North Korean Hackers Exploit React2Shell Vulnerability in the Wild to Deploy EtherRAT

A novel, highly sophisticated malware strain is targeting vulnerable React Server Components, signaling a significant evolution in how state-sponsored threat actors exploit the critical React2Shell vulnerability disclosed just days earlier.

On December 5, 2025, just two days after the disclosure of the maximum-severity vulnerability CVE-2025-55182 (dubbed “React2Shell”), the Sysdig Threat Research Team (TRT) discovered a sophisticated new implant called EtherRAT being deployed into compromised Next.js applications.

Unlike earlier opportunistic attacks that installed simple cryptocurrency miners, EtherRAT is a persistent espionage tool linking back to North Korean (DPRK) state-sponsored actors, leveraging Ethereum smart contracts for resilient command-and-control (C2) infrastructure.

Exploitation of React2Shell (CVE-2025-55182)

The entry point for this campaign is CVE-2025-55182, an unsafe deserialization flaw in React Server Components (RSCs) that permits unauthenticated remote code execution via a single HTTP request.

The vulnerability affects React 19.x and Next.js versions 15.x/16.x using the App Router. Following its disclosure on December 3, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) quickly added it to the Known Exploited Vulnerabilities (KEV) catalog as active exploitation surged.

While China-nexus groups like “Earth Lamia” have been observed deploying Cobalt Strike beacons, the EtherRAT campaign marks a distinct shift in tradecraft. Instead of immediate destruction or noisy mining, these actors focus on long-term stealth and persistence.

Vulnerability: CVE-2025-55182 (React2Shell)
Type: Unsafe Deserialization / Remote Code Execution
Severity: Critical (Maximum Severity)
Affected Software: React 19.x, Next.js 15.x/16.x (App Router)
Disclosure Date: December 3, 2025
Active Exploits: Cobalt Strike (China-nexus), EtherRAT (DPRK-nexus), XMRig

EtherRAT: Blockchain-Based Stealth

EtherRAT distinguishes itself through a unique “consensus” C2 mechanism. Rather than connecting to a hardcoded server IP that can be blocked, the malware queries a specific Ethereum smart contract to retrieve its command server URL.

To prevent tampering or poisoning, EtherRAT queries nine distinct public Remote Procedure Call (RPC) endpoints, including Cloudflare, Flashbots, and PublicNode, and only accepts the C2 URL returned by the majority.

This “EtherHiding” technique renders traditional IP-based blocking ineffective. To defenders, the traffic appears as legitimate HTTPS requests to well-known blockchain gateways.

Furthermore, the malware disguises its C2 polling traffic as requests for static assets (like .png or .css files), blending seamlessly with normal web application traffic.

In a move designed to bypass supply chain scanners, EtherRAT does not bundle its own runtime. Instead, the dropper downloads a legitimate, signed copy of the Node.js runtime directly from the official nodejs.org distribution.

This ensures the malware has a stable execution environment without introducing suspicious binaries that might trigger antivirus alerts.

Analysis by Sysdig TRT reveals significant code overlaps between EtherRAT and the “Contagious Interview” campaign, a long-running operation attributed to DPRK-affiliated groups (Lazarus/UNC5342).

  • Shared Encryption: Both campaigns use a nearly identical AES-256-CBC-encrypted loader to protect their payloads.
  • Infrastructure: The use of blockchain-based C2 aligns with the recent DPRK adoption of “EtherHiding” techniques.
  • Targeting: While “Contagious Interview” historically targeted developers via fake job offers, this shift to exploiting server-side vulnerabilities represents an aggressive expansion of their initial access vectors.

However, EtherRAT is more sophisticated than typical “Contagious Interview” payloads, featuring five redundant persistence mechanisms (Systemd, XDG, Cron, Bashrc, and Profile injection) compared to the usual one or two.

Mitigation and Indicators of Compromise

Organizations running Next.js or React Server Components must patch immediately to version 19.2.1 or later. Defenders should hunt for the following indicators, particularly outbound traffic to public Ethereum RPC nodes from web servers, which is highly anomalous in most environments.

Indicator type: value / pattern
Staging Server: 193.24.123[.]68:3001 (malicious shell script source)
Smart Contract: 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4
Network Traffic: Rapid POST requests to multiple Ethereum RPCs (e.g., eth.llamarpc[.]com, rpc.flashbots[.]net)
File Artifacts: Hidden directories in $HOME/.local/share/ with random hex names (e.g., .05bf0e9b)
Process: Node.js processes spawning from hidden directories like .local/share/ rather than /usr/bin/
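As an added hunting example (not code from Sysdig or from the article), the following Python applies the indicators above to constructed sample telemetry: Node.js executing from a hidden eight-hex-character directory under .local/share, and outbound connections to public Ethereum RPC gateways, with a separate hit when several gateways are contacted together, which is the consensus-polling pattern described earlier. The key=value log format, the two-host RPC list, and the sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Public Ethereum RPC gateways named in the article; extend with any others your
# proxy logs show (assumption: this set is illustrative, not exhaustive).
ETH_RPC_HOSTS = {"eth.llamarpc.com", "rpc.flashbots.net"}

# A hidden directory directly under .local/share whose name is 8 hex characters,
# matching the ".05bf0e9b" pattern in the indicator table.
HIDDEN_HEX_DIR = re.compile(r"/\.local/share/\.[0-9a-f]{8}(?:/|$)")

# Constructed sample telemetry in a simple key=value format (not real captures).
SAMPLE_TELEMETRY = """\
type=proc comm=node exe=/usr/bin/node cwd=/srv/app
type=proc comm=node exe=/home/www/.local/share/.05bf0e9b/node/bin/node cwd=/srv/app
type=net comm=node dst_host=registry.npmjs.org dst_port=443
type=net comm=node dst_host=eth.llamarpc.com dst_port=443
type=net comm=node dst_host=rpc.flashbots.net dst_port=443
type=proc comm=bash exe=/usr/bin/bash cwd=/home/www
"""

def parse_event(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def node_from_hidden_dir(ev: Dict[str, str]) -> bool:
    """Node.js running out of a hidden ~/.local/share/.<hex> tree instead of a system path."""
    return (ev.get("type") == "proc" and ev.get("comm") == "node"
            and HIDDEN_HEX_DIR.search(ev.get("exe", "")) is not None)

def talks_to_eth_rpc(ev: Dict[str, str]) -> bool:
    """Outbound connection from the web host to a public Ethereum RPC gateway."""
    return ev.get("type") == "net" and ev.get("dst_host", "").lower() in ETH_RPC_HOSTS

def hunt(telemetry: str) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every event matching a rule."""
    findings: List[Tuple[str, str]] = []
    for line in telemetry.splitlines():
        ev = parse_event(line)
        if node_from_hidden_dir(ev):
            findings.append(("node_from_hidden_dir", line))
        if talks_to_eth_rpc(ev):
            findings.append(("eth_rpc_egress", line))
    # Two or more distinct gateways contacted in one window is the majority-vote
    # polling the article describes, so report it as its own finding.
    rpc_hosts = {parse_event(l)["dst_host"] for r, l in findings if r == "eth_rpc_egress"}
    if len(rpc_hosts) >= 2:
        findings.append(("multi_rpc_consensus_polling", ",".join(sorted(rpc_hosts))))
    return findings
```

Feed it real process and connection events in the same key=value shape (or adapt parse_event to your EDR's export) and alert on any finding from a host that serves Next.js.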

The combination of zero-day exploitation and immutable blockchain infrastructure makes EtherRAT a formidable threat. Security teams are advised to focus on runtime detection of the persistence mechanisms and unusual RPC traffic patterns rather than relying solely on static file signatures.
