Security
Headlines
North Korean Hackers Deploy EtherRAT Malware in React2Shell Exploits

Sysdig discovered North Korea-linked EtherRAT, a stealthy new backdoor using Ethereum smart contracts for C2 after exploiting the critical React2Shell vulnerability (CVE-2025-55182).

HackRead
#vulnerability #web #linux #nodejs #js #java #backdoor #rce #auth

A team of cybersecurity researchers at Sysdig, a firm specialising in protecting cloud and container-based apps, has found a new malware called EtherRAT being deployed through exploitation of the severe CVE-2025-55182 React2Shell vulnerability.

The discovery was made on December 5, 2025, just two days after the vulnerability was publicly revealed.

**A Maximum Severity Vulnerability**

This flaw was first disclosed on December 3, 2025, by researcher Lachlan Davidson and affects React Server Components (RSCs), including frameworks like Next.js. It is a maximum-severity issue that allows an unauthenticated attacker to perform Remote Code Execution (RCE) on a server via an unsafe deserialization flaw. CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalogue on December 5, 2025, confirming it was actively being used in attacks.

**From Basic Theft to Advanced EtherRAT**

The latest research from Sysdig TRT reveals that the danger of the React2Shell vulnerability is rapidly expanding. While early exploitation was dominated by payloads from opportunistic cryptominers and sophisticated China-nexus groups deploying credential harvesters and backdoors, Sysdig’s investigation revealed that EtherRAT represents an escalation in this activity.

EtherRAT is a persistent access implant that combines methods from at least three known campaigns into a single, previously unreported attack chain. The malware itself is unique because it uses Ethereum smart contracts for command-and-control (C2) resolution, installs five separate Linux persistence mechanisms to ensure it remains active, and downloads its own Node.js runtime directly from nodejs.org. According to researchers, this specific blend of features has never been seen before in an exploit of the React2Shell vulnerability.

**EtherRAT’s Command Centre and Attribution**

The most prominent feature of EtherRAT is its command-and-control (C2) mechanism. Instead of relying on a fixed server address that could be blocked, it resolves its C2 address from Ethereum smart contracts (code stored on a decentralised ledger). This design is resilient because the program queries nine different public endpoints for the Ethereum network and uses the address that the majority of them agree on. This consensus mechanism protects the C2 channel against a single authority shutting it down.

To guarantee a permanent backdoor, the program is designed for long-term stealth, establishing five different ways to ensure it restarts on a system. TRT also believes that the software is linked to North Korean hacking groups because of a “significant overlap with North Korea-linked ‘Contagious Interview’ (DPRK) tooling.”

Specifically, the way EtherRAT encrypts its files closely matches the BeaverTail malware, a known North Korean tool. The researchers provided a comparison image showing that the file encryption method closely matches the North Korean-linked campaign tooling.

Image credit: Sysdig

Sysdig TRT concluded in the blog post shared with Hackread.com that the advanced design of EtherRAT “represents a significant evolution in React2Shell exploitation.”

Casey Ellis, Founder at Bugcrowd, weighed in on the significance of the EtherRAT discovery, sharing their comments with Hackread.com, stating, “From an attacker’s perspective, react2shell is the kind of vulnerability that affords massive opportunity for crime, but that also has a relatively narrow window for exploitation… All of this rolls out to some very speedy and coordinated campaigns, just like the one being described here.”

Mike McGuire, Senior Security Solutions Manager at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, also commented on the issue, explaining, “The EtherRAT findings show once again that the gap between public disclosure and nation-state exploitation is basically zero. What stands out is the move away from quick hits like cryptomining toward persistent, stealthy access meant for long-term operations.”

“React2Shell is especially concerning because it hits the JavaScript ecosystem at the framework level, which gives attackers a broad reach. By combining a new RCE with things like blockchain-based command and control and a bundled Node.js runtime, the attackers make it much harder for defenders to spot or block them using traditional signals. In simple terms, it lets them blend in and stay hidden for longer,” McGuire added.

“The broader takeaway is that attackers will continue to pivot quickly to weaknesses deep in the web application stack. Organisations need to assume these vulnerabilities will be targeted immediately and make sure their patching processes, SBOM-driven visibility, and monitoring can keep up,” he advised.

Related news

ThreatsDay Bulletin: Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories

This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open. The new Threatsday Bulletin

React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors

React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based

North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and

⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More

It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing. New flaws are being found, published, and exploited in hours instead of weeks. AI-powered tools meant to help developers

Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an

Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability

Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According

GHSA-fv66-9v8q-g76r: React Server Components are Vulnerable to RCE

### Impact

There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

### Patches

A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler pl...
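A defender-side check that turns the version information in this advisory excerpt (and the fixed releases named in the article above) into something a practitioner can run: the following Python script is an added example, not part of the advisory, of React, or of HackRead's reporting. It scans an npm package-lock.json (the v2/v3 "packages" map) for the three react-server-dom packages and classifies each entry against the versions the excerpt names. The lockfile content is a constructed sample; only the package names and version numbers from the excerpt are treated as known, and any version outside those lists is reported as "not-listed" rather than guessed at, since the excerpt is truncated.

```python
"""Classify react-server-dom-* lockfile entries against the versions that
GHSA-fv66-9v8q-g76r (CVE-2025-55182, React2Shell) lists as affected or fixed."""
import json

# Package names and versions as given in the advisory excerpt.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
VULNERABLE_VERSIONS = {(19, 0, 0), (19, 1, 0), (19, 1, 1), (19, 2, 0)}
FIXED_VERSIONS = {(19, 0, 1), (19, 1, 2), (19, 2, 1)}


def parse_version(version):
    """Turn '19.1.2' or '19.0' into a (major, minor, patch) tuple.
    A pre-release/build suffix ('19.2.0-canary-xyz', '19.2.0+build') is cut off so
    the numeric core is what gets compared. Returns None if the core is not numeric."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:
        return None
    while len(parts) < 3:          # '19.0' in the advisory means 19.0.0
        parts.append(0)
    return tuple(parts[:3])


def classify(package, version):
    """Return 'vulnerable', 'fixed', 'not-listed' (a version the excerpt does not
    name, so check the full advisory) or 'not-rsc' (not one of the three packages)."""
    if package not in AFFECTED_PACKAGES:
        return "not-rsc"
    v = parse_version(version)
    if v in VULNERABLE_VERSIONS:
        return "vulnerable"
    if v in FIXED_VERSIONS:
        return "fixed"
    return "not-listed"


def scan_lockfile(lock_text):
    """Walk the 'packages' map of an npm lockfile (lockfileVersion 2 or 3) and
    return (path, name, version, classification) for every RSC package found,
    including copies nested under other packages (e.g. under node_modules/next)."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:               # the "" key is the root project itself
            continue
        # Aliased packages carry an explicit "name"; otherwise derive it from the path.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED_PACKAGES:
            version = meta.get("version", "")
            findings.append((path, name, version, classify(name, version)))
    return findings


# Constructed sample lockfile: not from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/react-server-dom-parcel": {"version": "19.1.2"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.0.0"},
    },
})


if __name__ == "__main__":
    for path, name, version, status in scan_lockfile(SAMPLE_LOCK):
        print(f"{status:12} {name}@{version}  ({path})")
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; a lockfileVersion 1 file keeps its tree under "dependencies" instead and is not walked by this script. Nested copies matter here because a framework can pin its own react-server-dom-* under its own node_modules, so a clean top-level entry does not by itself mean the tree is fixed.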

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in
