Cryptocurrency Theft"],
  "vulnerability_exploited": "CVE-2025-55182 (React2Shell, CVSS 10.0)"
}