A critical remote code execution vulnerability recently discovered in widely used React and Next.js applications has become the gateway for a sophisticated cyber offensive, with attackers actively targeting Japanese organizations since December 2025. This flaw, designated CVE-2025-55182 and colloquially named React2Shell, marks a significant escalation in the threat landscape. Previously, similar exploits were often used to deploy relatively simple cryptocurrency miners, but the current campaign has unleashed a far more dangerous and previously unknown malware. Named ZnDoor, this new payload is a full-featured backdoor designed for long-term system compromise, data exfiltration, and persistent access. Its emergence signals a strategic shift by threat actors, who are now leveraging common web development frameworks to deploy enterprise-grade espionage tools, turning trusted application components into a launchpad for deep network intrusion and control. The calculated nature of this campaign suggests a well-resourced adversary with clear objectives beyond opportunistic financial gain.
The Anatomy of an Advanced Cyberattack
The attack chain begins with the methodical exploitation of the React2Shell vulnerability, which allows adversaries to execute an arbitrary shell command on a vulnerable server. According to detailed analysis, this initial access is used to run a command that downloads the primary ZnDoor payload from a hardcoded external server located at the IP address 45.76.155.14. Once executed on the compromised system, the malware wastes no time establishing a persistent channel to its command and control (C2) infrastructure, which resides at api.qtss.cc over port 443. To protect its operational resilience and evade network-based detection, the malware’s core configuration details, including the C2 address, are securely encrypted using the AES-CBC cipher. While these attacks have only recently been observed in the wild, forensic evidence indicates that the ZnDoor malware has been in active development since at least December 2023, pointing to a lengthy and deliberate preparation phase by its operators before its widespread deployment in the current campaign.
Once installed, ZnDoor operates as a highly capable remote access trojan (RAT), providing its operators with comprehensive control over the infected device. Its primary function is to maintain constant contact with the C2 server, sending a beacon every second via an HTTP POST request. These frequent check-ins are not merely for status updates; they also transmit a detailed telemetry package containing sensitive system information. This data includes the device’s network addresses, its hostname, the current username, and a list of active process IDs, giving the attackers a real-time snapshot of the compromised environment. In response to these beacons, the C2 server can issue a wide array of commands to be executed by the malware. These directives range from basic file operations, such as uploading or downloading files, to extensive system enumeration for reconnaissance. Furthermore, the operators can launch an interactive shell for direct command-line access or activate a built-in SOCKS5 proxy, enabling them to tunnel their network traffic through the victim’s machine to pivot deeper into the internal network.
A Masterclass in Evasion and Persistence
A core design philosophy of the ZnDoor malware is its emphasis on stealth and its ability to operate undetected for extended periods. To achieve this, it employs several advanced evasion techniques aimed at defeating both automated security tools and human analysts. One of its primary methods is process name spoofing, where the malware renames its own process to mimic a legitimate and commonly found system service. This allows it to blend in with normal system activity, making it exceptionally difficult to identify in a list of running processes through conventional monitoring. Further complicating forensic efforts, ZnDoor actively modifies its own file timestamps, resetting them to a fixed date in the past: January 15, 2016. This clever trick is designed to mislead investigators, making the malicious file appear as though it has been on the system for years and is unrelated to any recent security incident, thereby diverting attention away from the true point of compromise.
Beyond its stealth capabilities, ZnDoor is engineered for robust persistence, ensuring its continued operation even if discovered and partially remediated. The malware implements a sophisticated self-restart mechanism that relies on the creation of child processes. If the main ZnDoor process is terminated by a system administrator or an automated security tool, a designated child process is programmed to immediately relaunch it, effectively restoring the backdoor within moments. This multi-process architecture complicates both analysis and removal, as security teams must successfully identify and terminate the entire process tree simultaneously to eradicate the threat. This combination of stealthy operation and resilient persistence makes ZnDoor a formidable challenge for network defenders. It is not a tool for a quick smash-and-grab attack but a weapon built for long-term occupation, providing attackers with a reliable and difficult-to-remove foothold within a compromised enterprise network.
Reflecting on the Aftermath and Future Defenses
The emergence of the ZnDoor campaign, facilitated by the React2Shell vulnerability, highlighted a critical and dangerous intersection of ubiquitous software dependencies and the evolving sophistication of threat actors. The incident served as a stark reminder that even the most trusted and widely adopted development frameworks could be weaponized, turning a foundational technology of the modern web into a potent attack vector. For the organizations targeted, the attack underscored the necessity of a multi-layered defense strategy that went beyond simple perimeter security. The immediate response required diligent patching of all vulnerable React and Next.js applications, but the long-term lessons were far more profound. This campaign prompted a broader re-evaluation of security postures, pushing the industry toward more aggressive proactive threat hunting and enhanced network monitoring designed to detect subtle indicators of compromise, such as the unusual, high-frequency C2 beaconing exhibited by the malware. It ultimately reinforced the idea that security could no longer be an afterthought in the software development lifecycle.