
KSwapDoor

KSwapDoor is a previously unseen, professionally engineered Linux backdoor/remote access tool (RAT) built for stealth. It was initially mistaken for BPFDoor because both rely on raw-socket sniffing, but it differs in that its main engine is a peer-to-peer router, which gives it multi-hop routing and complex lateral movement rather than a single-host listener. To evade detection it renames itself to [kswapd1], impersonating the kernel's swap daemon. Genuine kswapd instances are kernel threads, one per NUMA node (kswapd0 on a single-node host), so a kswapd1 on a host with one memory node, or any kswapd whose parent is not kthreadd (PID 2), is a process worth inspecting.

Capabilities described include: an internal mesh network among compromised servers for resilient C2; communications encrypted with AES-256-CFB under keys negotiated by Diffie-Hellman; an interactive shell with command execution; file operations; and lateral-movement scanning. It also has a "sleeper" mode intended to get past firewalls: the implant waits for a secret, otherwise invisible signal before it wakes. A firewall that permits no inbound listener is bypassed by reading packets directly off the wire, which is the raw-socket technique that caused the BPFDoor confusion in the first place.

KSwapDoor has been reported as a payload delivered through exploitation of the React2Shell vulnerability (CVE-2025-55182) in the campaign dubbed Operation PCPcat, which public reporting attributes to multiple threat actors, including China-nexus groups. Based on code structure and tool overlap, the source reporting assesses KSwapDoor as likely the work of Chinese nation-state actors. The content provides no host or network IOCs unique to KSwapDoor beyond its masquerading behaviour (the [kswapd1] name) and its encrypted, multi-hop mesh C2; hunting therefore has to start from those behaviours rather than from hashes or addresses.
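The raw-socket sniffing shared with BPFDoor and the "sleeper" wake-up described above both need an AF_PACKET socket, and Linux lists every such socket in /proc/net/packet. The hunting script below is an added example, not code from any of the cited reports: it joins that table with each process's file-descriptor table to name the processes holding packet sockets. The table contents, fd links and process names are constructed samples; on a Linux host it reads the real /proc instead.

```python
"""Find processes that hold AF_PACKET sockets, the primitive behind BPFDoor-style
raw-socket sniffing and a "sleeper" implant that waits for a wake-up packet.
Added example; the /proc/net/packet text, fd links and comm names are constructed."""
import os
import re

SOCK_RAW = 3          # Type column: 3 = SOCK_RAW, 2 = SOCK_DGRAM
ETH_P_ALL = 0x0003    # Proto column 0003 = every protocol, the usual sniffer binding

# Constructed /proc/net/packet contents; real sk addresses and inodes will differ.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c00000000 3      3    0003   2     1 0      0      24871
ffff9a1c00000001 3      2    0800   0     0 0      0      31002
"""

# Constructed readlink() targets of /proc/<pid>/fd/* and /proc/<pid>/comm values.
SAMPLE_FD_LINKS = {
    "4242": ["/dev/null", "/dev/null", "/dev/null", "socket:[24871]"],
    "812": ["/dev/null", "/dev/null", "/dev/null", "socket:[31002]"],
}
SAMPLE_COMM = {"4242": "[kswapd1]", "812": "dhclient"}


def parse_proc_net_packet(text):
    """Parse the /proc/net/packet table; one dict per packet socket."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "iface": int(f[4]), "inode": int(f[8])})
    return rows


def socket_inode_owners(fd_links):
    """Map socket inode -> pids whose fd table references it ("socket:[N]" links)."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", t)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def packet_socket_holders(packet_text, fd_links, comm):
    """Every process owning an AF_PACKET socket, flagged when the socket is
    raw and bound to all protocols (the shape of a packet sniffer)."""
    owners = socket_inode_owners(fd_links)
    hits = []
    for row in parse_proc_net_packet(packet_text):
        for pid in owners.get(row["inode"], []):
            hits.append({
                "pid": pid,
                "comm": comm.get(pid, "?"),
                "inode": row["inode"],
                "sniffer_shape": row["type"] == SOCK_RAW and row["proto"] == ETH_P_ALL,
            })
    return hits


def collect_live():
    """Read the real tables. Linux only; run as root so every fd link resolves."""
    with open("/proc/net/packet") as fh:
        text = fh.read()
    fd_links, comm = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = f"/proc/{pid}/fd"
            links = []
            for fd in os.listdir(fd_dir):
                try:
                    links.append(os.readlink(f"{fd_dir}/{fd}"))
                except OSError:        # fd closed while we looked
                    pass
            fd_links[pid] = links
            with open(f"/proc/{pid}/comm") as fh:
                comm[pid] = fh.read().strip()
        except OSError:                # process exited, or not ours to read
            continue
    return text, fd_links, comm


if __name__ == "__main__":
    args = (collect_live() if os.path.exists("/proc/net/packet")
            else (SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS, SAMPLE_COMM))
    for h in packet_socket_holders(*args):
        tag = "SNIFFER-SHAPED" if h["sniffer_shape"] else "packet socket"
        print(f"{tag}: pid {h['pid']} comm {h['comm']} inode {h['inode']}")
```

DHCP clients, tcpdump, lldpd and NetworkManager legitimately hold packet sockets, so the output is a lead to baseline, not a verdict; the process to chase is the one that is new, raw, bound to ETH_P_ALL, or named like a kernel thread (a real kswapd is a kernel thread and has no open file descriptors at all).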


EXPLOITED CVES

Vulnerabilities exploited

1 CVE correlated with this family across public research and vendor advisories.

CVE-2025-55182 (React2Shell), exploited in the wild

"...leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0)..." (via cloudatg insights, cloudatg.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic (technique ID, name, and number of evidence snippets).

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 2)

"The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests." / "Unit 42 has observed post-exploitation activity following the exploitation of CVE-2025-55182"

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 1)

"The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests... This results in RCE" (CVE-2025-55182).

Note: T1203 is defined for client applications such as browsers and document viewers. Server-side exploitation of CVE-2025-55182 is already covered by T1190 above, and the commands KSwapDoor runs afterwards (interactive shell, command execution) map more naturally to T1059 Command and Scripting Interpreter.

Persistence

1 technique
T1543 Create or Modify System Process (evidence: 1)

"It fully daemonizes by double-forking, creating a new session (setsid()), and redirecting all standard I/O to /dev/null."

Note: daemonizing is how the process detaches from its parent, not how it survives a reboot, so this quote supports persistence only weakly. The watchdog/restart logic mentioned in the Unit 42 summary keeps the implant alive while the host is up; a unit file, init script, cron entry or rc.local edit would be the artifact that actually justifies this mapping.

Privilege Escalation

1 technique
T1543 Create or Modify System Process (evidence: 1)

"It fully daemonizes by double-forking, creating a new session (setsid()), and redirecting all standard I/O to /dev/null."

T1543 appears under Privilege Escalation as well as Persistence because ATT&CK lists it under both tactics; the evidence is the same single quote, and nothing in it shows a privilege change.

Defense Evasion

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

"Almost all critical strings and configuration data are protected using RC4 encryption"

T1036 Masquerading (evidence: 1)

"renames itself to [kswapd1], mimicking a legitimate Linux kernel swap daemon". The second snippet attached to this technique, "Auto-color masquerades as a legitimate PAM library (pamssod)", refers to Auto-color, a different Linux backdoor, and is not evidence about KSwapDoor.

T1564 Hide Artifacts (evidence: 1)

"It fully daemonizes by double-forking... and redirecting all standard I/O to /dev/null."
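The [kswapd1] masquerade and the double-fork daemonisation quoted above leave a process that looks like a kernel thread in ps output but not in /proc. The script below is an added example, not code from Unit 42 or any other cited report: it checks the four properties a genuine kernel thread has (PF_KTHREAD flag, no executable image, empty argv, parent kthreadd), compares a kswapd index against the NUMA nodes the host actually has, and recognises the stdio fingerprint of a daemonised userland process. The process records, including the executable path, are constructed samples; on a Linux host it walks the real /proc.

```python
"""Flag userland processes wearing a kernel-thread name such as "[kswapd1]" and
recognise the double-fork daemon fingerprint (parent PID 1, stdio on /dev/null).
Added example, not code from any report; the process records are constructed."""
import os

PF_KTHREAD = 0x00200000   # include/linux/sched.h; field 9 (flags) of /proc/<pid>/stat
KTHREAD_PREFIXES = ("kswapd", "kworker", "ksoftirqd", "migration", "kcompactd", "rcu_")

# Constructed records in the shape collect_live() returns (the exe path is made up).
SAMPLE_PROCS = [
    # genuine swap daemon for NUMA node 0: kernel thread, parent kthreadd, no image, no argv
    {"pid": 95, "comm": "kswapd0", "ppid": 2, "flags": 0x00208040,
     "exe": None, "cmdline": b"", "fds": {}},
    # a userland implant that renamed itself and daemonised
    {"pid": 4242, "comm": "[kswapd1]", "ppid": 1, "flags": 0x00400100,
     "exe": "/tmp/constructed-sample/kswapd1", "cmdline": b"[kswapd1]\x00",
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    # an ordinary daemon: same stdio fingerprint, no borrowed name
    {"pid": 700, "comm": "sshd", "ppid": 1, "flags": 0x00400100,
     "exe": "/usr/sbin/sshd", "cmdline": b"/usr/sbin/sshd\x00-D\x00",
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
]


def is_real_kthread(p):
    """Kernel threads carry PF_KTHREAD, have no executable image, an empty argv
    and descend from kthreadd (PID 2); a renamed ELF fails all four tests."""
    return (bool(p["flags"] & PF_KTHREAD) and p["exe"] is None
            and p["cmdline"] == b"" and p["ppid"] in (0, 2))


def daemon_fingerprint(p):
    """Double fork + setsid() + redirected stdio: parent is init, fds 0-2 are /dev/null."""
    return p["ppid"] == 1 and all(p["fds"].get(i) == "/dev/null" for i in range(3))


def display_name(p):
    """Name as a hunter sees it, minus the brackets ps draws around kernel threads."""
    name = p["comm"] or p["cmdline"].split(b"\x00")[0].decode(errors="replace")
    return name.strip("[]")


def suspicious(procs, node_ids=frozenset({0})):
    """Findings for processes claiming a kernel-thread identity they cannot have."""
    findings = []
    for p in procs:
        name, reasons = display_name(p), []
        if name.startswith(KTHREAD_PREFIXES) and not is_real_kthread(p):
            reasons.append("kernel-thread name on a userland process")
        if name.startswith("kswapd") and name[6:].isdigit() and int(name[6:]) not in node_ids:
            reasons.append(f"host has no NUMA node {name[6:]}, so no kernel {name}")
        if reasons and daemon_fingerprint(p):
            reasons.append("reparented to PID 1 with stdio on /dev/null (double-fork daemon)")
        if reasons:
            findings.append({"pid": p["pid"], "name": name, "exe": p["exe"], "reasons": reasons})
    return findings


def numa_node_ids():
    """Online node ids from sysfs; the kernel creates one kswapd per node."""
    try:
        names = os.listdir("/sys/devices/system/node")
    except OSError:
        return {0}
    return {int(n[4:]) for n in names if n.startswith("node") and n[4:].isdigit()} or {0}


def collect_live():
    """Walk /proc (Linux). Run as root so /proc/<pid>/exe resolves for every owner."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as fh:
                stat = fh.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]   # comm may contain ')'
            rest = stat[stat.rindex(")") + 2:].split()          # state ppid pgrp session tty tpgid flags
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None                                       # ENOENT for kernel threads
            fds = {}
            for i in range(3):
                try:
                    fds[i] = os.readlink(f"/proc/{pid}/fd/{i}")
                except OSError:
                    pass
            procs.append({"pid": int(pid), "comm": comm, "ppid": int(rest[1]),
                          "flags": int(rest[6]), "exe": exe, "cmdline": cmdline, "fds": fds})
        except (OSError, ValueError, IndexError):
            continue
    return procs


if __name__ == "__main__":
    live = os.path.isfile("/proc/1/stat")
    for f in suspicious(collect_live() if live else SAMPLE_PROCS,
                        numa_node_ids() if live else {0}):
        print(f"pid {f['pid']} {f['name']!r} exe={f['exe']}: " + "; ".join(f["reasons"]))
```

The stdio-on-/dev/null check is only reported alongside another reason, because every well-behaved daemon (sshd in the sample) shows the same fingerprint; on its own it is noise, combined with a borrowed kernel-thread name it is the double fork the Unit 42 description quotes.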

Credential Access

1 technique
T1552.001 Credentials In Files (evidence: 1)

"It stores its configuration in an RC4-encrypted file within the user's home directory."

Note: the quote describes where the implant keeps its own configuration, not the collection of victim credentials, so this mapping is weak. The observable is still useful: an RC4-encrypted file in a home directory that a process named kswapd1 reads is an artifact worth collecting before containment.
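RC4 protects both the in-binary strings (T1027 above) and the on-disk configuration file (T1552.001 above). The helper below is an added example, not the implant's code: it implements RC4, scores candidate keys by how text-like the output is, and demonstrates why a fixed RC4 key is weak protection, since one known plaintext under that key recovers the keystream and decrypts every other blob the key protects without the key itself. The key, configuration text and second string are constructed; nothing here is KSwapDoor's real material.

```python
"""Recover RC4-protected configuration and strings given candidate keys, and
show the keystream-reuse weakness of a fixed RC4 key. Added example; key,
config text and blobs are constructed, not taken from the implant."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def printable_ratio(b: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not b:
        return 0.0
    ok = sum(1 for c in b if 0x20 <= c < 0x7F or c in (0x09, 0x0A, 0x0D))
    return ok / len(b)


def try_keys(blob: bytes, candidates, threshold=0.95):
    """(key, plaintext) for the first candidate whose output looks like text."""
    for key in candidates:
        pt = rc4(key, blob)
        if printable_ratio(pt) >= threshold:
            return key, pt
    return None, None


def keystream_from_known(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One known plaintext/ciphertext pair yields the keystream prefix: RC4's
    keystream depends only on the key, so every blob under that key reuses it."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def apply_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Decrypt another blob under the same key, up to the recovered length."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


# Constructed sample: made-up key, config and a second "protected string".
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_CONFIG = b"peers=192.0.2.10:443,192.0.2.11:8443\nsleep=300\nname=[kswapd1]\n"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_CONFIG)
SAMPLE_STRING = b"/bin/sh -c"
SAMPLE_STRING_BLOB = rc4(SAMPLE_KEY, SAMPLE_STRING)


if __name__ == "__main__":
    key, pt = try_keys(SAMPLE_BLOB, [b"wrong", b"also-wrong", SAMPLE_KEY])
    print("key:", key, "\nconfig:\n" + pt.decode())
    ks = keystream_from_known(SAMPLE_BLOB, SAMPLE_CONFIG)
    print("decrypted without the key:", apply_keystream(ks, SAMPLE_STRING_BLOB))
```

In practice the candidate keys come from the binary itself (the key has to be present for the implant to decrypt its own strings), and the keystream trick means that once the on-disk config is recovered, every in-binary string shorter than it falls out for free under the same key.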

Discovery

2 techniques
T1018 Remote System Discovery (evidence: 1)

"Full remote access... and lateral movement scanning" / "identify cloud environments or internal targets for lateral movement"

T1046 Network Service Discovery (evidence: 1)

"KSwapDoor... includes... lateral movement scanning" and earlier "identify cloud environments or internal targets for lateral movement"

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 1)

"downloaders to retrieve payloads from attacker command and control (C2) infrastructure" and multiple C2 endpoints. This evidence concerns the campaign's downloader stage rather than KSwapDoor itself; the implant's own C2 is described only as encrypted mesh traffic, and the source does not say which application-layer protocol, if any, it imitates.

T1090.003 Multi-hop Proxy (evidence: 1)

"KSwapDoor implements a sophisticated P2P mesh network allowing multi-hop routing between infected nodes"

T1095 Non-Application Layer Protocol (evidence: 1)

"KSwapDoor implements a sophisticated P2P mesh network allowing multi-hop routing... for C2 communications". The quote does not identify the transport; the raw-socket capability noted in the family description is the only hint that the mesh may run below the application layer.

T1573 Encrypted Channel (evidence: 1)

"Strong encryption: Uses AES-256-CFB with Diffie-Hellman key exchange" (KSwapDoor). The source does not say whether the Diffie-Hellman exchange is authenticated; either way an observer without the session keys cannot read the traffic, so detection has to rely on the peer-to-peer pattern (server-to-server sessions between hosts that have no business talking to each other) rather than on content.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news.

cloudatg insights (news), Feb 13, 2026: AI Development & Software Engineering | CloudATG

Linux remote access tool/backdoor delivered via exploitation of React2Shell; described as professionally engineered with stealth in mind.
The Hacker News (news), Dec 16, 2025: React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

A sophisticated Linux backdoor and remote access tool that creates a mesh network among compromised servers, uses encrypted communications, and features stealth mechanisms such as sleeper mode and process impersonation. It supports interactive shell, command execution, file operations, and lateral movement scanning.
Palo Alto Networks Unit 42 blog (news), Dec 12, 2025: Exploitation of Critical Vulnerability in React Server Components (Updated December 12)

Previously unseen Linux server backdoor that masquerades as the kernel swap daemon (renames to [kswapd1]), uses a P2P mesh network for multi-hop C2, encrypts C2 with AES-256-CFB + Diffie-Hellman, RC4-protects strings/config, stores RC4-encrypted config in the user home directory, daemonizes and redirects I/O to /dev/null, maintains resilience via watchdog/restart logic, and provides full remote access (interactive shell, command execution, file operations, lateral movement scanning).