Since December 2025, security operations centers have identified a rising threat targeting Japanese enterprises through the exploitation of React2Shell (CVE-2025-55182), a critical remote code execution vulnerability affecting React and Next.js applications.
While initial attacks primarily deployed cryptocurrency miners, researchers discovered a more dangerous payload: a previously unknown malware family designated ZnDoor.
Evidence suggests this threat has been in circulation since at least December 2023 and is linked to network device compromises across multiple sectors.
ZnDoor represents a sophisticated Remote Access Trojan (RAT) capable of comprehensive system control and lateral movement.
The malware uses advanced techniques to evade detection mechanisms, forensic analysis, and traditional endpoint security solutions.
The discovery of ZnDoor’s active deployment in Japan signals a significant escalation in the threat landscape targeting infrastructure and business-critical systems.
Attack Chain and Exploitation Flow
The attack sequence begins with exploitation of the React2Shell vulnerability, which has already seen public proof-of-concept code released, enabling widespread victimization of exposed web services.
Initial compromise triggers command execution that downloads and executes ZnDoor from attacker-controlled infrastructure.
Once established, the malware communicates persistently with command-and-control (C2) servers hosted on the same infrastructure used for ZnDoor distribution.
Configuration data embedded within ZnDoor samples is protected with AES-CBC encryption combined with Base64 encoding.
Analysis revealed hardcoded C2 infrastructure including the domain api.qtss[.]cc communicating over port 443.
The malware constructs C2 URLs using a consistent pattern incorporating parameters such as “source=redhat” and version identifiers, suggesting potential attempts to masquerade as legitimate traffic.
ZnDoor implements continuous communication with its C2 infrastructure, transmitting system reconnaissance data encoded as JSON payloads approximately once per second.
Each beacon includes critical device information: local IP addresses, MD5-hashed user identifiers, hostnames, usernames, operating system details, and available port forwarding capabilities.
The malware spoofs legitimate Safari user-agent strings to obscure its communications within standard web traffic patterns.
The RAT functionality provides operators comprehensive system control through a documented command set including shell execution, interactive terminal access, directory enumeration, file operations, and SOCKS5 proxy instantiation.
File timestamp manipulation enables operators to modify forensic indicators, while port forwarding capabilities facilitate lateral movement through compromised networks.
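A detection sketch for the beaconing pattern described above, added here as an example and not taken from the report or any vendor tooling: it parses constructed proxy-log lines and flags client/host pairs that contact the known C2 host, carry the "source=redhat" parameter, or send Safari-agent requests at roughly one-second spacing. The log format, the URL path "/c", the version value and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not real telemetry). Assumed format: ISO timestamp, client IP,
# method, URL, quoted User-Agent. Host api.qtss.cc, port 443 and "source=redhat" come from the
# report; the path "/c", the version value and the client addresses are assumptions.
SAFARI_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15"
SAMPLE_LOG = f"""\
2026-01-10T09:00:00Z 10.0.0.5 POST https://api.qtss.cc:443/c?source=redhat&version=1.2 "{SAFARI_UA}"
2026-01-10T09:00:01Z 10.0.0.5 POST https://api.qtss.cc:443/c?source=redhat&version=1.2 "{SAFARI_UA}"
2026-01-10T09:00:02Z 10.0.0.5 POST https://api.qtss.cc:443/c?source=redhat&version=1.2 "{SAFARI_UA}"
2026-01-10T09:00:00Z 10.0.0.9 GET https://www.example.com:443/ "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
2026-01-10T09:05:00Z 10.0.0.9 GET https://www.example.com:443/news "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
KNOWN_C2 = {"api.qtss.cc"}  # written defanged in the report as api.qtss[.]cc

def parse_line(line):
    # Split one log line into fields; lines that do not match the assumed format yield None
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, ua = m.groups()
    u = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client, "host": u.hostname, "port": u.port, "query": parse_qs(u.query), "ua": ua}

def find_beacons(log_text, min_hits=3, max_interval=2.0):
    # Group requests per (client, host) and report flows showing ZnDoor-like indicators
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[(rec["client"], rec["host"])].append(rec)
    findings = {}
    for (client, host), recs in flows.items():
        reasons = []
        if host in KNOWN_C2:
            reasons.append("known C2 host")
        if any(r["query"].get("source") == ["redhat"] for r in recs):
            reasons.append("source=redhat parameter")
        if len(recs) >= min_hits:
            times = sorted(r["ts"] for r in recs)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            # ~1 Hz requests under a spoofed Safari agent is the behavioural tell, host aside
            if gaps and max(gaps) <= max_interval and all("Safari" in r["ua"] for r in recs):
                reasons.append(f"{len(recs)} Safari-UA requests at <= {max_interval}s spacing")
        if reasons:
            findings[f"{client}->{host}"] = {"hits": len(recs), "reasons": reasons}
    return findings
```

The interval check is the part worth keeping even if the C2 host changes, since a one-second beacon cadence from a server process is unusual regardless of destination.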
Evasion and Detection Avoidance
ZnDoor employs multiple sophisticated evasion techniques to prevent detection and removal. Process name spoofing masks the malware’s presence within process listings, while automatic timestamp modification sets file metadata to January 15, 2016, a technique designed to evade time-based security controls and forensic analysis.
The convergence of a publicly exploitable React2Shell vulnerability and ZnDoor’s sophisticated capabilities creates substantial risk for affected enterprises.
The malware implements self-restart mechanisms through child process execution, complicating PID-based termination efforts and hindering sandbox-based dynamic analysis.
These layered evasion capabilities substantially impede traditional security response procedures and complicate incident investigation timelines.
Organizations cannot easily identify compromised processes through conventional monitoring, and the antivirus evasion techniques reduce detection effectiveness.
Continued vigilance, including monitoring for suspicious React/Next.js application behavior, remains essential for organizations operating affected frameworks.
Immediate patching of React2Shell vulnerabilities and comprehensive endpoint monitoring for indicators of ZnDoor activity are recommended protective measures.
