React2Shell Exploits Fuel Surge in Linux Backdoors

December 16, 2025 at 12:00 AM

A critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) is being actively weaponized to deploy advanced Linux backdoors, notably KSwapDoor and ZnDoor, according to Palo Alto Networks Unit 42, NTT Security, Google, and Microsoft.

Inside KSwapDoor

  • Professionally engineered RAT focused on stealth
  • Builds a peer-to-peer mesh to route traffic across compromised servers and evade blocks
  • Uses strong encryption and a sleeper mode that can be remotely awakened to bypass firewalls
  • Likely linked to China-nexus actors based on code overlap with prior Linux backdoors
  • Limited, targeted deployment consistent with bespoke tooling
  • Capabilities: interactive shell, command execution, file and process operations, lateral-movement scanning
  • Evasion: masquerades as the Linux kernel swap daemon
  • Initially misclassified as BPFDoor due to raw socket sniffing; in KSwapDoor this is a dormant backup, while its main engine is a P2P router (a capability BPFDoor lacks)

ZnDoor hits organizations in Japan

  • Delivered through React2Shell exploitation, with payloads fetched via bash and wget from 45.76.155[.]14
  • Operates as a remote access trojan that receives and executes attacker commands
  • Supported commands include:
    • shell and interactive_shell
    • explorer (list directories), explorer_cat (read file), explorer_delete (delete), explorer_upload/download (file transfer)
    • system (gather system info)
    • change_timefile (alter file timestamps)
    • socket_quick_startstreams (start SOCKS5 proxy)
    • start_in_port_forward / stop_in_port (port forwarding control)

Broader exploitation at scale

  • Google observed multiple China-nexus groups abusing CVE-2025-55182 to deploy varied payloads:
    • UNC6600: MINOCAT tunneler
    • UNC6586: SNOWLIGHT downloader
    • UNC6588: COMPOOD backdoor
    • UNC6603: HISONIC (Go backdoor) using Cloudflare Pages and GitLab for config retrieval
    • UNC6595: Linux ANGRYREBEL (aka Noodle RAT)
  • Microsoft reports post-exploitation activity including reverse shells to known Cobalt Strike servers, installation of RMM tools such as MeshAgent, modification of authorized_keys, and enabling of root login
  • Payloads seen: VShell, EtherRAT, SNOWLIGHT, ShadowPad, XMRig
  • Operators are leveraging Cloudflare Tunnel endpoints (*.trycloudflare.com) to blend in, while mapping environments for lateral movement and credential theft

Cloud and secrets theft

  • Credential harvesting focused on Azure, AWS, GCP, and Tencent Cloud by abusing cloud Instance Metadata Service (IMDS) endpoints to obtain identity tokens
  • Attackers used TruffleHog, Gitleaks, and custom scripts to extract secrets
  • Attempts included harvesting OpenAI API keys, Databricks tokens, and Kubernetes service-account credentials, plus use of Azure CLI (az) and Azure Developer CLI (azd) to obtain tokens

Operation PCPcat: Next.js exploitation

  • Separate campaign exploits Next.js flaws (CVE-2025-29927 and CVE-2025-66478, the latter a React2Shell duplicate) to systematically exfiltrate:
    • .env files (.env, .env.local, .env.production, .env.development)
    • System environment variables
    • SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519, /root/.ssh/*)
    • Cloud credentials (~/.aws/credentials, ~/.docker/config.json)
    • Git credentials (~/.git-credentials, ~/.gitconfig)
    • Command history (~/.bash_history)
    • Sensitive system files (/etc/shadow, /etc/passwd)
  • Persistence established, SOCKS5 proxy installed, reverse shell to 67.217.57[.]240:888, and a React scanner deployed for further propagation
  • Estimated 59,128 servers already breached; activity suggests industrial-scale data exfiltration

Exposure snapshot

  • Shadowserver tracks over 111,000 IPs vulnerable to React2Shell, with the U.S. leading (~77,800), followed by Germany (~7,500), France (~4,000), and India (~2,300)
  • GreyNoise observed 547 malicious IPs across the U.S., India, the U.K., Singapore, and the Netherlands in the past 24 hours

Defender considerations

  • Patch and mitigate CVE-2025-55182 urgently; review Next.js deployments for related issues
  • Monitor for unusual egress, Cloudflare Tunnel usage, and peer-to-peer traffic patterns
  • Audit IMDS access, rotate credentials, and scan for leaked secrets in code and CI/CD
  • Hunt for masquerading processes (e.g., fake swap daemons) and anomalous SSH key changes
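One way to act on the masquerading-process item above (KSwapDoor is reported to pose as the Linux kernel swap daemon): the following hunt is an added example, not code from the report or from any of the vendors it cites. The heuristic it applies is a general Linux property rather than something the report describes: a genuine kernel thread is a child of kthreadd (pid 2), has an empty /proc/PID/cmdline and no /proc/PID/exe link, while a userland binary can rename itself but cannot fake those three attributes. The process names, pids and paths in SAMPLE_RECORDS are constructed; when run directly on a Linux host it also scans the live /proc tree (run as root for full visibility into other users' exe links).

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# PID of kthreadd, the parent of every genuine kernel thread on Linux.
KTHREADD_PID = 2

# Kernel-thread name prefixes worth protecting; kswapd is the name KSwapDoor is
# reported to imitate, the others are common kernel workers (assumed list).
KERNEL_THREAD_PREFIXES = (
    "kswapd", "kworker", "ksoftirqd", "migration", "rcu_", "kthreadd",
    "khugepaged", "kcompactd", "kblockd",
)


@dataclass
class ProcRecord:
    """The /proc attributes the heuristic needs for one process."""
    pid: int
    ppid: int
    comm: str      # /proc/PID/comm (may carry the [brackets] ps adds)
    cmdline: str   # /proc/PID/cmdline; empty for a genuine kernel thread
    exe: str       # readlink(/proc/PID/exe); empty when there is no backing binary


def imitates_kernel_thread(comm: str) -> bool:
    """True when a process name looks like one of the protected kernel threads."""
    name = comm.strip().strip("[]")
    return name.startswith(KERNEL_THREAD_PREFIXES)


def is_masquerading(rec: ProcRecord) -> bool:
    """Flag a userland process wearing a kernel-thread name.

    A real kernel thread is spawned by kthreadd, has an empty cmdline and no
    exe target; a renamed userland binary fails at least one of those tests.
    """
    if rec.pid == KTHREADD_PID or not imitates_kernel_thread(rec.comm):
        return False
    genuine = rec.ppid == KTHREADD_PID and rec.cmdline == "" and rec.exe == ""
    return not genuine


def find_masquerading(records: List[ProcRecord]) -> List[ProcRecord]:
    return [r for r in records if is_masquerading(r)]


def read_proc_record(pid: int) -> Optional[ProcRecord]:
    """Build a ProcRecord from the live /proc filesystem (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        ppid = 0
        with open(f"{base}/status") as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None  # process exited mid-scan or /proc is restricted
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""     # kernel threads have no exe link; unreadable links also land here
    return ProcRecord(pid, ppid, comm, cmdline, exe)


def scan_live() -> List[ProcRecord]:
    """Collect a ProcRecord for every numeric entry under /proc."""
    records = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            rec = read_proc_record(int(entry))
            if rec is not None:
                records.append(rec)
    return records


# Constructed sample, not taken from any real host: kthreadd, two genuine kernel
# threads, a normal daemon, and one userland binary that renamed itself kswapd0.
SAMPLE_RECORDS = [
    ProcRecord(pid=2, ppid=0, comm="kthreadd", cmdline="", exe=""),
    ProcRecord(pid=84, ppid=2, comm="kswapd0", cmdline="", exe=""),
    ProcRecord(pid=103, ppid=2, comm="kworker/u8:1", cmdline="", exe=""),
    ProcRecord(pid=812, ppid=1, comm="sshd", cmdline="/usr/sbin/sshd -D", exe="/usr/sbin/sshd"),
    ProcRecord(pid=4123, ppid=1, comm="kswapd0", cmdline="[kswapd0]", exe="/tmp/.cache/kswapd0"),
]

if __name__ == "__main__":
    for rec in find_masquerading(SAMPLE_RECORDS):
        print(f"SAMPLE pid={rec.pid} comm={rec.comm} ppid={rec.ppid} exe={rec.exe or '-'}")
    if os.path.isdir("/proc"):
        for rec in find_masquerading(scan_live()):
            print(f"LIVE   pid={rec.pid} comm={rec.comm} ppid={rec.ppid} exe={rec.exe or '-'}")
```

Against the constructed sample only pid 4123 is reported: it carries the kswapd0 name but is a child of init with a real executable under /tmp. The check is a triage aid, not proof; a hit should be followed by inspecting the binary's path, hash and open sockets (the report notes KSwapDoor keeps a raw-socket sniffer as a backup channel).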

Note: The report was updated to include additional technical details on KSwapDoor.

Source: The Hacker News
