Threat actors are actively exploiting a critical security vulnerability known as React2Shell to deliver sophisticated malware families such as KSwapDoor and ZnDoor, according to new findings from Palo Alto Networks Unit 42 and NTT Security.
KSwapDoor is a remote access tool for Linux that builds an internal mesh network, allowing compromised servers to communicate with one another while evading security controls. The malware uses military-grade encryption and includes a “sleeper” mode that lets attackers bypass firewalls by activating it with a hidden signal. Previously mistaken for BPFDoor, KSwapDoor impersonates a legitimate Linux kernel swap daemon and supports interactive shell access, command execution, file operations, and lateral movement scanning.
NTT Security reported that organizations in Japan are being targeted via React2Shell exploits to deploy ZnDoor, a remote access trojan observed in the wild since December 2023. The attacks typically involve executing a bash command to download the payload using wget, after which the malware connects to attacker-controlled infrastructure to receive and execute commands.
Google’s threat analysis team said that at least five Chinese state-sponsored threat groups have been seen exploiting React2Shell (CVE-2025-55182) to deploy various malware families, including the PeerBlight Linux backdoor, the CowTunnel reverse-proxy tunnel, the Go-based ZinFoq implant, and a Kaiji botnet variant.
According to Microsoft’s advisory detailing CVE-2025-55182, attackers are abusing the flaw to achieve remote code execution in applications using React Server Components. Observed post-exploitation activity includes setting up reverse shells to known Cobalt Strike servers, deploying remote monitoring and management tools such as MeshAgent, modifying SSH authorized_keys files, and enabling root login. Microsoft said several hundred systems across diverse organizations have been compromised using tactics commonly associated with web application RCE.
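Two of the post-exploitation indicators Microsoft lists, an sshd_config changed to permit root login and an authorized_keys file with an unexpected key appended, can be checked for on a host with a short audit routine. The following is an added example written for this page, not code from Microsoft, Unit 42, NTT Security or Google; the sshd_config text, the key material and the `BASELINE_KEYS` allowlist are constructed samples, and a real deployment would read the live files and keep the baseline in configuration management.

```python
"""Host audit for two React2Shell post-exploitation indicators (added example;
inputs are constructed samples, not real captures)."""
import re

# Constructed sshd_config as it might look after an attacker enabled root login.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed authorized_keys: first key is the known-good baseline key,
# the second was appended by an intruder. Both key blobs are fake.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKey0000000000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFakeIntruderKey111111111111111111 root@unknown
"""

# Allowlist of key blobs expected on this host (assumed to come from config management).
BASELINE_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKey0000000000000000"}

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def root_login_enabled(sshd_config: str) -> bool:
    """True if the effective PermitRootLogin directive is 'yes'.

    sshd honours the first matching directive, so the first uncommented
    PermitRootLogin line wins and later duplicates are ignored.
    """
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"(?i)PermitRootLogin\s+(\S+)", stripped)
        if m:
            return m.group(1).lower() == "yes"
    # Directive absent: modern OpenSSH defaults to prohibit-password, not yes.
    return False


def parse_authorized_keys(text: str):
    """Return (key_type, key_blob, comment) tuples for each key line.

    Blank lines and comments are skipped. An option prefix such as
    'command="..." ' is tolerated by locating the key-type token rather
    than assuming it is the first field.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                comment = " ".join(tokens[i + 2:])
                entries.append((tok, tokens[i + 1], comment))
                break
    return entries


def unexpected_keys(text: str, baseline: set):
    """Keys present in the file whose blob is not in the baseline allowlist."""
    return [e for e in parse_authorized_keys(text) if e[1] not in baseline]


def audit(sshd_config: str, authorized_keys: str, baseline: set):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    if root_login_enabled(sshd_config):
        findings.append("sshd_config: PermitRootLogin yes")
    for key_type, _blob, comment in unexpected_keys(authorized_keys, baseline):
        findings.append(
            f"authorized_keys: unexpected {key_type} key ({comment or 'no comment'})"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS, BASELINE_KEYS):
        print(finding)
```

Run against the constructed samples, the audit reports both the `PermitRootLogin yes` line and the appended `root@unknown` key; on a real host the same two checks belong in periodic integrity monitoring, with any change to either file raising an alert rather than waiting for a scheduled scan.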
Researchers also observed attackers deploying additional payloads, including VShell, EtherRAT, SNOWLIGHT, ShadowPad, and the XMRig cryptominer. Stolen credentials targeted cloud environments across Azure, AWS, Google Cloud, and Tencent Cloud, with attackers harvesting identity tokens, API keys, Kubernetes service-account credentials, and other secrets using tools like TruffleHog and Gitleaks.