{ "type": "Domain", "indicator": "eleveratech.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/eleveratech.com", "alexa": "http://www.alexa.com/siteinfo/eleveratech.com", "indicator": "eleveratech.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4160835409, "indicator": "eleveratech.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "694185965365f9d0b940ae57", "name": "React2Shell", "description": "CVE-2025-55182 (React2Shell) is a critical unauthenticated RCE vulnerability in the React Server Components (RSC) \"Flight\" protocol currently being widely exploited in the wild across several threat clusters, ranging from opportunistic cybercrime actors to China-nexus threat groups such as Earth Lamia and Jackpot Panda.", "modified": "2026-01-15T17:02:40.253000", "created": "2025-12-16T16:15:17.300000", "tags": [ "Earth Lamia", "Jackpot Panda", "China", "China-nexus", "React2Shell", "React", "C2", "CVE-2025-55182", "Next.js", "PeerBlight", "ZinFoq", "CowTunnel", "Kaiji", "SNOWLIGHT", "VSHELL", "XMRig", "COMPOOD", "MINOCAT", "Auto-color", "RCE", "EtherRAT", "CVE-2025-66478", "UNC5174", "Cobalt Strike", "KSwapDoor", "PRC", "RSC", "Noodle RAT", "Node.js" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt", "https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182", "https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf", "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive", "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/", "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/", "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell", "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far", "https://www.cve.org/CVERecord?id=CVE-2025-55182", "https://nvd.nist.gov/vuln/detail/CVE-2025-55182", "https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/", "https://corelight.com/blog/react2shell" ], "public": 1, "adversary": "Earth Lamia / Jackpot Panda", "targeted_countries": [], "malware_families": [ { "id": "VSHELL", "display_name": "VSHELL", "target": null }, { "id": "COMPOOD", "display_name": "COMPOOD", "target": null }, { "id": "SNOWLIGHT", "display_name": "SNOWLIGHT", "target": null }, { "id": "HISONIC", "display_name": "HISONIC", "target": null }, { "id": "XMRig", "display_name": "XMRig", "target": null }, { "id": "MINOCAT", "display_name": "MINOCAT", "target": null }, { "id": "PeerBlight", "display_name": "PeerBlight", "target": null }, { "id": "CowTunnel", "display_name": "CowTunnel", "target": null }, { "id": "ZinFoq", "display_name": "ZinFoq", "target": null }, { "id": "Kaiji", "display_name": "Kaiji", "target": null }, { "id": "Noodle RAT", "display_name": "Noodle RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "KSwapDoor", "display_name": "KSwapDoor", "target": null }, { "id": "EtherRAT", "display_name": "EtherRAT", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [ "Finance", "Logistics", "Retail", "Technology", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 68, "FileHash-SHA1": 76, "FileHash-SHA256": 89, "URL": 152, "hostname": 30, "YARA": 3 }, "indicator_count": 427, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/", "https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182", "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell", "https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf", "Book1.csv", "https://corelight.com/blog/react2shell", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt", "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/", "https://www.cve.org/CVERecord?id=CVE-2025-55182", "https://nvd.nist.gov/vuln/detail/CVE-2025-55182", "https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/", "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far", "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Earth Lamia / Jackpot Panda", "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex" ], "malware_families": [ "Cobalt strike", "Zinfoq", "Noodle rat", "Xmrig", "Minocat", "Kaiji", "Peerblight", "Kswapdoor", "Cowtunnel", "Etherrat", "Vshell", "Snowlight", "Compood", "Hisonic" ], "industries": [ "Retail", "Technology", "Education", "Government", "Logistics", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "694185965365f9d0b940ae57", "name": "React2Shell", "description": "CVE-2025-55182 (React2Shell) is a critical unauthenticated RCE vulnerability in the React Server Components (RSC) \"Flight\" protocol currently being widely exploited in the wild across several threat clusters, ranging from opportunistic cybercrime actors to China-nexus threat groups such as Earth Lamia and Jackpot Panda.", "modified": "2026-01-15T17:02:40.253000", "created": "2025-12-16T16:15:17.300000", "tags": [ "Earth Lamia", "Jackpot Panda", "China", "China-nexus", "React2Shell", "React", "C2", "CVE-2025-55182", "Next.js", "PeerBlight", "ZinFoq", "CowTunnel", "Kaiji", "SNOWLIGHT", "VSHELL", "XMRig", "COMPOOD", "MINOCAT", "Auto-color", "RCE", "EtherRAT", "CVE-2025-66478", "UNC5174", "Cobalt Strike", "KSwapDoor", "PRC", "RSC", "Noodle RAT", "Node.js" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt", "https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182", "https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf", "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive", "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/", "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/", "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell", "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far", "https://www.cve.org/CVERecord?id=CVE-2025-55182", "https://nvd.nist.gov/vuln/detail/CVE-2025-55182", "https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/", "https://corelight.com/blog/react2shell" ], "public": 1, "adversary": "Earth Lamia / Jackpot Panda", "targeted_countries": [], "malware_families": [ { "id": "VSHELL", "display_name": "VSHELL", "target": null }, { "id": "COMPOOD", "display_name": "COMPOOD", "target": null }, { "id": "SNOWLIGHT", "display_name": "SNOWLIGHT", "target": null }, { "id": "HISONIC", "display_name": "HISONIC", "target": null }, { "id": "XMRig", "display_name": "XMRig", "target": null }, { "id": "MINOCAT", "display_name": "MINOCAT", "target": null }, { "id": "PeerBlight", "display_name": "PeerBlight", "target": null }, { "id": "CowTunnel", "display_name": "CowTunnel", "target": null }, { "id": "ZinFoq", "display_name": "ZinFoq", "target": null }, { "id": "Kaiji", "display_name": "Kaiji", "target": null }, { "id": "Noodle RAT", "display_name": "Noodle RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "KSwapDoor", "display_name": "KSwapDoor", "target": null }, { "id": "EtherRAT", "display_name": "EtherRAT", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [ "Finance", "Logistics", "Retail", "Technology", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 68, "FileHash-SHA1": 76, "FileHash-SHA256": 89, "URL": 152, "hostname": 30, "YARA": 3 }, "indicator_count": 427, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "eleveratech.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "eleveratech.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780222989.73687 }