Japanese organizations have become targets of a cyberattack campaign that exploits a critical vulnerability in React/Next.js applications, known as React2Shell (CVE-2025-55182). Initially observed deploying cryptocurrency miners, the attacks have escalated: a newly identified malware family, ZnDoor, is now being dropped through the same flaw to compromise devices and establish persistent backdoor access. The shift from opportunistic mining to hands-on network infiltration is the notable development here.
Security researchers from NTT Security identified the ZnDoor malware through detailed forensic analysis of compromised systems. The group’s investigation detailed a coordinated attack chain that begins with the exploitation of the React2Shell vulnerability, ultimately leading to the deployment of ZnDoor. Evidence suggests ZnDoor has been active since at least December 2023, quietly embedding itself within targeted network infrastructures.
ZnDoor Malware Exploiting React2Shell Vulnerability for Network Compromise
The React2Shell vulnerability (CVE-2025-55182) is a remote code execution flaw in React/Next.js applications that is being exploited in the wild. Successful exploitation lets an unauthenticated attacker run arbitrary commands on the affected server. While early exploitation was mostly limited to dropping cryptocurrency miners, the arrival of ZnDoor marks a clear escalation in both the sophistication and the objectives of the operators.
ZnDoor is a previously unknown remote access trojan (RAT) that demonstrates advanced capabilities designed for deep network infiltration. Its architecture suggests careful development and strategic deployment, targeting critical network infrastructure rather than merely disrupting operations. This makes it a significant concern for enterprise security teams facing persistent and stealthy threats.
Infection Mechanism and Command and Control Operations
The attack chain begins with exploitation of the React2Shell vulnerability. Once the vulnerable application is reached, the exploit is used to execute a shell command, typically via /bin/sh, that downloads and runs the ZnDoor payload from attacker-controlled servers; infrastructure observed in this stage includes the IP address 45.76.155.14.
Once running, ZnDoor immediately contacts its command and control (C2) server. The observed C2 address is api.qtss.cc on port 443. The embedded configuration, including the C2 host and port, is stored Base64-encoded and AES-CBC encrypted; the malware Base64-decodes the blob and then decrypts it at runtime, so the C2 address is not visible as a plaintext string in the binary and cannot simply be pulled out with strings or a YARA rule on the hostname.
ZnDoor is a fully featured RAT that gives the operators comprehensive control over the compromised host. It beacons aggressively, sending an HTTP POST to the C2 every second. Each request carries system information such as network addresses, hostname, username, and process identifiers, which lets the operators keep a live inventory of compromised hosts. The flip side for defenders is that a one-second POST cadence to a single external host is a strong beaconing signal in proxy or NetFlow data.
Over this channel the operators can issue a wide range of commands, including file manipulation, shell execution, system enumeration, and activation of a SOCKS5 proxy. Commands are parsed using double-hash ("##") delimiters, and the protocol supports interactive shell sessions, directory listings, file modification, and network tunnelling, which the attackers can use to pivot further into the network.
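The beaconing behaviour described above is easier to catch by timing than by signature, since the C2 host is encrypted in the binary and can change. The following is an added example (not NTT's tooling and not part of the original article) that hunts a proxy log for the two things the page does give us: POST streams with a stable one-second inter-request interval, and any contact with the reported indicators api.qtss.cc and 45.76.155.14. The log lines are constructed and use a simplified "epoch source method url" format; the interval tolerance and minimum request count are assumptions to tune against your own data.

```python
"""Hunt a proxy log for ZnDoor-style one-second POST beacons and known IoCs.

Added example, not from the page or NTT. Log format is a constructed
"<epoch> <src_ip> <METHOD> <url>" line; adapt LINE_RE to your proxy.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Indicators reported in the article: the C2 host and the download server.
IOC_HOSTS = {"api.qtss.cc", "45.76.155.14"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)"
)


def parse(line):
    """Return (timestamp, src_ip, method, dest_host) or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = re.sub(r"^https?://", "", m["url"]).split("/")[0].split(":")[0]
    return float(m["ts"]), m["src"], m["method"], host


def find_beacons(lines, min_requests=5, target_interval=1.0, tolerance=0.2):
    """Return {(src, host): count} for POST streams whose gaps average
    ~target_interval seconds with low jitter (pstdev <= tolerance).
    Thresholds are assumptions; ZnDoor's reported cadence is 1 POST/second."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST":
            posts[(rec[1], rec[3])].append(rec[0])
    hits = {}
    for key, times in posts.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - target_interval) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = len(times)
    return hits


def ioc_hits(lines):
    """Sorted (src, host) pairs that touched a known ZnDoor indicator."""
    return sorted({(r[1], r[3]) for r in map(parse, lines) if r and r[3] in IOC_HOSTS})


# Constructed sample: 10.0.0.5 fetches the payload then beacons every ~1s;
# 10.0.0.7 is ordinary browsing with a few irregular POSTs.
SAMPLE = [
    "999.0 10.0.0.5 GET http://45.76.155.14/x/zn",
    "1000.0 10.0.0.5 POST https://api.qtss.cc:443/",
    "1001.0 10.0.0.5 POST https://api.qtss.cc:443/",
    "1002.1 10.0.0.5 POST https://api.qtss.cc:443/",
    "1003.0 10.0.0.5 POST https://api.qtss.cc:443/",
    "1004.0 10.0.0.5 POST https://api.qtss.cc:443/",
    "1005.1 10.0.0.5 POST https://api.qtss.cc:443/",
    "1000.0 10.0.0.7 GET https://example.com/",
    "1000.0 10.0.0.7 POST https://intranet.local/login",
    "1030.5 10.0.0.7 POST https://intranet.local/search",
    "1100.2 10.0.0.7 POST https://intranet.local/search",
    "this line is not a log record",
]

if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE))
    print("ioc hits:", ioc_hits(SAMPLE))
```

Run it against real proxy exports after adjusting LINE_RE; the beacon check is independent of the hostname, so it keeps working if the operators rotate C2 infrastructure, while the IoC check is the cheap retroactive sweep.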
Advanced Evasion Tactics Employed by ZnDoor
A critical aspect of ZnDoor’s design is its emphasis on detection evasion. To avoid discovery by security software and analysts, the malware employs several sophisticated techniques.
One notable tactic is process name spoofing. ZnDoor presents itself under the name of a legitimate system process, so it does not stand out in conventional process listings. On Linux the displayed name (the comm field and argv[0]) is attacker-controlled, but /proc/<pid>/exe still resolves to the binary that was actually executed, which is the field to compare against.
ZnDoor also manipulates file timestamps, setting them to January 15, 2016. This timestomping is a common trick to make dropped files look like long-standing system files, so that timeline analysis and triage that look for recently modified files (for example, find with -mtime or -newer) overlook them.
The malware also uses a self-restart mechanism through child processes: killing the main process is not enough, because a child can re-launch it or keep the foothold alive. Together these techniques underline that ZnDoor should be hunted on behaviour (beaconing cadence, comm-versus-exe mismatches, anomalous timestamps, respawning process trees) rather than on file names or hashes alone.
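Two of the evasion traits above can be checked directly on a Linux host. The following is an added example (not from the article or from NTT) that flags running processes whose kernel-visible name (/proc/<pid>/comm) does not match the basename of their real executable (/proc/<pid>/exe), or whose executable has been deleted from disk, and that walks a directory tree for files whose modification time falls on the page's reported timestomp date of 2016-01-15. The prefix-match rule for comm, the "(deleted)" check, and matching on either the UTC or the local date are assumptions; legitimate software does occasionally rename its threads, so treat the process hits as leads rather than verdicts.

```python
"""Hunt for ZnDoor-style evasion on Linux: spoofed process names and
files timestomped to 2016-01-15. Added example, not from the page or NTT.
"""
import os
from datetime import date, datetime, timezone

# Date the article reports ZnDoor writes onto its files.
STOMP_DATE = date(2016, 1, 15)


def comm_mismatch(comm, exe_path):
    """True when the process name is not a (possibly truncated) form of the
    executable's basename. The kernel caps comm at 15 characters, so a
    legitimate "very_long_executable_name" shows as "very_long_execu";
    a prctl(PR_SET_NAME) spoof like "kworker/0:1" over /tmp/.x/znd will not."""
    return not os.path.basename(exe_path).startswith(comm)


def scan_processes(proc="/proc"):
    """Return [(pid, comm, exe)] for suspicious processes. Needs root to read
    every /proc/<pid>/exe; kernel threads have none and are skipped."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue
        deleted = exe.endswith(" (deleted)")  # binary removed after launch
        if deleted or comm_mismatch(comm, exe):
            hits.append((int(pid), comm, exe))
    return hits


def is_timestomped(mtime_epoch):
    """Match on the calendar day in either UTC or local time, since the page
    gives only the date and the time-of-day the malware writes is unknown."""
    utc_day = datetime.fromtimestamp(mtime_epoch, tz=timezone.utc).date()
    local_day = datetime.fromtimestamp(mtime_epoch).date()
    return STOMP_DATE in (utc_day, local_day)


def find_timestomped(root):
    """Sorted paths under root whose mtime falls on STOMP_DATE."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_timestomped(st.st_mtime):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for pid, comm, exe in scan_processes():
        print(f"process {pid}: comm={comm!r} exe={exe}")
    for path in find_timestomped("/tmp"):
        print("timestomped:", path)
```

The process check is deliberately conservative (prefix match) so interpreters such as python3 running a script are not flagged; the timestomp walk is cheap enough to run over /tmp, /var/tmp, /dev/shm and the web application's working directory on every host that exposes a React/Next.js front end.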
The ongoing exploitation of React2Shell and the deployment of ZnDoor present a significant challenge for Japanese organizations. The immediate priorities are to patch React/Next.js deployments against CVE-2025-55182, sweep for the indicators above, and hunt for the beaconing and evasion behaviours rather than relying on file signatures. Investigation into the full scope of ZnDoor's capabilities and its impact on affected networks is ongoing.

