Since December 2025, a concerning trend has emerged across Japanese organizations as attackers exploit a critical vulnerability in React\/Next.js applications.<\/p>\n
The vulnerability, tracked as CVE-2025-55182 and known as React2Shell, represents a remote code execution flaw attracting widespread exploitation.<\/p>\n
While initial attacks primarily deployed cryptocurrency miners<\/a>, security researchers uncovered more sophisticated threats targeting network infrastructure through a previously unknown malware called ZnDoor.<\/p>\n The emergence of ZnDoor marked a significant escalation in these attacks. This remote access trojan demonstrates advanced capabilities far beyond simple mining operations.<\/p>\n Evidence suggests ZnDoor has been active since at least December 2023, quietly establishing its presence in targeted environments.<\/p>\n The malware\u2019s sophisticated architecture indicates careful development and strategic deployment against network devices, making it a serious concern for enterprise security teams.<\/p>\n NTT Security analysts identified<\/a> ZnDoor through detailed forensic analysis of compromised systems.<\/p>\n Their investigation revealed a coordinated attack chain beginning with React2Shell exploitation and culminating in persistent backdoor access through ZnDoor deployment.<\/p>\n The infection mechanism follows a straightforward yet effective pathway. Attackers exploit React2Shell to execute a shell command that downloads and runs ZnDoor from external servers at 45.76.155.14.<\/p>\n The command executes via \/bin\/sh and immediately establishes communication with the command and control server at api.qtss.cc:443.<\/p>\n Configuration details, including the C2 address and port, are encrypted using AES-CBC encryption after Base64 decoding, protecting the malware\u2019s communication infrastructure from casual inspection.<\/p>\n ZnDoor operates as a fully featured remote access trojan with comprehensive system control capabilities. The malware<\/a> continuously beacons to its C2 server every second, transmitting system information including network addresses, hostname, username, and process identifiers through HTTP POST requests.<\/p>\n This persistent communication enables attackers to send commands for file operations, shell execution, system enumeration, and SOCKS5 proxy activation.<\/p>\n The command structure employs double-hash delimiters to parse instructions, supporting operations like interactive shell spawning, directory listing, file manipulation, and network tunneling<\/a>.<\/p>\n Detection evasion represents a critical aspect of ZnDoor\u2019s design. The malware implements process name spoofing to masquerade as legitimate system processes, making identification difficult through conventional monitoring.<\/p>\n Additionally, it modifies file timestamps to January 15, 2016, attempting to evade forensic investigations.<\/p>\n The malware executes self-restart mechanisms using child processes, complicating analysis efforts. These sophisticated evasion tactics underscore the advanced nature of this threat and highlight the importance of behavioral monitoring.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post ZnDoor Malware Exploiting React2Shell Vulnerability to Compromise Network Devices<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhIgsZH3NMDmz6y0fC7oeUq-36hsjpZt2ChgxX2SdAHydcgCCe_vUg41coInjGK-J_wge-O2FZ8uQKD7XgEhz1IukRdfL2goS0F0hUJYkGRWxPT-cOyml46ijlUW5EBcEVvX2Yi6BZ8wPXZTQfj8o41Vyz6o6nVpquhr0ueWOdRInytjAqNHzDm_0v_750\/s16000\/Attack%2520flow%2520%28Source%2520-%2520NTT%2520Security%29.webp?ssl=1\")
Infection Mechanism and Command and Control Operations<\/strong><\/h2>\n