React2Shell Vulnerability Exploited By Chinese Hackers To Deploy Linux Backdoors


The React2Shell vulnerability exploited by Chinese nation-state actors has become one of 2025’s most critical security threats, with sophisticated Linux backdoors including KSwapDoor and ZnDoor deployed across global networks.

Palo Alto Networks Unit 42 and NTT Security researchers confirmed widespread exploitation targeting organizations in multiple regions. The vulnerability carries a maximum CVSS 10.0 severity rating, enabling attackers to gain complete system access and establish persistent footholds within compromised infrastructure.

Google identified at least five distinct Chinese nation-state groups weaponizing the flaw, distributing various malware payloads. The campaigns demonstrate advanced tactics including military-grade encryption, peer-to-peer networking capabilities, and sophisticated stealth mechanisms designed to evade traditional security controls. Over 111,000 IP addresses remain vulnerable worldwide, with the United States accounting for approximately 70% of exposed systems.

Exploitation activity extends beyond malware deployment to encompass credential harvesting, cloud infrastructure infiltration, and systematic data exfiltration at industrial scale. Threat actors demonstrated particular interest in targeting Azure, AWS, and Google Cloud environments, alongside artificial intelligence credentials including OpenAI API keys and Databricks tokens.

React2Shell Vulnerability Exploited: What You Need to Know

  • Attackers exploit React2Shell to deploy sophisticated backdoors, steal cloud credentials, and establish persistent access globally.


Understanding the React2Shell Security Flaw

CVE-2025-55182, formally designated as React2Shell, represents a critical security weakness allowing remote attackers to execute arbitrary commands on vulnerable systems without authentication.

With a CVSS score of 10.0, this flaw achieves maximum severity rating, indicating catastrophic potential impact to confidentiality, integrity, and availability. The vulnerability primarily affects Next.js applications, enabling threat actors to exploit web application frameworks at their foundation.

Security researchers initially identified multiple variations, including what was temporarily designated CVE-2025-66478 before being recognized as a duplicate. The exploitation mechanism allows attackers to bypass authentication controls entirely, granting immediate administrative access to target systems.

Once inside, adversaries deploy additional payloads, modify system configurations, and establish multiple persistence mechanisms to survive system reboots and security sweeps.

The widespread deployment of vulnerable applications created an enormous attack surface spanning thousands of organizations globally.

The Shadowserver Foundation tracks over 111,000 exposed IP addresses, with concentrations in the United States (77,800), Germany (7,500), France (4,000), and India (2,300).

Security telemetry from GreyNoise indicates 547 malicious IP addresses actively participating in exploitation attempts within a 24-hour observation period, demonstrating sustained attacker interest.

KSwapDoor Linux Backdoor: Advanced Threat Engineering

KSwapDoor represents a professionally engineered remote access tool, distinguishing itself through sophisticated design choices prioritizing stealth and resilience.

Justin Moore, senior manager of threat intelligence research at Palo Alto Networks Unit 42, reported the backdoor builds an internal mesh network allowing compromised servers to communicate laterally without exposing traditional network indicators.

This peer-to-peer architecture enables attackers to maintain operational capabilities even when direct command-and-control channels face blocking or monitoring.

The malware employs military-grade encryption protocols to conceal communications from network security appliances and intrusion detection systems. KSwapDoor features a dormant sleeper mode permitting attackers to bypass firewall restrictions by activating the malware using covert signals invisible to conventional security monitoring.

The backdoor impersonates legitimate Linux kernel swap daemon processes, blending malicious activity with expected system operations to frustrate detection efforts.
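A practical check for the impersonation described above, written here as an added example (not code from the page or from the Unit 42 reporting): on Linux every genuine kernel thread is a child of kthreadd (PID 2), has an empty /proc/PID/cmdline and no executable that /proc/PID/exe can resolve. A user-space program can rename itself kswapd0, but it cannot fake those three properties. The kernel-thread name pattern and the sample process records are assumptions constructed for the demo; kswapd0 is the swap daemon name the page refers to.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Names only genuine kernel threads should carry. kswapd0 is the swap daemon
# the page says KSwapDoor impersonates; the other names are an assumption
# added for broader coverage.
KERNEL_THREAD_NAME = re.compile(
    r"^(kswapd\d+|kthreadd|ksoftirqd/\d+|kworker/.+|migration/\d+|rcu_\w+|kcompactd\d+)$"
)
KTHREADD_PID = 2  # every kernel thread is parented by kthreadd


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, the name ps shows
    cmdline: str         # /proc/<pid>/cmdline; empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when it cannot be resolved


def is_impersonating_kernel_thread(p: ProcInfo) -> bool:
    """True when a process carries a kernel-thread name but is not a kernel thread.

    A renamed user-space process (prctl(PR_SET_NAME) or a rewritten argv[0])
    still has a parent other than kthreadd, a non-empty cmdline, or an ELF on
    disk behind /proc/<pid>/exe; any one of those gives it away.
    """
    if not KERNEL_THREAD_NAME.match(p.comm):
        return False
    if p.pid == KTHREADD_PID:
        return False  # kthreadd itself hangs off PID 0
    return p.ppid != KTHREADD_PID or p.cmdline != "" or p.exe is not None


def find_impersonators(procs: List[ProcInfo]) -> List[int]:
    """PIDs of processes wearing a kernel-thread name without being one."""
    return [p.pid for p in procs if is_impersonating_kernel_thread(p)]


def snapshot_procfs() -> List[ProcInfo]:
    """Read the live process table from /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            ppid = 0
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                        break
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None  # ENOENT for kernel threads, EACCES when unprivileged
        except OSError:
            continue  # the process exited while we were reading it
        procs.append(ProcInfo(pid, ppid, comm, cmdline, exe))
    return procs


# Constructed sample records (not real telemetry): a genuine kswapd0 and a
# user-space process under /tmp that renamed itself kswapd0.
SAMPLE_PROCESSES = [
    ProcInfo(pid=2, ppid=0, comm="kthreadd", cmdline="", exe=None),
    ProcInfo(pid=50, ppid=2, comm="kswapd0", cmdline="", exe=None),
    ProcInfo(pid=1234, ppid=1, comm="node", cmdline="node server.js", exe="/usr/bin/node"),
    ProcInfo(pid=4242, ppid=1, comm="kswapd0", cmdline="[kswapd0]", exe="/tmp/.x/kswapd0"),
]

if __name__ == "__main__":
    for pid in find_impersonators(SAMPLE_PROCESSES):
        print(f"suspicious: pid {pid} claims a kernel-thread name but is user-space")
```

Run `find_impersonators(snapshot_procfs())` as root for a real sweep: unprivileged, `/proc/PID/exe` of other users' processes is unreadable, so the exe test degrades to None and only the parent-PID and cmdline tests remain, which is still enough for the sample above.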

Initial classification challenges arose when researchers mistakenly identified KSwapDoor as BPFDoor, an established backdoor family. Both malware strains utilize raw socket sniffing techniques to monitor network traffic without opening visible listening ports. Subsequent analysis revealed fundamental architectural differences.

While BPFDoor focuses on packet sniffing for command reception, KSwapDoor incorporates this capability merely as a backup entry method alongside its primary peer-to-peer routing engine that facilitates complex lateral movement scenarios.

KSwapDoor Capabilities and Functionality

The backdoor provides threat actors with comprehensive system control through interactive shell access, enabling real-time command execution as though physically present at the console.

File operation capabilities permit unrestricted reading, writing, modification, and deletion of system files, including sensitive configuration data and security logs. The lateral movement scanning functionality automates the identification of adjacent vulnerable systems, accelerating network compromise.

Attribution evidence points toward Chinese nation-state actors based on code structure analysis, functional overlaps with previously identified Chinese malware families, and operational patterns consistent with state-sponsored campaigns.

Moore noted the limited deployment footprint aligns with sophisticated custom-engineered tools reserved for precise, high-value targeting rather than widespread distribution that might expose capabilities to security researchers.

ZnDoor Malware Targets Japanese Organizations

NTT Security researchers documented active campaigns exploiting React2Shell to deploy ZnDoor, a remote access trojan first detected in December 2023.

The malware specifically targets Japanese organizations through an attack chain that executes bash commands and fetches payloads from remote servers using the wget utility. Upon successful deployment, ZnDoor establishes persistent command-and-control communications with attacker infrastructure at IP address 45.76.155[.]14.

The trojan supports extensive command functionality enabling comprehensive system manipulation. The shell command executes arbitrary system commands, while interactive_shell launches persistent terminal sessions providing real-time access.

File system operations include explorer for directory enumeration, explorer_cat for reading file contents, explorer_delete for removing files, and bidirectional transfer capabilities through explorer_upload and explorer_download commands.

System reconnaissance capabilities gather detailed information about compromised hosts through the system command, while change_timefile permits timestamp manipulation to frustrate forensic investigations.

Network pivoting functionality includes socket_quick_startstreams for establishing SOCKS5 proxy servers, alongside start_in_port_forward and stop_in_port commands for configuring port forwarding to facilitate access to network segments otherwise isolated from external connections.

Multiple Threat Groups Deploy Diverse Payloads

Google’s threat intelligence teams identified at least five distinct China-nexus groups weaponizing React2Shell for various strategic objectives. UNC6600 deploys MINOCAT, a tunneling utility establishing covert communication channels through restrictive network environments.

UNC6586 utilizes SNOWLIGHT, a downloader component fetching additional malware stages from attacker infrastructure while evading signature-based detection through polymorphic techniques.

UNC6588 delivers COMPOOD backdoor, providing comprehensive remote access capabilities similar to other families but with distinct code signatures and operational patterns.

UNC6603 distributes an updated version of HISONIC, a Go-based backdoor leveraging Cloudflare Pages and GitLab infrastructure to retrieve encrypted configuration data.

This technique blends malicious traffic with legitimate content delivery network activity, complicating network-based detection efforts and incident response investigations.

UNC6595 deploys a Linux-adapted version of ANGRYREBEL, also known as Noodle RAT, demonstrating cross-platform capability development within adversary toolsets. Microsoft’s analysis identified additional payloads including VShell, EtherRAT, ShadowPad, and cryptocurrency mining malware XMRig.

The diversity of deployed tools reflects different adversary objectives spanning espionage, financial gain, and long-term persistent access establishment.

Post-Exploitation Techniques and Infrastructure

Threat actors consistently establish reverse shells connecting to known Cobalt Strike servers, providing interactive access for manual operations and advanced post-exploitation activities.

Remote monitoring and management tools such as MeshAgent appear frequently in compromised environments, offering attackers legitimate administrative capabilities that blend with sanctioned IT operations.

Adversaries routinely modify authorized_keys files to establish SSH access independent of original entry vectors, while enabling root login capabilities that might otherwise face restrictions.
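The two changes named above (an extra authorized_keys entry and a relaxed PermitRootLogin) are cheap to audit. The following is an added example, not code from the page or from any of the vendors it cites: it reports every PermitRootLogin directive in an sshd_config, works out which one sshd actually honours (the first global occurrence; the compiled-in default is prohibit-password), and diffs the SHA256 fingerprints in a current authorized_keys file against a known-good baseline. The sample config and key lines are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re
from typing import Dict, List

PERMIT_ROOT_RE = re.compile(r"^\s*PermitRootLogin\s+(\S+)", re.IGNORECASE)
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def permit_root_login_directives(sshd_config: str) -> List[dict]:
    """Every PermitRootLogin directive, with whether it sits under a Match block."""
    found, in_match = [], False
    for lineno, line in enumerate(sshd_config.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.lower().startswith("match "):
            in_match = True  # everything after a Match line is conditional
        m = PERMIT_ROOT_RE.match(line)
        if m:
            found.append({"line": lineno, "value": m.group(1).lower(), "in_match": in_match})
    return found


def effective_permit_root_login(sshd_config: str) -> str:
    """sshd uses the first global occurrence; the default is prohibit-password."""
    for d in permit_root_login_directives(sshd_config):
        if not d["in_match"]:
            return d["value"]
    return "prohibit-password"


def key_fingerprints(authorized_keys: str) -> Dict[str, str]:
    """Map OpenSSH-style SHA256 fingerprints to each key line's comment."""
    out = {}
    for line in authorized_keys.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # A line may start with options (from=..., command=...); the key type follows.
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                blob = base64.b64decode(tokens[i + 1])
                digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
                out["SHA256:" + digest] = " ".join(tokens[i + 2:]) or "<no comment>"
                break
    return out


def audit_ssh_access(sshd_config: str, baseline_keys: str, current_keys: str) -> dict:
    """Summarise root-login policy and authorized_keys drift against a baseline."""
    base, cur = key_fingerprints(baseline_keys), key_fingerprints(current_keys)
    prl = effective_permit_root_login(sshd_config)
    return {
        "permit_root_login": prl,
        "root_login_unrestricted": prl == "yes",   # password or key, any method
        "added_keys": sorted(cur[fp] for fp in cur.keys() - base.keys()),
        "removed_keys": sorted(base[fp] for fp in base.keys() - cur.keys()),
    }


def _blob(label: str) -> str:
    # Constructed placeholder key material: valid base64, not a real public key.
    return base64.b64encode(label.encode()).decode()


# Constructed sshd_config: the global directive was changed from "no" to "yes",
# and a later Match block still says "no", which does not undo the global one.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
Match User deploy
    PermitRootLogin no
"""
SAMPLE_BASELINE_KEYS = (
    f"ssh-ed25519 {_blob('constructed-key-alice')} alice@workstation\n"
    f"ssh-ed25519 {_blob('constructed-key-ci')} ci-runner\n"
)
SAMPLE_CURRENT_KEYS = SAMPLE_BASELINE_KEYS + (
    f'no-pty,command="/bin/sh" ssh-rsa {_blob("constructed-key-unknown")} unknown@nowhere\n'
)

if __name__ == "__main__":
    print(audit_ssh_access(SAMPLE_SSHD_CONFIG, SAMPLE_BASELINE_KEYS, SAMPLE_CURRENT_KEYS))
```

In practice the baseline comes from configuration management or a signed inventory, and the audit runs against /etc/ssh/sshd_config plus every user's ~/.ssh/authorized_keys and /root/.ssh/authorized_keys. Two PermitRootLogin directives outside any Match block is itself worth a look, since sshd will silently ignore the second.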

Cloudflare Tunnel endpoints featuring the “*.trycloudflare.com” domain pattern provide attackers with encrypted communication channels bypassing traditional network security controls.

The temporary nature of these endpoints complicates blocking efforts, as addresses rotate frequently while maintaining operational continuity. Reconnaissance activities systematically map compromised environments, identifying valuable data repositories, additional vulnerable systems, and pathways for credential theft.

Cloud Infrastructure and AI Credential Targeting

Credential harvesting operations demonstrate a sophisticated understanding of cloud architecture and modern development practices. Attackers systematically query instance metadata service endpoints across multiple cloud providers, including Azure, AWS, Google Cloud Platform, and Tencent Cloud.

These services provide virtual machines with identity tokens and configuration data essential for cloud resource access. Compromising these credentials grants adversaries the ability to impersonate legitimate workloads, accessing data storage, computing resources, and management interfaces.

Secret discovery tools including TruffleHog and Gitleaks automate the identification of credentials accidentally committed to code repositories or configuration files. These utilities scan vast codebases identifying patterns matching API keys, passwords, and authentication tokens that developers inadvertently expose.

Custom scripts extend detection capabilities, targeting specific secret formats unique to particular organizations or technologies.

Artificial intelligence credential theft represents an emerging priority for threat actors. OpenAI API keys grant access to language model capabilities potentially used for automated operations or sold on underground markets.

Databricks tokens provide access to analytics platforms containing sensitive business intelligence and customer data. Kubernetes service account credentials enable container orchestration manipulation, potentially compromising entire application clusters.

Azure Command-Line Interface and Azure Developer CLI tools facilitate token acquisition through legitimate management interfaces subverted for malicious purposes.

Operation PCPcat: Industrial-Scale Data Exfiltration

Security researchers at Beelzebub documented a campaign designated Operation PCPcat, demonstrating systematic credential and sensitive data extraction across 59,128 compromised servers.

The operation targets environment variable files including .env, .env.local, .env.production, and .env.development that commonly contain database credentials, API keys, and service authentication secrets. System environment variables retrieved through printenv and env commands expose additional configuration details and operational parameters.

SSH private keys stored in ~/.ssh/id_rsa, ~/.ssh/id_ed25519, and /root/.ssh/* directories grant attackers passwordless authentication to additional systems across organizational networks. Cloud credentials found in ~/.aws/credentials and ~/.docker/config.json files provide access to infrastructure resources beyond initially compromised systems.

Git credentials retrieved from ~/.git-credentials and ~/.gitconfig files enable source code repository access, potentially exposing intellectual property and additional secrets embedded within development projects.

Command history files, specifically the last 100 commands from ~/.bash_history, reveal operational patterns, administrative procedures, and potentially sensitive information typed directly into shells.

Critical system files, including /etc/shadow and /etc/passwd, grant attackers comprehensive user account information, facilitating privilege escalation and lateral movement.

The malware establishes persistence mechanisms surviving system reboots, installs SOCKS5 proxy capabilities for network pivoting, and creates reverse shells to IP address 67.217.57[.]240:888 for ongoing command-and-control communications.
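The file list above doubles as a hardening checklist: a web application compromised through React2Shell runs as the application's service account, so any of these files that are readable beyond their owner are collectable without privilege escalation. The following added example (not code from the page or from the Beelzebub researchers) walks a tree, picks out the file names the operation targets, and flags those with group- or world-read bits set. The demo layout it builds is constructed placeholder data.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Directory-qualified targets named in the reporting.
_DIR_TARGETS = {(".aws", "credentials"), (".docker", "config.json")}
# Bare file names named in the reporting.
_NAME_TARGETS = {".git-credentials", ".gitconfig", ".bash_history"}


def is_targeted_secret_file(relpath: str) -> bool:
    """True for the file names Operation PCPcat is reported to collect."""
    base = os.path.basename(relpath)
    parent = os.path.basename(os.path.dirname(relpath))
    if base == ".env" or base.startswith(".env."):
        return True
    if base in _NAME_TARGETS or (parent, base) in _DIR_TARGETS:
        return True
    # .ssh/id_* private keys; the .pub halves are not secrets.
    return parent == ".ssh" and base.startswith("id_") and not base.endswith(".pub")


@dataclass
class Finding:
    path: str               # relative to the scanned root
    mode: str               # permission bits as octal text, e.g. "0644"
    readable_by_others: bool


def scan_for_exposed_secrets(root: str) -> List[Finding]:
    """Report targeted secret files under root, flagging group/other-readable ones."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if not is_targeted_secret_file(rel):
                continue
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and devices
            perm = stat.S_IMODE(st.st_mode)
            exposed = bool(perm & (stat.S_IRGRP | stat.S_IROTH))
            findings.append(Finding(rel, f"{perm:04o}", exposed))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree(root: str) -> None:
    """Create a constructed sample layout (placeholder contents, not real data)."""
    layout = {
        "app/.env": 0o644,                        # exposed
        "app/.env.production": 0o600,             # owner-only, fine
        "app/README.md": 0o644,                   # not a target
        "home/deploy/.ssh/id_ed25519": 0o600,     # owner-only, fine
        "home/deploy/.ssh/id_ed25519.pub": 0o644, # public half, not a target
        "home/deploy/.aws/credentials": 0o640,    # group-readable, exposed
        "home/deploy/.bash_history": 0o644,       # exposed
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("constructed placeholder\n")
        os.chmod(full, mode)


def demo_scan() -> List[Finding]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_for_exposed_secrets(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{'EXPOSED' if f.readable_by_others else 'ok':8} {f.mode} {f.path}")
```

Point it at /home, /root and the application's deployment directory. Mode bits are only the first layer; a secret that the application user owns is readable to an attacker running as that user whatever its mode, which is why the credential rotation the article goes on to describe is unavoidable once a host is confirmed compromised.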

React Scanner and Propagation Mechanisms

The campaign incorporates automated scanning functionality specifically designed to identify additional vulnerable React and Next.js applications across the internet.

This capability transforms compromised systems into scanning platforms, distributing reconnaissance activities across numerous source addresses to avoid rate limiting and detection.

The automated propagation mechanism enables exponential growth in compromised infrastructure as each victim becomes a launching point for subsequent attacks.

CVE-2025-55182 CVSS 10.0: Maximum Severity Implications

The assignment of a CVSS 10.0 score reflects complete compromise across all security dimensions.

Confidentiality impact reaches maximum severity as attackers gain unrestricted access to all system data, including customer information, intellectual property, and operational secrets. Integrity impact similarly achieves maximum rating through arbitrary code execution capabilities permitting wholesale system modification, data tampering, and backdoor installation.

Availability impact completes the trifecta as adversaries can deploy ransomware, destructive malware, or resource-exhausting cryptocurrency miners.

The vulnerability requires no authentication, eliminating the most common defensive barrier protecting network services. Attack complexity rates as low, indicating reliable exploitation without specialized knowledge or environmental conditions.

Network attack vector designation confirms remote exploitation capability without requiring local system access or user interaction. These characteristics combine to create a security nightmare for defensive teams.

Implications for Organizations and Security Teams

Advantages of Immediate Patching and Mitigation

Organizations that rapidly deploy patches and implement compensating controls dramatically reduce exposure to known exploitation techniques. Swift action prevents initial access, eliminating subsequent compromise stages, including persistence establishment, lateral movement, and data exfiltration.

Security teams gain breathing room to focus on hunting for existing compromises rather than continuously battling new intrusions through the same vulnerability.

Implementing comprehensive monitoring for indicators of compromise associated with the KSwapDoor Linux backdoor, ZnDoor, and related malware families enables early detection of successful breaches.

Network segmentation limits lateral movement capabilities even when perimeter defenses fail, containing compromise to isolated network zones.

Enhanced logging and security information and event management configuration provides visibility into post-exploitation activities, supporting forensic investigations and incident response efforts.

Challenges and Remediation Complexity

The sheer number of vulnerable systems complicates rapid remediation efforts, particularly for organizations managing extensive application portfolios across diverse environments.

Patching Next.js applications requires careful testing to prevent functional regressions that might disrupt business operations. Development teams must balance security urgency against operational stability, a tension that often delays protective action.

The sophisticated nature of deployed backdoors means that simply patching the initial vulnerability may not remove established attacker presence. Compromised systems require comprehensive forensic analysis, complete rebuilding, and verification before safely returning to production.

The resource intensity of thorough incident response strains security teams already operating with limited capacity and competing priorities.

Credential compromise poses particularly challenging remediation scenarios. Once attackers harvest cloud credentials, SSH keys, and API tokens, these secrets remain valid even after patching vulnerable systems.

Comprehensive credential rotation across potentially hundreds of services becomes necessary, a task that demands careful coordination to avoid operational disruption while ensuring security gaps close completely.


Protecting Organizations from React2Shell Exploitation

Organizations must immediately inventory all Next.js applications and associated infrastructure to identify vulnerable systems requiring remediation.

Automated vulnerability scanning tools can accelerate discovery, though manual verification remains necessary for comprehensive coverage.

Prioritization should emphasize internet-facing applications and systems processing sensitive data, though no vulnerable system should remain unpatched indefinitely, given the severity and active exploitation.

Security monitoring must incorporate indicators of compromise associated with known malware families deployed through React2Shell exploitation. Network traffic analysis should flag connections to identified command-and-control infrastructure, unusual Cloudflare Tunnel usage, and SOCKS5 proxy activity originating from application servers.
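The three network signals in the paragraph above, together with the indicators quoted earlier in the article (the ZnDoor C2 at 45.76.155[.]14, the Operation PCPcat reverse shell at 67.217.57.240:888, and the *.trycloudflare.com tunnel pattern), are simple enough to match in a few lines. The following is an added example, not code from the page or from any cited vendor: it reads constructed JSON connection and DNS records (the record shape is ours, not a real sensor's) and raises one alert per matching rule. The application-server addresses and the choice of port 1080 as the SOCKS indicator are assumptions; the page names SOCKS5 activity but no port.

```python
import json
from typing import Dict, List

# Indicators from the reporting, with the defanging brackets removed.
KNOWN_C2 = {
    "45.76.155.14": "ZnDoor C2",
    "67.217.57.240": "PCPcat reverse shell (reported on port 888)",
}
TUNNEL_DOMAIN_SUFFIX = ".trycloudflare.com"
SOCKS_PORT = 1080                               # assumption: common SOCKS default
APP_SERVERS = {"10.0.5.21", "10.0.5.22"}        # assumption: hosts running Next.js


def inspect(record: Dict) -> List[str]:
    """Apply the three rules to one record; return zero or more alert strings."""
    hits = []
    kind = record.get("type")
    if kind == "conn":
        src, dst, dport = record["src"], record["dst"], int(record["dport"])
        if dst in KNOWN_C2:
            hits.append(f"known-c2[{KNOWN_C2[dst]}] {src} -> {dst}:{dport}")
        # Inbound SOCKS traffic to a web application server is not expected.
        if dst in APP_SERVERS and dport == SOCKS_PORT:
            hits.append(f"socks-proxy-on-app-server {src} -> {dst}:{dport}")
    elif kind == "dns":
        query = record["query"].lower().rstrip(".")
        if query.endswith(TUNNEL_DOMAIN_SUFFIX) and record["src"] in APP_SERVERS:
            hits.append(f"cloudflare-tunnel-lookup {record['src']} {query}")
    return hits


def detect(lines: List[str]) -> List[str]:
    """Run inspect() over newline-delimited JSON, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a sensor hiccup should not stop the sweep
        alerts.extend(inspect(record))
    return alerts


# Constructed sample records (not real traffic). 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
{"type":"conn","src":"10.0.5.21","dst":"203.0.113.10","dport":443}
{"type":"dns","src":"10.0.5.21","query":"api.github.com"}
{"type":"dns","src":"10.0.5.21","query":"quiet-river-1234.trycloudflare.com."}
this line is not JSON and must be skipped
{"type":"conn","src":"10.0.5.21","dst":"45.76.155.14","dport":443}
{"type":"conn","src":"10.0.5.22","dst":"67.217.57.240","dport":888}
{"type":"conn","src":"10.0.9.9","dst":"10.0.5.22","dport":1080}
{"type":"dns","src":"10.0.7.7","query":"quiet-river-1234.trycloudflare.com"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The last sample record shows the intended scoping: a trycloudflare.com lookup from a workstation may be a developer's own tunnel, so the rule fires only for hosts in the application-server set. Because tunnel hostnames rotate, matching on the domain suffix rather than on individual hostnames is what keeps the rule useful.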

Endpoint detection and response tools should monitor for process impersonation techniques, unauthorized SSH key modifications, and credential access patterns consistent with the described attack techniques.

Incident response planning should account for the possibility of existing compromises predating patch deployment. Security teams need clear procedures for forensic analysis, system rebuilding, and verification testing.

Credential rotation procedures must address cloud provider credentials, SSH keys, API tokens, and any secrets potentially exposed during compromise windows. Engaging external incident response expertise may prove necessary for organizations lacking internal capacity to manage complex breach scenarios while maintaining operational continuity.

Questions Worth Answering

What is React2Shell and why is it dangerous?

  • React2Shell refers to CVE-2025-55182, a critical vulnerability in Next.js applications with a maximum CVSS 10.0 severity score. It allows attackers to execute arbitrary commands remotely without authentication, leading to complete system compromise. The flaw is actively exploited by multiple Chinese nation-state groups deploying sophisticated backdoors.

How does the KSwapDoor Linux backdoor differ from other malware?

  • The KSwapDoor Linux backdoor features a peer-to-peer mesh network architecture allowing compromised servers to communicate laterally, military-grade encryption, and a dormant sleeper mode activated by covert signals. It impersonates legitimate Linux kernel swap daemons and was initially misidentified as BPFDoor due to shared raw socket sniffing techniques.

Which organizations face the highest risk from React2Shell exploitation?

  • Any organization running vulnerable Next.js applications faces risk, with over 111,000 exposed IP addresses identified globally. Japanese organizations face specific targeting by ZnDoor campaigns, while cloud-heavy environments using Azure, AWS, or Google Cloud Platform attract particular attention due to credential harvesting objectives.
