When a single domain shows up repeatedly in security telemetry, it is rarely random. One of the clearest current examples is api[.]qtss[.]cc, a domain tied to active exploitation of React2Shell (CVE-2025-55182), the critical remote code execution vulnerability in React Server Components. Multiple threat research teams have documented api[.]qtss[.]cc as command and control infrastructure for a Go-based implant deployed after successful exploitation.

At ThreatSTOP, we treat domains like this as an early warning signal and as an opportunity to stop the threat where it is easiest to stop: before a connection is ever established. Our Protective DNS solutions and IP Defense are built to disconnect systems from hostile infrastructure, cutting off the command execution, follow-on payload delivery, and data theft paths that all depend on outbound connectivity.

Why api[.]qtss[.]cc matters right now

React2Shell is not a theoretical issue. It is a critical, unauthenticated remote code execution vulnerability in React Server Components, rated CVSS 10.0, and it has been widely targeted since public disclosure. 

Trend Micro reported a surge in exploitation attempts between December 5 and December 8, 2025, with multiple distinct campaigns emerging quickly after disclosure, including botnet activity and post-exploitation tool deployment.

Within that broader exploitation wave, api[.]qtss[.]cc stands out because it is tied to post-exploitation control. Trend Micro observed a suspicious Go-based backdoor that provides reverse shell capability, SOCKS5 proxying, and system reconnaissance, and explicitly noted that it used api[.]qtss[.]cc as its command and control server.

Huntress independently reported a Go-based implant they named ZinFoq, describing api[.]qtss[.]cc as the command and control host contacted over HTTPS, with distinct beacon, response, and file exfiltration endpoints.

React2Shell in plain language

React2Shell (CVE-2025-55182) affects React Server Components and the frameworks that bundle the affected React Server Components packages. The React team described it as an unauthenticated remote code execution vulnerability stemming from a flaw in how React decodes payloads sent to React Server Function endpoints, and noted that an application can still be affected if it supports React Server Components even when it does not explicitly implement server function endpoints.

Microsoft’s analysis explains the practical exploitation flow: an attacker sends a crafted POST request to a vulnerable web application, the payload is processed as a serialized object, and the server-side deserialization results in attacker-controlled code execution inside the Node.js process.

The takeaway is simple: if you expose vulnerable React Server Components functionality on an internet-facing service, assume it will be probed and, unless patched, exploited.

Where api[.]qtss[.]cc fits in the attack chain

Exploitation is only the beginning. Once a threat actor gains code execution, they typically move quickly to establish repeatable access and expand their reach.

Post exploitation tooling and control

Trend Micro observed multiple types of follow-on activity during the React2Shell exploitation wave, including deployment of common offensive tooling and malware families.

One of the most relevant observations for api[.]qtss[.]cc is the Go-based backdoor Trend Micro described. Its capabilities included:

  • Reverse shell functionality

  • SOCKS5 proxying for pivoting

  • System reconnaissance

  • HTTP POST-based command and control communications

  • Attempts to clear shell history to reduce visibility

Trend Micro also stated that the backdoor was hosted at 45.76.155[.]14 (the hosting IP has since changed) and used api[.]qtss[.]cc for command and control.

Our telemetry shows that the volume of traffic we are blocking to this infrastructure is only increasing. Our data for the past 7 days looks like this (forgive the data gap between 12-17 and 12-19).

[Chart: Past 7 days of blocked traffic]

Huntress’s ZinFoq analysis adds more context: the implant communicates with api[.]qtss[.]cc over HTTPS using HTTP POST, disguises itself with a Safari-like User-Agent, and includes dedicated mechanisms for check-in, command output, and file exfiltration.

What this means for defenders and risk owners

Domains like api[.]qtss[.]cc are not just indicators. They are operational dependencies. If a compromised host cannot reach its command and control destination, the threat actor loses interactive control, loses reliable tasking, and often loses the ability to exfiltrate data through their preferred channel.

That is why we block domains like this aggressively, and why protective controls at the DNS and IP layers provide immediate value even while patching and incident response are in progress.

Immediate actions to reduce exposure

You do not need perfect certainty to act. The combination of active exploitation and documented command and control infrastructure means action should be swift and layered.

1. Patch React and related frameworks immediately

The React team recommends upgrading to fixed versions and provides patch guidance for affected releases. 

For organizations using Next.js, the Vercel security advisory lists patched stable versions and advises upgrading immediately. 

2. Monitor for exploitation and suspicious outbound traffic

Look for shell commands spawned from Node.js processes and anomalous downloads following suspicious web requests. Microsoft observed attackers running arbitrary commands and delivering follow-on payloads after exploitation.

Also monitor for outbound connections to known hostile destinations such as api[.]qtss[.]cc, along with unusual HTTPS POST traffic from servers that should never initiate that kind of traffic. Huntress describes exactly this communication pattern for ZinFoq.
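As an added illustration of the monitoring described in this step (example code written for this post, not ThreatSTOP product code and not taken from the Trend Micro, Huntress or Microsoft reports), the Python below runs three hunts over constructed log lines: DNS lookups of, or HTTP contact with, the documented C2 domain; HTTPS POSTs carrying a Safari-like User-Agent from hosts that are application servers rather than workstations; and Node.js processes spawning a shell, with an extra check for shell history clearing. The log formats, host names, the inventory of server hosts and the User-Agent string are all invented for the example; only api.qtss.cc is a real indicator from the reporting.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Real indicator from the Trend Micro and Huntress reporting.
C2_DOMAINS = {"api.qtss.cc"}
# Assumption: inventory of application servers that should never browse the web.
SERVER_HOSTS = {"web-01", "web-02"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed log formats (not any vendor's real format):
#   DNS:   <ts> <host> query <qname> <qtype>
#   Proxy: <ts> <host> <method> <url> ua="<user-agent>" status=<code>
#   Exec:  <ts> <host> exec ppid_comm=<parent> comm=<child> args=<argv>
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)" status=(\d+)$')
EXEC_RE = re.compile(r"^(\S+) (\S+) exec ppid_comm=(\S+) comm=(\S+) args=(.*)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def is_c2_domain(name: str) -> bool:
    """True when name is a listed C2 domain or any subdomain of one."""
    n = (name or "").rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in C2_DOMAINS)


def hunt(lines):
    """Return a Finding for every log line that matches one of the hunts."""
    findings = []
    for line in lines:
        if m := DNS_RE.match(line):
            ts, host, qname, _qtype = m.groups()
            if is_c2_domain(qname):
                findings.append(Finding("dns_c2_lookup", host, f"{qname} at {ts}"))
        elif m := PROXY_RE.match(line):
            _ts, host, method, url, ua, _status = m.groups()
            if is_c2_domain(urlsplit(url).hostname):
                findings.append(Finding("http_c2_contact", host, f"{method} {url}"))
            elif host in SERVER_HOSTS and method == "POST" and "Safari" in ua:
                # Servers do not browse; a Safari-looking POST from one is worth a look.
                findings.append(Finding("server_browser_post", host, f"{url} ua={ua}"))
        elif m := EXEC_RE.match(line):
            _ts, host, parent, child, args = m.groups()
            if parent == "node" and child in SHELLS:
                findings.append(Finding("node_spawned_shell", host, f"{child} {args}"))
            if child in SHELLS and "history -c" in args:
                findings.append(Finding("history_clearing", host, args))
    return findings


# Constructed sample: web-01 shows the full chain, web-02 an odd POST, laptop-7 is benign.
SAMPLE_LOGS = [
    '2025-12-08T10:01:02Z web-01 query api.qtss.cc A',
    '2025-12-08T10:01:03Z web-01 POST https://api.qtss.cc/ ua="Mozilla/5.0 (Macintosh) Safari/605.1.15" status=200',
    '2025-12-08T10:01:05Z web-01 exec ppid_comm=node comm=sh args=-c id',
    '2025-12-08T10:01:09Z web-01 exec ppid_comm=sh comm=bash args=-c "history -c"',
    '2025-12-08T10:02:00Z web-02 POST https://cdn.example.net/u ua="Mozilla/5.0 (Macintosh) Safari/605.1.15" status=200',
    '2025-12-08T10:03:00Z laptop-7 query updates.example.com A',
    '2025-12-08T10:03:01Z laptop-7 POST https://updates.example.com/ping ua="Mozilla/5.0 Safari/605.1.15" status=204',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.rule:22} {f.host:10} {f.detail}")
```

The subdomain match in is_c2_domain matters: an implant that talks to a host under the C2 domain still trips the rule, while a lookalike such as notapi.qtss.cc does not. The server_browser_post rule is a heuristic, not an indicator; tune SERVER_HOSTS and the User-Agent test to your own fleet before alerting on it.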

3. Treat outbound DNS and IP connectivity as an enforcement point

Most post exploitation tooling requires outbound reachability. This is where Protective DNS and IP block lists deliver fast containment value:

  • Stop domain resolution so the connection never begins

  • Stop traffic to known hostile IPs even if an implant uses hard-coded addresses or cached resolution
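To make the two enforcement points concrete, here is an added example (written for this post, not ThreatSTOP product code; our products manage these lists for you) that turns the indicators above into a BIND-style Response Policy Zone, which answers NXDOMAIN for the domain, its subdomains, and any answer containing the listed IP, and into ipset restore input for an IP block list. The zone origin, set name and serial are assumptions; the IP is the former hosting address Trend Micro reported, which has since changed, so it illustrates the format rather than serving as a current blocklist.

```python
import ipaddress

# Indicators from the post. The IP was the backdoor's hosting address as reported
# by Trend Micro and has since changed; it is kept here only as an example entry.
C2_DOMAINS = ["api.qtss.cc"]
C2_IPS = ["45.76.155.14"]


def rpz_ip_trigger(ip_or_cidr: str) -> str:
    """Owner name for an RPZ response-IP trigger: <prefixlen>.<reversed octets>.rpz-ip

    A record with this owner fires when a DNS answer would contain an address in
    the block, so it also catches a rotated domain that resolves to a known bad IP.
    """
    net = ipaddress.ip_network(ip_or_cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 triggers only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def build_rpz_zone(domains, ips, origin="rpz.example", serial=2025120801) -> str:
    """Build a BIND-style Response Policy Zone. 'CNAME .' means answer NXDOMAIN."""
    lines = [
        f"$ORIGIN {origin}.",   # assumed zone name; configure it in the resolver's response-policy
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{origin}. ({serial} 3600 600 86400 60)",
        "@ IN NS localhost.",
    ]
    for d in sorted({x.strip(".").lower() for x in domains}):
        lines.append(f"{d} CNAME .")      # the name itself
        lines.append(f"*.{d} CNAME .")    # and every subdomain
    for ip in sorted(set(ips)):
        lines.append(f"{rpz_ip_trigger(ip)} CNAME .")
    return "\n".join(lines) + "\n"


def build_ipset_restore(ips, set_name="c2_block") -> str:
    """Emit 'ipset restore' input for the same IPs, for implants that skip DNS entirely."""
    lines = [f"create {set_name} hash:net -exist"]
    for ip in sorted(set(ips)):
        ipaddress.ip_network(ip, strict=False)  # validate before it reaches the firewall
        lines.append(f"add {set_name} {ip} -exist")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(C2_DOMAINS, C2_IPS))
    print(build_ipset_restore(C2_IPS))
```

Load the zone into a resolver with RPZ support and reference the set from a firewall drop rule on the server egress path. The DNS layer stops the first check-in before a session exists; the IP set covers an implant that carries a hard-coded address or reuses a cached answer, which is exactly the gap the second bullet above describes.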

How ThreatSTOP protections disrupt this threat

ThreatSTOP protections are written and maintained by the ThreatSTOP Security, Intelligence, and Research team. The team creates protection for command and control, invalid traffic, peer to peer communication, data exfiltration, phishing, SPAM, Distributed Denial of Service activity, and more.

Here is how our products apply directly to threats connected to api[.]qtss[.]cc and React2Shell exploitation.

The relevant protections are the "Active Malware - Domains" and "TS Originated - Core Threats - IPs" Targets, both of which are part of the Command and Control Bundle.

Protective DNS with DNS Defense Cloud and DNS Defense

Protective DNS blocks resolution of known malicious domains such as api[.]qtss[.]cc before a client can establish a session. This helps in multiple phases:

  • Preventing command and control check ins

  • Preventing payload retrieval from hostile infrastructure

  • Reducing opportunities for data exfiltration over web protocols

With DNS Defense Cloud, you get cloud delivered DNS protection using our DNS servers, ideal for distributed workforces and roaming endpoints. With DNS Defense, you keep DNS protection on your network using your own DNS servers while applying ThreatSTOP intelligence locally.

IP protection with IP Defense

Many modern implants are resilient. They may retry, rotate infrastructure, or fall back to direct IP connections. IP Defense extends proactive protection to routers, firewalls, IPS devices, cloud controls, and more by managing block lists where IP based enforcement matters most.

This is especially valuable for:

  • Catching hard-coded infrastructure such as known hosting IPs tied to malicious campaigns

  • Applying consistent policy across mixed environments such as on-prem networks and cloud workloads (including through our AWS WAF and AWS Network Firewall solutions)

Call to action

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a Demo today.

MITRE ATT&CK mapping matrix

Tactic | Technique | How it applies to this threat
Initial Access | T1190 Exploit Public-Facing Application | React2Shell enables unauthenticated remote code execution via crafted web requests to vulnerable React Server Components deployments.
Execution | T1059.004 Command and Scripting Interpreter: Unix Shell | Threat actors execute shell commands on compromised Linux systems after successful exploitation.
Execution | T1059.001 Command and Scripting Interpreter: PowerShell | Observed exploitation attempts include PowerShell-based execution to deliver follow-on payloads.
Command and Control | T1071.001 Application Layer Protocol: Web Protocols | ZinFoq and related tooling communicate with api[.]qtss[.]cc over HTTPS using HTTP POST requests.
Command and Control | T1090 Proxy | The Go-based implant includes SOCKS5 proxy capability to support network pivoting.
Command and Control | T1105 Ingress Tool Transfer | Post-exploitation activity commonly includes downloading scripts and binaries from attacker-controlled infrastructure.
Persistence | T1543.002 Create or Modify System Process: Systemd Service | Observed campaigns include persistence via systemd services on Linux.
Defense Evasion | T1070.003 Indicator Removal: Clear Command History | Multiple analyses report attempts to clear shell history to reduce forensic visibility.
Credential Access | T1552.005 Unsecured Credentials: Cloud Instance Metadata API | Threat activity associated with this exploitation wave includes querying cloud metadata endpoints to obtain temporary credentials.
Exfiltration | T1041 Exfiltration Over C2 Channel | Huntress documented dedicated exfiltration endpoints tied to the same command and control host, api[.]qtss[.]cc.

Connect with Customers, Disconnect from Risks