Date: 01/05/2026
Severity: Medium
Summary
Since December 2025, multiple incidents in Japan have been linked to exploitation of React2Shell (CVE-2025-55182), a remote code execution vulnerability affecting React and Next.js applications. While most of the observed attacks dropped cryptocurrency miners, investigators also identified a previously undocumented malware family named ZnDoor. Analysis suggests ZnDoor has been active since at least December 2023, well before React2Shell was disclosed, and may be tied to broader exploitation of network device vulnerabilities. This indicates that React2Shell is being abused not only for cryptomining but also as a new entry point for stealthier, longer-running malware deployments.
Indicators of Compromise (IOC) List
URLs/Domains | api.qtss.cc |
IP Addresses | 45.76.155.14, 104.168.9.49, 149.28.25.254, 45.32.126.137 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "api.qtss.cc" or siteurl like "api.qtss.cc" or url like "api.qtss.cc" |
Detection Query 2 : | dstipaddress IN ("149.28.25.254","45.76.155.14","104.168.9.49","45.32.126.137") or srcipaddress IN ("149.28.25.254","45.76.155.14","104.168.9.49","45.32.126.137") |
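The following is an added example, not part of the Gurucul advisory or the NTT research it summarizes. It replays the logic of the two detection queries above against constructed log records so the matching can be checked offline before the queries are deployed. Field names (domainname, siteurl, url, srcipaddress, dstipaddress) mirror the queries; the sample records are constructed for illustration. One deliberate difference is called out in the comments: the queries use a `like` operator (assumed here to behave as a substring match), whereas this example compares against the host component of the field so that a look-alike such as api.qtss.cc.example.org does not produce a hit.

```python
"""Offline replay of the two IOC detection queries against sample records.
Added example; assumes query fields are available as dictionary keys."""

from ipaddress import ip_address
from urllib.parse import urlsplit

# IOCs exactly as listed in the advisory's IOC section.
IOC_DOMAINS = {"api.qtss.cc"}
IOC_IPS = {
    "45.76.155.14",
    "104.168.9.49",
    "149.28.25.254",
    "45.32.126.137",
}


def host_of(value):
    """Return the lower-cased host of a URL-ish field; bare hostnames pass through."""
    if not value:
        return ""
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").lower()


def matches_domain_ioc(record):
    """Detection Query 1: domainname, siteurl or url names an IOC domain.

    The advisory's query uses `like` (assumed substring match). Here the host
    component is compared instead, so only an exact match or a subdomain of the
    IOC counts; 'api.qtss.cc.example.org' is rejected as a look-alike.
    """
    for field in ("domainname", "siteurl", "url"):
        host = host_of(record.get(field))
        for ioc in IOC_DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                return field, ioc
    return None


def matches_ip_ioc(record):
    """Detection Query 2: srcipaddress or dstipaddress is one of the IOC IPs."""
    for field in ("srcipaddress", "dstipaddress"):
        raw = record.get(field)
        if not raw:
            continue
        try:
            addr = str(ip_address(raw.strip()))   # normalise; skip malformed values
        except ValueError:
            continue
        if addr in IOC_IPS:
            return field, addr
    return None


def scan(records):
    """Return (index, query, field, ioc) for every record that matches a query."""
    hits = []
    for i, rec in enumerate(records):
        d = matches_domain_ioc(rec)
        if d:
            hits.append((i, "query1", d[0], d[1]))
        p = matches_ip_ioc(rec)
        if p:
            hits.append((i, "query2", p[0], p[1]))
    return hits


# Constructed sample records (hypothetical; not captured traffic).
SAMPLE_RECORDS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "45.32.126.137", "url": "http://45.32.126.137/x"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "93.184.216.34", "url": "https://api.qtss.cc/c2?id=1"},
    {"srcipaddress": "10.0.0.9", "dstipaddress": "93.184.216.34", "domainname": "api.qtss.cc.example.org"},
    {"srcipaddress": "149.28.25.254", "dstipaddress": "10.0.0.12", "siteurl": "example.org"},
    {"srcipaddress": "10.0.0.3", "dstipaddress": "10.0.0.4", "url": "https://example.org/"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("record %d matched %s on %s = %s" % hit)
```

Running the block reports three hits: record 0 (destination 45.32.126.137, the IOC that a three-address query would miss), record 1 (api.qtss.cc in the url field) and record 3 (source 149.28.25.254). Record 2 is intentionally not reported, which is the behaviour to confirm in the TDIR platform before relying on a bare `like` match.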
Reference:
https://jp.security.ntt/insights_resources/tech_blog/react2shell_malware_zndoor/