React2shell Vulnerability Actively Exploited To Deploy Linux Backdoors

The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security.

"KSwapDoor is a professionally engineered remote access tool designed with stealth in mind," Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a statement.

"It builds an internal mesh network, allowing compromised servers to talk to each other and evade security blocks. It uses military-grade encryption to hide its communications and, most alarmingly, features a 'sleeper' mode that lets attackers bypass firewalls by waking the malware up with a secret, invisible signal."

The cybersecurity company noted that it was previously mistakenly classified as BPFDoor, adding that the Linux backdoor offers interactive shell, command execution, file operations and lateral movement scanning capabilities. It also impersonates a legitimate Linux kernel swap daemon to evade detection.

In a related development, NTT Security said organizations in Japan are being targeted by cyber attacks exploiting React2Shell to deploy ZnDoor, a malware that's been assessed to be detected in the wild since December 2023. The attack chains involve running a bash command to fetch the payload from a remote server (45.76.155[.]14) using wget and executing it.

A remote access trojan, it contacts the same threat actor-controlled infrastructure to receive commands and execute them on the host. Some of the supported commands are listed below -

The disclosure comes as the vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), has been exploited by multiple threat actors, Google identifying at least five China-nexus groups that have weaponized to deliver an array of payloads -

Microsoft, in its own advisory for CVE-2025-55182, said threat actors have taken advantage of the flaw to run arbitrary commands for post-exploitation, including setting up reverse shells to known Cobalt Strike servers, and then dropping remote monitoring and management (RMM) tools such as MeshAgent, modifying the authorized_keys file, and enabling root login.

Some of the payloads delivered in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. The attacks are also characterized by the use of Cloudflare Tunnel endpoints ("*.trycloudflare.com") to evade security defenses, as well as conducting reconnaissance of the compromised environments to f

Source: The Hacker News