SHA256 · Medium · Signal 100/100
0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce
First Seen: Dec 6, 2025
Last Seen: May 30, 2026
Found in 12 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 99%
Signal Score: 100 / 100
IDS Rule: No
Feed Intelligence Summary: 12 source reports, 99% confidence score.
Category tags:
abuse, abuse_ch_hash, academic institutions, active scan, alerts, alienvault_ransomware, analysis date, arbitrary code execution, ascii text, ashen lepus, asia, auto-color, av detections, backdoor, bad reputation, baidu, banking, bittorrent dht, botnet, botnet activity, brute force, building construction, c2, china, china-nexus threat actors, civil services, ck id, ck matrix, click, click-based attack, cobalt strike, code injection, command, command & control, command and control, compood, construction materials, construction safety, construction technology, consumer goods, corporate law, credential access, credential stuffing, credit card services, csirt-americas malware, csirt-americas vulnerability, data encryption, data exfiltration, data store exposure, data upload, defense evasion, dependency confusion, detect-debug-environment, dga, dga nxdomain, digital media, discovery att, distributed attacks, distribution management, dns attack, drweb, dynamicloader, earth lamia, education, educational resources, educational services, educational technology, elf, ences s, encrypt, encryption, englewood colorado, entertainment technology, et exploit, eternal blue, eternalblue exploit, eternalblue probe, etherrat, etpro trojan, executable file, exfiltration, exploitation activity, extortion, file, file-hash, files, finance, finance and insurance, financial services, financial technology, flight protocol, freight forwarding, government technology, gtig, high, higher education, hisonic, hosting, hostname add, hybrid, identity & access exploitation, ids detections, indicator, information technology, infostealer, initial access, injection activity, input validation bypass, intellectual property law, inventory management, iot security, ipv4 add, iranian threat actors, it infrastructure, jackpot panda, kaiji, lateral movement, law practice, learn, legal, legal consulting, legal research, legal services, legal technology, linux, linux backdoor, local, logistics technology, luca stealer, makop ransomware, mal, malicious links, malicious software, malware, mcafee, media & entertainment, media center, media distribution, medium, meta, metadata analysis, minocat, mitre att, moved, ms17-010, msie, multimedia production, name, name tactics, nation-state activity, network compromise, network traffic, ngvcanh, none related, noodle rat, north america, npm, panda, passive dns, path, path traversal, pattern match, payment processing, phishing, possible virut, post-exploitation, prc, present jan, present jul, present sep, probe ms17010, process injection, public administration, public infrastructure, public policy, push, python malware, ransom, ransomware, rce, react, react server, react server components, react2shell, regulatory agencies, regulatory compliance, remote access, remote code execution, researched, retail trade, reverse dns, reverse shell, rsc, search, security operations, shipping services, show, simda, slcc2, sliver, social engineering, social media security, software development, spawns, status, streaming services, strings, supply chain attack, supply chain management, supply chain vulnerability, system disruption, t1003, t1005, t1016, t1021.004, t1027, t1033, t1036, t1036.004, t1045, t1049, t1053.003, t1053.005, t1055, t1057, t1059, t1059.001, t1059.004, t1059.006, t1059.007, t1060, t1063, t1068, t1069, t1070.003, t1070.006, t1071, t1071.001, t1078, t1078.004, t1082, t1083, t1090, t1095, t1102.002, t1105, t1119, t1132.001, t1133, t1140, t1189, t1190, t1195.002, t1199, t1202, t1203, t1204, t1204.001, t1204.002, t1210, t1480, t1480 execution, t1486, t1490, t1496, t1497, t1499.002, t1499.003, t1505.003, t1542.003, t1543, t1543.002, t1546.004, t1547.001, t1565, t1566, t1569.002, t1571, t1573.001, t1588.006, t1595, threat actor, threat intelligence, title, tor node, transportation management, ua-wget, unauthenticated access, unc5174, unc5454, united, united states, urls, user execution, vipre, virtool, virus, vitro, vshell, vulnerability scan, wanna, wannacry, wannacrypt, warehouse operations, wealth management, web application attack, web application exploit, web application exploitation, web exploitation, web shell, win32.virut, win32small dec, windows nt, write, write cx adblock, xmrig, yara, yara detections, yara rule, zinfoq, zndoor
Activity Timeline: peak 2026-05-30.
Threat activity by window: 24h 0 (dormant) · 7d 0 (dormant) · 30d 1 (minimal) · 3mo 1 (minimal)
Threat Score: 100 (High Risk) · Signal Score: 100 · Confidence: 99% · Reports: 12 · First seen Dec 6, 2025 · Last seen May 30, 2026
VirusTotal: Not checked
- description: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
- references (aggregated from the 12 source reports):
  - https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell
  - https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182
  - https://aws.hirecar.net/
  - w32.virut.cf • win32.virut.am • virut.cf • http://w32.virut.cf • http://w32.virut.cf/ • https://w32.virut.cf
  - pandacookie2018.xyz
  - Antivirus Detections: Win.Ransomware.Wanna-9769986-0, Ransom:Win32/WannaCrypt.H
  - IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS, DNS Lookup); Possible ETERNALBLUE Probe MS17-010 (MSF style); Possible ETERNALBLUE Probe MS17-010 (Generic Flags); ETERNALBLUE Probe Vulnerable System Response MS17-010; Possible ETERNALBLUE MS17-010 Heap Spray
  - Yara Detections: WannaCry_Ransomware, Win32_Ransomware_WannaCry, Wanna_Cry_Ransomware_Generic, MS17_010_WanaCry_worm, stack_string
  - Alerts (25): suspicious_iocontrol_codes, persistence_autorun, persistence_autorun_tasks, stealth_file, suricata_alert, antivm_generic_disk, anomalous_deletefil
  - Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, survey-smiles.com
  - Book2.csv
  - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt
  - https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf
  - https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
  - https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
  - https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
  - https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
  - https://www.cve.org/CVERecord?id=CVE-2025-55182
  - https://nvd.nist.gov/vuln/detail/CVE-2025-55182
  - https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
  - https://corelight.com/blog/react2shell
- caveat: the description identifies a statically linked Linux x86-64 ELF, yet several of the aggregated items (Win32/WannaCrypt antivirus names, MS17-010 and WannaCry IDS/YARA signatures, the Virut domains) are Windows artifacts that cannot describe this file; they come from other indicators in the same source reports. Treat the React2Shell (CVE-2025-55182) references and the ELF description as the context for this hash, and the rest as report noise to be verified before use.
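The hash above is only useful if you can match it against files on a host and sanity-check the candidate against the page's own description of the sample. The following Python is an added example written for this page, not tooling from the feed or from any of the cited vendors: it hashes input bytes, compares the digest with the indicator, parses the ELF identification and e_machine fields to confirm "ELF 64-bit LSB, x86-64", and builds a minimal STIX 2.1 indicator for the hash. The sample header bytes are constructed for the demonstration; the deterministic uuid5 id and the choice of the page's First Seen date as valid_from are this example's assumptions, not something the feed's STIX export is known to do.

```python
"""Added example (not this feed's tooling): check bytes against the SHA-256
indicator on this page, confirm candidates match the described
ELF 64-bit LSB x86-64 profile, and emit a STIX 2.1 indicator for the hash."""
import hashlib
import struct
import uuid

# The indicator from this page.
IOC_SHA256 = "0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce"
# Expected ELF profile from the page's description: 64-bit, little-endian, x86-64.
EXPECTED_ELF = (64, "LSB", "x86-64")

ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def elf_profile(data: bytes):
    """Return (bits, byte order, machine) from the ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])          # EI_CLASS
    order = {1: "LSB", 2: "MSB"}.get(data[5])   # EI_DATA
    if bits is None or order is None:
        return None
    fmt = "<H" if order == "LSB" else ">H"
    e_machine = struct.unpack_from(fmt, data, 18)[0]   # e_machine follows e_type at offset 18
    return bits, order, ELF_MACHINES.get(e_machine, hex(e_machine))


def classify(data: bytes) -> dict:
    digest = sha256_of_bytes(data)
    profile = elf_profile(data)
    return {
        "sha256": digest,
        "ioc_match": digest == IOC_SHA256,            # exact hash hit: high-confidence match
        "elf": profile,
        "fits_description": profile == EXPECTED_ELF,  # weak signal only; many benign files fit
    }


def stix_indicator(sha256: str, valid_from: str = "2025-12-06T00:00:00Z") -> dict:
    """Minimal STIX 2.1 indicator for a SHA-256 file hash.
    The uuid5-derived id and valid_from = the page's First Seen date are
    this example's choices (assumptions), not something the feed specifies."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, sha256)}",
        "created": valid_from,
        "modified": valid_from,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'SHA-256' = '{sha256}']",
        "valid_from": valid_from,
    }


# Constructed inputs: a bare 64-byte Elf64_Ehdr for a little-endian x86-64
# executable (not a real program) and an MZ stub that must not parse as ELF.
SAMPLE_ELF64 = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident: ELFCLASS64, ELFDATA2LSB
    + struct.pack("<HH", 2, 0x3E)                     # e_type=ET_EXEC, e_machine=EM_X86_64
    + b"\x00" * 44                                    # remaining Elf64_Ehdr fields zeroed
)
SAMPLE_PE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for name, blob in (("elf64", SAMPLE_ELF64), ("mz", SAMPLE_PE)):
        print(name, classify(blob))
    print(stix_indicator(IOC_SHA256)["pattern"])
```

Use `sha256_of_file` on real paths; `fits_description` is meant to filter candidates before a hash comparison, never as evidence on its own, since any statically linked x86-64 binary satisfies it.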
Export & API: STIX 2.1 bundle, CSV export, permalink.
IOC Journey: confidence medium. First detected 6 months ago, last seen 12 days ago. Appeared in 12 threat reports.