
North Korea-linked Actors Deploy New EtherRAT Malware via React2Shell Exploit

  • Dec 10, 2025

Key Findings


  • North Korea-linked threat actors are exploiting the critical React2Shell vulnerability (CVE-2025-55182) to deploy a previously unknown remote access trojan (RAT) dubbed EtherRAT

  • EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org

  • The activity exhibits significant overlap with a long-running campaign codenamed "Contagious Interview", which has been observed leveraging the EtherHiding technique to distribute malware since February 2025

  • Contagious Interview targets software developers, particularly those working in crypto and Web3, through social engineering tactics like fake job interviews and trojanized demo projects


Background


The Contagious Interview campaign, active since November 2023 and linked to North Korea, has been targeting software developers on Windows, Linux, and macOS. The attackers focus on developers working in crypto and Web3, posing as recruiters on platforms like LinkedIn to deliver malware via social engineering tactics.


The group's previous payloads have commonly included the BeaverTail and OtterCookie infostealers, as well as the InvisibleFerret remote access trojan (RAT).


React2Shell Exploitation and EtherRAT Deployment


  • Threat actors exploited CVE-2025-55182, a critical remote code execution vulnerability in React Server Components, just two days after its public disclosure

  • Sysdig discovered a new implant, dubbed EtherRAT, on a compromised Next.js application

  • EtherRAT operates in four stages, starting with a base64-encoded command that abuses React2Shell to download and run a shell script

  • The script fetches a legitimate Node.js build, drops an encrypted payload and obfuscated dropper, and launches them in the background

  • The dropper decrypts the payload, generates a bot ID, and starts the main EtherRAT implant


Sophisticated C2 Infrastructure


  • EtherRAT uses Ethereum smart contracts to locate its real C2 server, querying nine public Ethereum RPC endpoints in parallel and selecting the majority response

  • This consensus mechanism protects against single points of failure, as a compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node

  • EtherRAT queries the blockchain every five minutes, allowing operators to update the C2 infrastructure by modifying the smart contract


Persistent and Stealthy Access


  • EtherRAT establishes persistence through five different methods: a systemd user service, an XDG autostart entry, cron jobs, .bashrc injection, and profile injection

  • Every 500 milliseconds, the malware sends requests to the C2 disguised as web asset fetches, and interprets any JavaScript code it receives as commands to execute on the infected machine

  • The implant's self-update capability allows it to receive a new, differently obfuscated version from the C2, potentially bypassing static signature-based detection

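A defender-side check for the five persistence locations listed above, written for this summary as an added example (it is not code from Sysdig, from any of the sources, or from the malware): it walks a user's systemd user services, XDG autostart entries, .bashrc, .profile and crontab and flags any entry that launches a `node` binary from outside the usual package directories, which is where a runtime fetched into a home directory would show up. The file paths and the trusted-directory list are assumptions about a standard Linux layout, not indicators from the report.

```python
import re
import subprocess
from pathlib import Path

# The five Linux persistence mechanisms named in the write-up, mapped to the files they
# usually live in. The paths under $HOME are an assumption about a standard layout,
# not indicators from the report; cron is handled separately via `crontab -l`.
FILE_MECHANISMS = {
    "systemd-user": (".config/systemd/user", "*.service"),
    "xdg-autostart": (".config/autostart", "*.desktop"),
    "bashrc": ("", ".bashrc"),
    "profile": ("", ".profile"),
}
# Assumption: Node.js on this host is only installed from packages into these dirs, so
# a node binary anywhere else (e.g. a runtime fetched into $HOME) deserves a look.
TRUSTED_NODE_DIRS = {"/usr/bin", "/usr/local/bin", "/bin"}
# A `node` executable token with optional leading path; "nodejs"/"node_modules" don't match.
NODE_TOKEN = re.compile(r"(?<![\w./-])((?:[~$\w./-]*/)?node)(?=[\s\"';&|)]|$)")

def suspicious_node_invocation(line: str) -> bool:
    """True if the line runs a node binary by path from outside TRUSTED_NODE_DIRS.
    A bare `node` (resolved via PATH) is not flagged: a dropped runtime needs a path."""
    for match in NODE_TOKEN.finditer(line):
        token = match.group(1)
        if "/" in token and token.rsplit("/", 1)[0] not in TRUSTED_NODE_DIRS:
            return True
    return False

def scan_text(mechanism, source, text, findings):
    """Append (mechanism, source, line_no, line) for every suspicious non-comment line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if suspicious_node_invocation(line):
            findings.append((mechanism, source, line_no, line.strip()))

def audit_persistence(home, cron_text=None):
    """Check all five mechanisms for one user; cron_text overrides `crontab -l`."""
    home, findings = Path(home), []
    for mechanism, (subdir, pattern) in FILE_MECHANISMS.items():
        for path in sorted((home / subdir).glob(pattern)):
            scan_text(mechanism, str(path), path.read_text(errors="replace"), findings)
    if cron_text is None:
        try:
            result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
            cron_text = result.stdout if result.returncode == 0 else ""
        except OSError:  # no crontab binary on this host
            cron_text = ""
    scan_text("cron", "crontab -l", cron_text, findings)
    return findings
```

Calling `audit_persistence(Path.home())` returns one tuple per flagged line; an empty list means none of the five locations references a node binary outside the trusted directories.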

Conclusion


The discovery of EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft towards persistent, stealthy access designed for long-term operations. Whether this activity reflects North Korean actors pivoting to new exploitation vectors or another group borrowing their techniques, the new implant will be difficult for defenders to detect and mitigate.


Sources


  • https://thehackernews.com/2025/12/north-korea-linked-actors-exploit.html

  • https://securityaffairs.com/185538/apt/new-etherrat-backdoor-surfaces-in-react2shell-attacks-tied-to-north-korea.html

  • https://securityonline.info/etherrat-malware-hijacks-ethereum-blockchain-for-covert-c2-after-react2shell-exploit/

  • https://x.com/shah_sheikh/status/1998470266117357775

  • https://www.infosecurity-magazine.com/news/react2shell-exploit-campaigns/

  • https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/
