
North Korean Hackers Target React2Shell Flaw in EtherRAT Malware

Summary

– A new malware called EtherRAT exploits the critical React2Shell vulnerability (CVE-2025-55182) to compromise systems, using a multi-stage attack chain that downloads and executes malicious scripts.
– EtherRAT is a sophisticated implant that uses Ethereum smart contracts for resilient command-and-control communication and employs five separate Linux persistence mechanisms to maintain access.
– Researchers attribute the malware to North Korean actors, noting substantial overlaps with Lazarus Group’s “Contagious Interview” campaigns, particularly in its encrypted loader pattern.
– The malware features advanced capabilities like on-the-fly payload rewriting for self-updates to evade detection and an interactive Node.js shell for executing attacker commands.
– Following the public disclosure of React2Shell, numerous threat actors, including China-linked groups, began exploiting it, leading to breaches at over 30 organizations for credential theft and backdoor deployment.

A recently identified malware implant, known as EtherRAT, has been deployed by exploiting the critical React2Shell vulnerability. This sophisticated threat utilizes Ethereum smart contracts for command-and-control communication and establishes five distinct persistence mechanisms on compromised Linux systems. Security analysts at Sysdig have linked the tool to North Korean threat actors, noting significant overlaps with known Lazarus Group campaigns under the “Contagious Interview” banner. The malware was discovered on a breached Next.js application mere days after the public disclosure of the flaw, tracked as CVE-2025-55182.

The React2Shell vulnerability itself is a maximum-severity deserialization weakness within the React Server Components “Flight” protocol. It enables unauthenticated attackers to execute remote code through a specially crafted HTTP request. This flaw affects a vast number of cloud environments using React and Next.js frameworks. Exploitation began rapidly after disclosure, with initial attacks attributed to China-linked groups like Earth Lamia and Jackpot Panda. Following automated exploitation, breaches have been reported at over thirty organizations across various sectors, leading to credential theft, cryptomining operations, and the deployment of standard backdoors.

The attack chain for EtherRAT is multi-staged. It starts with exploiting React2Shell to run a base64-encoded command on the target. This command persistently attempts to download a malicious shell script, looping every five minutes until successful. Once fetched, the script is verified, made executable, and launched. Its primary function is to create a hidden directory and download a legitimate Node.js runtime directly from the official source. It then writes an encrypted payload and an obfuscated JavaScript dropper, which is executed using the newly installed Node binary before the script deletes itself.

This dropper reads the encrypted blob, decrypts it using a hardcoded AES-256-CBC key, and writes the result as another hidden JavaScript file. This final decrypted payload is the EtherRAT implant itself, executed via the previously installed Node.js environment. The malware’s use of blockchain-based C2 infrastructure is a hallmark of its advanced design. It queries nine public Ethereum RPC providers simultaneously and adopts the majority response, a tactic that prevents disruption from single-node poisoning or sinkholing.

Operational communication involves sending randomized, CDN-like URLs to the C2 every half-second. JavaScript instructions returned from the attackers are then executed using an AsyncFunction constructor, effectively providing a fully interactive Node.js shell. North Korean hackers have previously employed smart contracts for malware distribution in a technique dubbed EtherHiding. Furthermore, Sysdig researchers point out that the encrypted loader pattern in EtherRAT closely mirrors that used in the DPRK-linked BeaverTail malware from past Contagious Interview operations.
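One way to hunt for the half-second polling of randomised, CDN-like URLs described above, as an added example that is not part of the Sysdig report or the original article: the script below groups constructed proxy-log lines by source and destination, measures the request cadence, and flags pairs whose median gap sits near 0.5 s while almost every path is unique. The log format, hostnames and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample proxy log (epoch_ts src dst_host method path); not real traffic.
SAMPLE_LOG = """\
1700000000.00 10.0.0.5 cdn-a.example POST /assets/7f3a9c.js
1700000000.50 10.0.0.5 cdn-a.example POST /static/b21e.css
1700000001.01 10.0.0.5 cdn-a.example POST /img/9d0c.png
1700000001.50 10.0.0.5 cdn-a.example POST /assets/44aa.js
1700000002.00 10.0.0.5 cdn-a.example POST /cdn/1e2f.woff
1700000002.51 10.0.0.5 cdn-a.example POST /static/cc01.js
1700000000.10 10.0.0.7 www.example GET /index.html
1700000030.00 10.0.0.7 www.example GET /index.html
1700000060.00 10.0.0.7 www.example GET /index.html
"""

def parse(log: str) -> list:
    """Turn whitespace-separated log lines into (ts, src, dst, method, path) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, method, path = line.split()
        rows.append((float(ts), src, dst, method, path))
    return rows

def find_beacons(rows, period=0.5, tolerance=0.1, min_requests=5, min_unique_ratio=0.8):
    """Flag (src, dst) pairs whose request cadence clusters around `period` seconds
    and whose paths are almost all distinct (randomised, CDN-looking URLs).
    Thresholds are assumptions; tune them against your own baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst, _method, path in rows:
        by_pair[(src, dst)].append((ts, path))
    flagged = []
    for pair, reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue  # too few requests to judge cadence
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        unique_ratio = len({p for _, p in reqs}) / len(reqs)
        if abs(median(gaps) - period) <= tolerance and unique_ratio >= min_unique_ratio:
            flagged.append(pair)
    return flagged

if __name__ == "__main__":
    print(find_beacons(parse(SAMPLE_LOG)))
```

The slow, repeated fetch of the same page from 10.0.0.7 is deliberately left unflagged so the two heuristics (cadence and path diversity) can be seen working together.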

Persistence on Linux systems is exceptionally aggressive. EtherRAT deploys five redundant layers to maintain access: cron jobs, bashrc injection, XDG autostart entries, systemd user services, and profile injection. This multi-faceted approach ensures the malware survives system reboots and routine maintenance. Another distinctive feature is a self-update capability. EtherRAT can send its own source code to a controlled API endpoint, receive functionally identical but differently obfuscated replacement code, overwrite itself, and spawn a new process with the updated payload. This mechanism likely aids in evading static detection and may facilitate analysis evasion or the introduction of mission-specific features.
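To check the five persistence locations listed above, here is an added audit helper that is not from the report or the article. It scans crontab output, `.bashrc`, `.profile`, XDG autostart entries and systemd user units for commands that run a Node binary or a `.js` file from a hidden directory, which is the pattern the staging chain described earlier would leave behind. The regex heuristic, the sample entries and the paths are assumptions; flagged lines need a manual look and false positives (for example a legitimate Node version manager under `~/.nvm`) are expected.

```python
import re
from pathlib import Path

# Per-user persistence locations named in the article, relative to $HOME.
PERSISTENCE_FILES = [".bashrc", ".profile"]
PERSISTENCE_DIRS = [".config/autostart", ".config/systemd/user"]

# Heuristic (assumption, not an IoC): a command referencing a hidden directory
# that then invokes `node` or a `.js` file deserves review.
SUSPICIOUS = re.compile(r"/\.[\w-]+/\S*(?:\bnode\b|\.js\b)")

def scan_text(source: str, text: str) -> list:
    """Return (source, line_no, line) for every non-comment line matching the heuristic."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if SUSPICIOUS.search(stripped):
            hits.append((source, line_no, stripped))
    return hits

def audit_home(home: Path, crontab_text: str = "") -> list:
    """Scan the persistence locations under `home`; pass `crontab -l` output separately."""
    hits = scan_text("crontab", crontab_text)
    for name in PERSISTENCE_FILES:
        path = home / name
        if path.is_file():
            hits += scan_text(str(path), path.read_text(errors="replace"))
    for d in PERSISTENCE_DIRS:
        for path in (home / d).glob("*"):
            if path.is_file():
                hits += scan_text(str(path), path.read_text(errors="replace"))
    return hits

def demo() -> list:
    """Run the scanner over constructed sample entries (not real IoCs) for all five locations."""
    samples = {
        "crontab": "*/5 * * * * /home/u/.cache/.n/node /home/u/.cache/.n/.a.js\n",
        ".bashrc": "alias ll='ls -la'\nnohup /home/u/.cache/.n/node /home/u/.cache/.n/.a.js &\n",
        ".profile": "export PATH=$HOME/.local/bin:$PATH\n",
        ".config/autostart/x.desktop": "[Desktop Entry]\nExec=/home/u/.cache/.n/node /home/u/.cache/.n/.a.js\n",
        ".config/systemd/user/x.service": "[Service]\nExecStart=/home/u/.cache/.n/node /home/u/.cache/.n/.a.js\n",
    }
    hits = []
    for source, text in samples.items():
        hits += scan_text(source, text)
    return hits

if __name__ == "__main__":
    for hit in audit_home(Path.home()) or demo():
        print(hit)
```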

Given the active exploitation of React2Shell by multiple threat actors, system administrators are urged to promptly upgrade to a patched version of React or Next.js. Sysdig’s report includes a set of indicators of compromise related to EtherRAT’s staging infrastructure and Ethereum contracts. Recommended defensive actions include checking for the listed persistence methods, monitoring network traffic to Ethereum RPC providers, thoroughly reviewing application logs, and rotating all potentially exposed credentials.

(Source: Bleeping Computer)
