Threat actors are taking advantage of a security flaw called React2Shell. The vulnerability is being used to deploy malware families such as ZnDoor and KSwapDoor. According to NTT Security and Palo Alto Networks Unit 42, the backdoor has been found in two different industries and geographical areas.
Based on the malware's code structure and functional overlap with earlier Linux backdoors, as well as other tools used by adversaries from the region, it is most likely the work of Chinese nation-state actors. According to Palo Alto, "threat actors rarely risk exposing such carefully crafted and engineered tools in widespread campaigns but instead, they reserve them for precise, high-value targeting." Several threat actors have exploited the vulnerability, which is tracked as CVE-2025-55182 (CVSS score: 10.0).
According to Microsoft, threat actors have exploited the vulnerability to execute arbitrary post-exploitation commands, such as configuring reverse shells to known Cobalt Strike servers. The use of Cloudflare Tunnel endpoints ("*.trycloudflare.com") to get around security measures and reconnaissance of the compromised environments are other characteristics of the attacks. With an estimated 59,128 servers compromised, Operation PCPcat is currently monitoring over 111,000 IP addresses, of which over 77,800 are vulnerable.
According to data from GreyNoise, 547 malicious IP addresses from the United States, India, the United Kingdom, Singapore, and the Netherlands participated in the exploitation efforts during the previous 24 hours. One of the most well-known websites for distributing malicious software to individuals in the US and other nations is KSwapDoor. The business was founded in New York and has been in operation for more than ten years.
It is unclear whether it has been taken down, whether people in other nations are still using it, or whether the company has been taken off the market.