Since December 2025, a concerning trend has emerged across Japanese organizations as attackers exploit a critical vulnerability in React/Next.js applications.
The vulnerability, tracked as CVE-2025-55182 and known as React2Shell, represents a remote code execution flaw attracting widespread exploitation.
While initial attacks primarily deployed cryptocurrency miners, security researchers uncovered more sophisticated threats targeting network infrastructure through a previously unknown malware called ZnDoor.
The emergence of ZnDoor marked a significant escalation in these attacks. This remote access trojan demonstrates advanced capabilities far beyond simple mining operations.
Evidence suggests ZnDoor has been active since at least December 2023, quietly establishing its presence in targeted environments.
The malware’s sophisticated architecture indicates careful development and strategic deployment against network devices, making it a serious concern for enterprise security teams.
NTT Security analysts identified ZnDoor through detailed forensic analysis of compromised systems.
Their investigation revealed a coordinated attack chain beginning with React2Shell exploitation and culminating in persistent backdoor access through ZnDoor deployment.
Infection Mechanism and Command and Control Operations
The infection mechanism follows a straightforward yet effective pathway. Attackers exploit React2Shell to execute a shell command that downloads and runs ZnDoor from an external server at 45.76.155.14.
The command executes via /bin/sh and immediately establishes communication with the command and control server at api.qtss.cc:443.
Configuration details, including the C2 address and port, are stored Base64-encoded and AES-CBC encrypted; the malware Base64-decodes and then decrypts them at runtime, shielding its communication infrastructure from casual inspection.
ZnDoor operates as a fully featured remote access trojan with comprehensive system control capabilities. The malware continuously beacons to its C2 server every second, transmitting system information including network addresses, hostname, username, and process identifiers through HTTP POST requests.
This persistent communication enables attackers to send commands for file operations, shell execution, system enumeration, and SOCKS5 proxy activation.
The command structure employs double-hash delimiters to parse instructions, supporting operations like interactive shell spawning, directory listing, file manipulation, and network tunneling.
Detection evasion represents a critical aspect of ZnDoor’s design. The malware implements process name spoofing to masquerade as legitimate system processes, making identification difficult through conventional monitoring.
Additionally, it modifies file timestamps to January 15, 2016, a timestomping technique intended to frustrate forensic timeline analysis.
The malware executes self-restart mechanisms using child processes, complicating analysis efforts. These sophisticated evasion tactics underscore the advanced nature of this threat and highlight the importance of behavioral monitoring.
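A defender-side detection example added here, not code from the article or from NTT Security: it builds on the one-second HTTP POST beaconing described above and scans a proxy-log excerpt for source/destination pairs whose POST intervals cluster tightly around one second. The log format and the 10.0.0.x source addresses are constructed; api.qtss.cc:443 is the C2 address named in the article.

```python
# Flag hosts that POST to one destination at a fixed one-second cadence, the
# beaconing pattern described for ZnDoor. Log format is constructed (not from
# the article): ISO-8601 time, source IP, destination host:port, HTTP method.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one beaconing host, one host with ordinary cadence.
SAMPLE_LOG = """\
2025-12-10T09:00:00Z 10.0.0.5 api.qtss.cc:443 POST
2025-12-10T09:00:01Z 10.0.0.5 api.qtss.cc:443 POST
2025-12-10T09:00:02Z 10.0.0.5 api.qtss.cc:443 POST
2025-12-10T09:00:03Z 10.0.0.5 api.qtss.cc:443 POST
2025-12-10T09:00:04Z 10.0.0.5 api.qtss.cc:443 POST
2025-12-10T09:00:05Z 10.0.0.5 api.qtss.cc:443 POST
2025-12-10T09:00:00Z 10.0.0.7 updates.example.com:443 POST
2025-12-10T09:00:13Z 10.0.0.7 updates.example.com:443 POST
2025-12-10T09:00:41Z 10.0.0.7 updates.example.com:443 POST
2025-12-10T09:01:30Z 10.0.0.7 updates.example.com:443 POST
2025-12-10T09:01:31Z 10.0.0.7 updates.example.com:443 POST
"""

def parse(line):
    ts, src, dst, method = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method

def find_beacons(log_text, min_posts=5, target=1.0, tolerance=0.2):
    """Return [(src, dst, mean_gap)] for POST streams whose inter-request gap
    averages `target` seconds and barely varies (low jitter)."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, method = parse(line)
            if method == "POST":
                posts[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in posts.items():
        if len(times) < min_posts:
            continue  # too few requests to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - target) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((src, dst, mean(gaps)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: POST every {gap:.2f}s")
```

The second host also sends five POSTs but at irregular intervals, so it is not flagged; in production the tolerance and minimum count would be tuned against the organisation's own baseline traffic.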