
According to findings from Palo Alto Networks Unit 42 and NTT Security, a security vulnerability known as React2Shell is being exploited by threat actors to distribute malware families such as KSwapDoor and ZnDoor.
“KSwapDoor is a professionally engineered remote access tool designed with stealth in mind,” Justin Moore, senior manager of threat intelligence research at Palo Alto Networks Unit 42, said in a statement.
“It builds an internal mesh network, allowing compromised servers to communicate with each other and bypass security blocks. It uses military-grade encryption to hide communications, and most surprisingly, it features a ‘sleeper’ mode that allows attackers to wake up the malware with secret, invisible signals and bypass firewalls.”
The cybersecurity firm noted that the malware was previously misclassified as BPFDoor, adding that the Linux backdoor provides an interactive shell, command execution, file manipulation, and lateral movement scanning capabilities. It also impersonates a legitimate Linux kernel swap daemon to evade detection.
In a related development, NTT Security said Japanese organizations are being targeted by cyberattacks that exploit React2Shell to deploy a malware family called ZnDoor, which is assessed to have been in the wild since December 2023. The attack chain involves running a bash command that retrieves the payload from a remote server (45.76.155[.]14) using wget.
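The kernel-swap-daemon impersonation described above can be checked for on a Linux host with the following script, added here as an example and not part of the original report or any vendor tooling. It assumes the backdoor names itself after the real kernel thread (kswapd0), and relies on a property that holds for every genuine kernel thread: it is a child of kthreadd (PID 2), has no backing executable, and has an empty command line.

```python
import os
import re
from dataclasses import dataclass

# Genuine kernel threads are children of kthreadd (PID 2), /proc/<pid>/exe
# cannot be resolved for them, and /proc/<pid>/cmdline is empty. A userland
# process that merely calls itself "kswapd0" fails at least one of these.
KTHREADD_PID = 2
SWAP_DAEMON_RE = re.compile(r"^\[?kswapd\d*\]?$")  # assumed impersonated name

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str     # short name from /proc/<pid>/status "Name:"
    exe: str      # resolved /proc/<pid>/exe, "" when unresolvable
    cmdline: str  # NUL-joined argv, "" for kernel threads

def is_masquerading_swap_daemon(p: Proc) -> bool:
    # Only processes that claim the swap daemon's name are of interest.
    if not SWAP_DAEMON_RE.match(p.comm.strip()):
        return False
    looks_like_kernel_thread = (p.ppid == KTHREADD_PID and p.exe == "" and p.cmdline == "")
    return not looks_like_kernel_thread

def find_masqueraders(procs):
    return [p for p in procs if is_masquerading_swap_daemon(p)]

def snapshot_proc():
    # Collect live process records from /proc (Linux only; run as root for full exe visibility).
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""  # kernel thread, or no permission to read the link
            procs.append(Proc(pid, int(fields["PPid"].strip()), fields["Name"].strip(), exe, cmdline))
        except (OSError, KeyError):
            continue  # process exited while we were walking /proc
    return procs

if __name__ == "__main__":
    for p in find_masqueraders(snapshot_proc()):
        print(f"suspicious: pid={p.pid} ppid={p.ppid} comm={p.comm!r} exe={p.exe!r}")
```

A hit is a starting point for triage (inspect the binary behind `exe`, its open sockets and its parent), not proof of KSwapDoor on its own.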

The remote access trojan connects to the same attacker-controlled infrastructure to receive commands and execute them on the host. Some of the supported commands are listed below:
- shell: run a command
- interactive_shell: start an interactive shell
- explorer_cat: get a list of directories
- explorer_cat: read and display files
- explorer_delete: delete files
- explorer_upload: download files from the server
- explorer_download: send a file to the server
- system: collect system information
- change_timefile: change a file's timestamp
- socket_quick_startstreams: start the SOCKS5 proxy
- start_in_port_forward: start port forwarding
- stop_in_port: stop port forwarding

The disclosure comes as the vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), is being exploited by multiple attackers, and Google has identified at least five China-linked groups that have weaponized it to deliver a range of payloads.
- UNC6600: distributes a tunneling utility called MINOCAT
- UNC6586: distributes a downloader called SNOWLIGHT
- UNC6588: distributes a backdoor called COMPOOD
- UNC6603: uses Cloudflare Pages and GitLab to retrieve encrypted configuration and blend in with legitimate network activity; distributes an updated version of a Go backdoor called HISONIC
- UNC6595: distributes a Linux version of the ANGRYREBEL RAT (also known as Noodle)
Microsoft said in its own advisory for CVE-2025-55182 that attackers are using this flaw to execute arbitrary post-exploitation commands, including setting up a reverse shell on known Cobalt Strike servers, dropping remote monitoring and management (RMM) tools such as MeshAgent, modifying the authorized_keys file, and enabling root login.
Payloads delivered in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. The attacks also feature the use of Cloudflare tunnel endpoints (‘*.trycloudflare.com’) to evade security defenses, as well as reconnaissance of the compromised environment to facilitate lateral movement and credential theft.
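Two of the post-exploitation actions Microsoft lists, enabling root login and modifying authorized_keys, leave traces in files a defender can audit. The script below is an added example (not Microsoft's or any vendor's code) that reports the effective global PermitRootLogin value and any authorized_keys entries not in a known-good baseline; the config and key material are constructed samples, and the baseline is assumed to be maintained by the operator.

```python
import re

# Constructed sample inputs (not taken from any real host).
SSHD_CONFIG = """\
# constructed sshd_config sample
Port 22
PermitRootLogin yes
Match User deploy
    PermitRootLogin no
"""
AUTHORIZED_KEYS = """\
# constructed /root/.ssh/authorized_keys sample
ssh-ed25519 AAAA...baseline1 ops@jump
no-pty,command="/bin/sh" ssh-rsa AAAA...unknown2 root@unknown
"""
BASELINE = {("ssh-ed25519", "AAAA...baseline1")}  # assumed operator-maintained allowlist
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def effective_permit_root_login(config_text: str) -> str:
    # sshd uses the first value it sees for a keyword; directives inside
    # Match blocks only apply conditionally, so stop at the first Match.
    value = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and value is None and len(parts) == 2:
            value = parts[1].strip().lower()
    return value or "prohibit-password"  # OpenSSH default since 7.0

def key_identity(line: str):
    # (key type, base64 blob); options such as no-pty may precede the type.
    toks = line.split()
    for i, t in enumerate(toks):
        if t.startswith(KEY_TYPES) and i + 1 < len(toks):
            return (t, toks[i + 1])
    return None

def unexpected_keys(authorized_keys_text: str, baseline: set) -> list:
    found = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident = key_identity(line)
        if ident is not None and ident not in baseline:
            found.append(ident)
    return found
```

On a live host feed the functions the contents of /etc/ssh/sshd_config and /root/.ssh/authorized_keys; a value of "yes" together with a non-baseline key is the combination described in the advisory.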

According to the Windows maker, this credential harvesting campaign targeted Instance Metadata Service (IMDS) endpoints in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud, with the ultimate goal of obtaining identity tokens to penetrate deeper into cloud infrastructure.
“The attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, as well as custom scripts to extract several different secrets,” the Microsoft Defender security research team said. “We also observed attempts to harvest AI and cloud-native credentials, including OpenAI API keys, Databricks tokens, and Kubernetes service account credentials. Azure command line interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.”

In another campaign detailed by Beelzebub, attackers were observed exploiting flaws in Next.js, including CVE-2025-29927 and CVE-2025-66478 (a second identifier for the same React2Shell bug, since rejected as a duplicate), allowing for systematic exfiltration of credentials and sensitive data. The targeted data includes:
- Environment files (.env, .env.local, .env.production, .env.development)
- System environment variables (printenv, env)
- SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519, /root/.ssh/*)
- Cloud credentials (~/.aws/credentials, ~/.docker/config.json)
- Git credentials (~/.git-credentials, ~/.gitconfig)
- Command history (latest 100 commands in ~/.bash_history)
- System files (/etc/shadow, /etc/passwd)
The malware also establishes persistence on the host to survive reboots, installs a SOCKS5 proxy, sets up a reverse shell to 67.217.57[.]240:888, and installs a React scanner to scour the internet for further propagation.
The campaign, codenamed “Operation PCPcat,” is estimated to have already compromised 59,128 servers. “This campaign shows the characteristics of a large-scale espionage operation and data exfiltration on an industrial scale,” the Italian company said.
The Shadowserver Foundation currently tracks more than 111,000 IP addresses vulnerable to React2Shell attacks, with more than 77,800 in the United States, followed by Germany (7,500), France (4,000), and India (2,300). According to data from GreyNoise, 547 malicious IP addresses from the US, India, UK, Singapore, and the Netherlands were observed participating in exploitation activity in the past 24 hours.
