Hackers Weaponize React2Shell in Active Linux Attacks

According to research from Palo Alto Networks Unit 42 and NTT Security, threat actors are using the security flaw known as React2Shell to spread malware families including KSwapDoor and ZnDoor.

“KSwapDoor is a professionally engineered remote access tool designed with stealth in mind,” Justin Moore, Senior Manager of threat intel research at Palo Alto Networks Unit 42, stated. “It builds an internal mesh network, allowing compromised servers to talk to each other and evade security blocks. It uses military-grade encryption to hide its communications and, most alarmingly, features a ‘sleeper’ mode that lets attackers bypass firewalls by waking the malware up with a secret, invisible signal.”

The Linux backdoor offers an interactive shell, command execution, file operations, and network scanning for lateral movement, according to the cybersecurity firm, which also pointed out that it had previously been misclassified as BPFDoor. To avoid discovery, it poses as a genuine Linux kernel swap daemon.
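A defender-side check for the masquerade described above, added here as an example and not Unit 42's tooling: a genuine kernel thread such as kswapd0 is a child of kthreadd (PID 2), has an empty /proc/&lt;pid&gt;/cmdline and no readable /proc/&lt;pid&gt;/exe, so a user-space binary that only borrows the name fails one or more of those checks. The list of imitated kernel-thread names beyond kswapd is an assumption for breadth.

```python
import os
import re
from dataclasses import dataclass

# Kernel-thread names a backdoor might borrow. kswapd is the case the article
# describes; the others are added for breadth (assumption, not from the article).
KERNEL_THREAD_NAMES = re.compile(r"^\[?(kswapd\d*|kthreadd|ksoftirqd/\d+|kworker/\S+)\]?$")


@dataclass
class ProcRecord:
    pid: int
    ppid: int
    comm: str          # /proc/<pid>/comm, or the bracketed name shown by ps
    cmdline: str       # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: "str | None"  # readlink(/proc/<pid>/exe); None when unreadable (kernel thread)


def impostor_reasons(rec: ProcRecord) -> list:
    """Return the kernel-thread properties this process lacks; empty list means plausible."""
    if not KERNEL_THREAD_NAMES.match(rec.comm):
        return []                      # name does not imitate a kernel thread at all
    reasons = []
    if rec.ppid not in (0, 2):         # kernel threads hang off kthreadd (PID 2)
        reasons.append(f"parent pid {rec.ppid} is not kthreadd")
    if rec.cmdline.strip():            # kernel threads expose no command line
        reasons.append("kernel threads have an empty cmdline")
    if rec.exe is not None:            # kernel threads have no backing file on disk
        reasons.append(f"exe resolves to a file on disk: {rec.exe}")
    return reasons


def read_proc(pid: int) -> "ProcRecord | None":
    """Build a ProcRecord from the live /proc filesystem (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        with open(f"{base}/status") as f:
            ppid = int(next(l for l in f if l.startswith("PPid:")).split()[1])
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None
    except (OSError, StopIteration):
        return None                    # process exited or is not readable
    return ProcRecord(pid, ppid, comm, cmdline, exe)


def scan_live() -> list:
    """Walk /proc and return every process that fails an impostor check."""
    recs = (read_proc(int(e)) for e in os.listdir("/proc") if e.isdigit())
    return [r for r in recs if r and impostor_reasons(r)]
```

Run `scan_live()` on a Linux host; each returned record can be passed to `impostor_reasons()` to see which kernel-thread property it failed.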

In a similar development, NTT Security reported that cyberattacks targeting Japanese firms are using React2Shell to install ZnDoor, a malware that has been identified in the wild since December 2023. The attack chains entail executing a bash command that uses wget to retrieve the payload from a remote server (45.76.155.14).

According to Microsoft’s own advisory for CVE-2025-55182, threat actors have used the vulnerability to run arbitrary commands for post-exploitation, such as dropping remote monitoring and management (RMM) tools like MeshAgent, changing the authorized_keys file, and enabling root login, after setting up reverse shells to known Cobalt Strike servers.

VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig are among the payloads used in these attacks. Other characteristics of the attacks include the use of Cloudflare Tunnel endpoints (“*.trycloudflare.com”) to circumvent security measures and reconnaissance of the compromised environments to enable lateral movement and credential theft.