
Beginning in December 2025, a concerning pattern has emerged among Japanese organizations as attackers exploit a critical vulnerability in React/Next.js applications.

The vulnerability, tracked as CVE-2025-55182 and dubbed React2Shell, is a remote code execution flaw that is being exploited at scale.

Early exploitation mostly delivered cryptocurrency miners, but researchers have since uncovered a more sophisticated threat aimed at network infrastructure: a previously undocumented malware family named ZnDoor.

The appearance of ZnDoor marks a notable escalation in these intrusions. This remote access Trojan offers capabilities well beyond coin mining.

Evidence suggests ZnDoor has been active since at least December 2023, quietly establishing footholds on compromised systems.

Its architecture points to deliberate engineering and targeted deployment against network devices, making it a serious concern for enterprise security teams.



NTT Security analysts identified ZnDoor through forensic examination of compromised systems.

Attack flow (Source – NTT Security)

Their investigation revealed a coordinated attack chain that begins with exploitation of React2Shell and ends with persistent backdoor access via ZnDoor.

Infection Mechanism and Command and Control Operations

The infection path is simple but effective. Attackers exploit React2Shell to run a shell command that downloads and launches ZnDoor from a staging server at 45.76.155.14.

The command runs via /bin/sh, and the implant promptly begins communicating with its command and control server at api.qtss.cc:443.

Configuration data, including the C2 address and port, is stored Base64-encoded and AES-CBC encrypted: the implant Base64-decodes the blob and then decrypts it, which keeps the C2 details out of a casual strings dump of the binary.

ZnDoor is a fully featured remote access Trojan with broad control over the host. It beacons to its C2 server every second, sending system details such as IP addresses, hostname, username and process IDs in HTTP POST requests.

This persistent channel lets attackers issue commands for file operations, shell execution, system enumeration and SOCKS5 proxying.
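A once-per-second POST to a fixed destination is a strong beaconing signal. As an added example (not code from NTT Security or from this article), the following Python script flags that pattern in proxy logs. The log format, source IPs and timestamps are constructed sample data; only the destination api.qtss.cc:443 and the staging address 45.76.155.14 come from the report.

```python
"""Detect fixed-interval HTTP POST beaconing in proxy logs.

Added example, not NTT Security's tooling. The log layout
("timestamp src_ip method host:port path") is an assumption; the sample
lines are constructed to mimic a host POSTing to the reported C2 once a
second next to a benign host whose POSTs are irregular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators taken from the report: C2 hostname and staging server IP.
IOC_C2 = {"api.qtss.cc", "45.76.155.14"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-12-10T09:00:00 10.0.0.5 POST api.qtss.cc:443 /
2025-12-10T09:00:01 10.0.0.5 POST api.qtss.cc:443 /
2025-12-10T09:00:02 10.0.0.5 POST api.qtss.cc:443 /
2025-12-10T09:00:03 10.0.0.5 POST api.qtss.cc:443 /
2025-12-10T09:00:04 10.0.0.5 POST api.qtss.cc:443 /
2025-12-10T09:00:05 10.0.0.5 POST api.qtss.cc:443 /
2025-12-10T09:00:00 10.0.0.9 POST crm.example.com:443 /api/save
2025-12-10T09:00:07 10.0.0.9 POST crm.example.com:443 /api/save
2025-12-10T09:00:31 10.0.0.9 POST crm.example.com:443 /api/save
2025-12-10T09:01:02 10.0.0.9 POST crm.example.com:443 /api/save
2025-12-10T09:02:45 10.0.0.9 POST crm.example.com:443 /api/save
2025-12-10T09:00:03 10.0.0.7 GET www.example.com:443 /index.html
"""


def parse_line(line):
    """Split one assumed-format log line into typed fields."""
    ts, src, method, dest, path = line.split()
    return datetime.fromisoformat(ts), src, method, dest, path


def find_beacons(log_text, min_events=5, expected_interval=1.0, max_jitter=0.5):
    """Return {(src, dest): mean_gap_seconds} for POST flows whose inter-request
    gaps are both close to expected_interval and nearly constant (low stddev)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dest, _ = parse_line(line)
        if method == "POST":
            flows[(src, dest)].append(ts)

    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - expected_interval) <= max_jitter and pstdev(gaps) <= max_jitter:
            hits[key] = round(mean(gaps), 2)
    return hits


def matches_ioc(dest):
    """True if the host part of host:port is a known ZnDoor indicator."""
    return dest.rsplit(":", 1)[0] in IOC_C2


def triage(log_text):
    """Beaconing flows with an IOC flag, ready for an analyst queue."""
    return [(src, dest, gap, matches_ioc(dest))
            for (src, dest), gap in find_beacons(log_text).items()]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The interval test catches the behaviour even if the operators rotate the C2 hostname; the IOC match is only the cheap confirmation on top of it. Raise max_jitter if the implant adds sleep randomization.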

Commands are parsed using double-hash (##) delimiters, and the supported tasks include spawning an interactive shell, listing directories, modifying files and tunneling network traffic.

Detection evasion is central to ZnDoor's design. The malware spoofs its process name to masquerade as a legitimate system process, hampering identification through routine process monitoring.

It also resets file timestamps to January 15, 2016 (timestomping) to frustrate timeline-based forensics.

ZnDoor also restarts itself through child processes, which complicates analysis and termination. These evasion techniques reflect the maturity of the threat and reinforce the value of behavioral monitoring over static indicators alone.
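Both evasion tricks above leave artifacts a responder can look for: a forged mtime still lands on the reported date, and a spoofed process name changes what ps shows but not where /proc/<pid>/exe points. The script below, an added example rather than NTT Security's tooling, checks for both. The /proc layout is Linux-specific, the scratch directory and the file names in the demo are constructed, and the fixed date is the one reported for ZnDoor.

```python
"""Host checks for ZnDoor-style timestomping and process-name spoofing.

Added example, not from the NTT Security report. The demo builds a
constructed scratch tree; scan_procs() reads the live /proc on Linux.
"""
import os
import tempfile
from datetime import datetime, timezone

# Date the report says ZnDoor writes into file timestamps.
TIMESTOMP_DATE = (2016, 1, 15)


def is_timestomped(path, date=TIMESTOMP_DATE):
    """True if the file's mtime falls on the given calendar date (UTC)."""
    st = os.stat(path)
    day = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).timetuple()[:3]
    return tuple(day) == date


def find_timestomped(root, date=TIMESTOMP_DATE):
    """Walk root and return every file whose mtime matches the stomp date."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_timestomped(path, date):
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort
    return sorted(hits)


def name_mismatch(comm, exe_path):
    """True if the visible process name differs from the real executable.

    comm is what ps shows and is capped at 15 characters by the kernel;
    /proc/<pid>/exe is a symlink to the actual binary and may carry a
    " (deleted)" suffix if the implant unlinked itself after starting.
    """
    real = os.path.basename(exe_path.replace(" (deleted)", ""))
    return real[:15] != comm


def scan_procs(proc_root="/proc"):
    """Return (pid, comm, exe) for processes whose names do not match.
    Kernel threads have no exe and are skipped; permission errors are ignored."""
    flagged = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue
        if name_mismatch(comm, exe):
            flagged.append((int(pid), comm, exe))
    return flagged


def demo():
    """Constructed scratch tree: one normal file, one file stomped to 2016-01-15."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "app.js")
    stomped = os.path.join(root, ".cache", "znd")  # hypothetical drop path
    os.makedirs(os.path.dirname(stomped))
    for path in (clean, stomped):
        with open(path, "w") as fh:
            fh.write("x")
    forged = datetime(2016, 1, 15, 12, 0, tzinfo=timezone.utc).timestamp()
    os.utime(stomped, (forged, forged))  # forge atime/mtime as the malware does
    return [os.path.relpath(p, root) for p in find_timestomped(root)]


if __name__ == "__main__":
    print("timestomped in demo tree:", demo())
    if os.path.isdir("/proc"):
        for row in scan_procs():
            print("name/exe mismatch:", row)
```

Expect benign mismatches from interpreters launched through version-suffixed symlinks (comm "python3", exe python3.11); treat the list as triage input, and corroborate with the ctime, which utime() cannot forge and which will be far newer than the 2016 mtime on a stomped file.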
