Beyond the Shell: Critical React2Shell Exploit Hits Japan to Deploy Stealthy ZnDoor RAT
Since early December 2025, SOC teams in Japan have been observing a wave of attacks exploiting React2Shell (CVE-2025-55182)—a remote code execution vulnerability in React/Next.js that already has a public proof of concept and is now being abused at scale against web services. In many incidents, attackers deploy familiar payloads such as cryptocurrency miners, but in a number of cases analysts encountered an unfamiliar piece of malware that has been dubbed ZnDoor.
According to observations by NTT Security, ZnDoor may have been in use since at least December 2023 and appears contextually linked to campaigns exploiting vulnerabilities in network infrastructure. In attacks detected within Japanese enterprises, the intrusion chain begins with React2Shell: once exploitation succeeds, a command is executed on the server to download and launch ZnDoor. Notably, in these cases the distribution server for the sample and the command-and-control endpoint were one and the same, with the malware initiating communication with its control infrastructure immediately after execution.
ZnDoor’s configuration is embedded directly in the code and extracted via Base64 decoding followed by AES-CBC decryption. It contains the address api.qtss[.]cc and port 443, which the malware uses to construct its C2 URL. Requests are disguised as ordinary web traffic, targeting the path /en/about with parameters such as source=redhat and varying id values, including “versioned” strings like v1.0 and v1.1 as well as long numeric identifiers.
This is followed by a steady “beaconing” phase: the sample collects system information, packages it into JSON, and sends it to the C2 via HTTP POST every second, spoofing a Safari User-Agent. Among the transmitted data are local IP addresses, a string containing host and version details, and a victim token generated using the xid library and then hashed with MD5. If the server responds with ERROR, the malware pauses and retries transmission up to ten times.
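The request shape and cadence described in the two paragraphs above are enough to build a first-pass detection over web-proxy logs. The following is an added example, not code from the NTT Security report: it parses a constructed, simplified proxy log (ISO timestamp, source IP, method, URL, User-Agent), matches requests on the reported traits (POST to /en/about, source=redhat, Safari User-Agent, the reported C2 hostname appears only as sample data), and flags source/destination pairs whose inter-request gap stays at the reported one-second beacon interval.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed proxy log (not real traffic): "<ISO time> <src_ip> <method> <url> <user_agent>".
# The first host beacons once per second to the reported path; the second is ordinary browsing.
SAMPLE_LOG = """\
2025-12-03T09:00:00 10.0.0.12 POST https://api.qtss.cc:443/en/about?source=redhat&id=v1.0 Mozilla/5.0 (Macintosh) Safari/605.1.15
2025-12-03T09:00:01 10.0.0.12 POST https://api.qtss.cc:443/en/about?source=redhat&id=v1.1 Mozilla/5.0 (Macintosh) Safari/605.1.15
2025-12-03T09:00:02 10.0.0.12 POST https://api.qtss.cc:443/en/about?source=redhat&id=173305440012345 Mozilla/5.0 (Macintosh) Safari/605.1.15
2025-12-03T09:00:03 10.0.0.12 POST https://api.qtss.cc:443/en/about?source=redhat&id=173305440012346 Mozilla/5.0 (Macintosh) Safari/605.1.15
2025-12-03T09:00:05 10.0.0.40 GET https://example.org/en/about Mozilla/5.0 (X11; Linux) Firefox/121.0
2025-12-03T09:00:09 10.0.0.40 POST https://example.org/en/about?source=redhat Mozilla/5.0 (X11; Linux) Firefox/121.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Split one log line into (time, src, method, parsed_url, user_agent); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    return datetime.fromisoformat(ts), src, method, urlparse(url), ua

def is_zndoor_like(method, url, ua):
    """Request-level match on the traits reported for ZnDoor: POST to /en/about,
    source=redhat in the query string, and a Safari User-Agent string."""
    return (method == "POST" and url.path == "/en/about"
            and parse_qs(url.query).get("source") == ["redhat"] and "Safari" in ua)

def find_beacons(log_text, min_hits=3, max_gap_s=2.0):
    """Group matching requests by (source IP, destination host) and flag groups whose
    inter-request gap never exceeds max_gap_s, i.e. the reported once-per-second cadence."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_zndoor_like(rec[2], rec[3], rec[4]):
            groups[(rec[1], rec[3].hostname)].append(rec[0])
    alerts = []
    for (src, host), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(g <= max_gap_s for g in gaps):
            alerts.append({"src": src, "host": host, "hits": len(times)})
    return alerts

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # [{'src': '10.0.0.12', 'host': 'api.qtss.cc', 'hits': 4}]
```

The Firefox request to the same path with the same parameter is deliberately left unflagged, so the cadence and User-Agent checks, not the path alone, carry the detection; tune `min_hits` and `max_gap_s` to the log volume and clock resolution of the proxy in use.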
Functionally, ZnDoor resembles a full-featured remote access trojan. On instructions from the C2, it can execute shell commands, spawn an interactive shell, browse directories, read and delete files, transfer files in both directions, collect system information, modify file timestamps, launch a SOCKS5 proxy, and configure port forwarding. Command execution results are serialized and returned over the same HTTP POST channel, with parameters in command strings separated by the sequence ##.
Researchers place particular emphasis on ZnDoor’s evasion techniques. The malware can repeatedly restart itself via /proc/self/exe while preserving standard input and output, complicating live behavioral analysis and making targeted termination by PID more difficult.
In parallel, it alters its process name and forcibly resets its own timestamps to a fixed value—2016-01-15 15:08:25.7450580—potentially hindering forensic analysis and reducing visibility in checks that focus on “recent” artifacts. SOC teams stress that cases of React2Shell exploitation followed by ZnDoor deployment have already been observed in Japanese companies, and that attempts leveraging this vulnerability should be treated as a persistent threat rather than an isolated outbreak.