SIGNALS WEEKLY: React2Shell in the Wild, BRICKSTORM in the Walls, Predator on the Phone

React2Shell in the wild, BRICKSTORM in the walls, Predator on the phone. Not a dystopian haiku—this week’s risk stack. 🧯🕳️📱

Three lanes, one finish line: your weekend

TL;DR

  • [Intrusion Sets] PRC‑nexus BRICKSTORM backdoor shows ~393‑day average dwell across gov/tech VMware vSphere and Windows environments.
  • [Vulnerabilities] React2Shell (CVE‑2025‑55182, CVSS 10) is under mass exploitation, including by China‑linked actors; immediate patching and mitigations required.
  • [Spyware] Intellexa’s Predator has leveraged 15+ iOS/Android zero‑days since 2021 against civil society in 13+ countries, elevating mobile risk for high‑value targets (HVTs).

AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))


Current Stories

TL;DR

  • [Intrusion Sets] CISA/NSA/Canada detail PRC‑nexus BRICKSTORM backdoor with ~393‑day avg dwell time across dozens of gov/tech VMware vSphere and Windows environments.

  • [Vulnerabilities] React2Shell (CVE‑2025‑55182, CVSS 10) React/Next.js RCE sees mass scanning and PRC‑linked exploitation; Wiz found vulnerable components in ~39% of cloud environments.

  • [Spyware / Mobile Zero‑Day] Google reports Intellexa’s Predator spyware burned at least 15 iOS/Android 0‑days since 2021 against journalists, lawyers, and opposition in 13+ countries.

Suggested Pivots

How are PRC state-nexus operations evolving across BRICKSTORM-style long-dwell intrusions and rapid weaponization of web RCEs like React2Shell?

  • Why: Unifies infrastructure-level persistence and fast CVE turn-around into one operational model for China-linked campaigns against critical sectors.
  • What to expect: Cross-campaign TTPs, shared infrastructure, and sector targeting insights that can inform proactive hardening and threat hunting.

How does Intellexa’s Predator activity reshape the risk model for high-value mobile users in governments, NGOs, and media organizations?

  • Why: Connects commercial exploit supply chains with concrete at-risk user groups rather than abstract mobile “0‑day” talk.
  • What to expect: A clearer view of which platforms, apps, and behaviors are most exposed, driving more targeted mobile security baselines and monitoring.

AlphaHunt Converge - Plug in your Flight Crew

Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.

Anticipate, Don’t Chase.

Plug it In!

Emerging Stories