Headline
North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware
Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and
Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT.
“EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” Sysdig said in a report published Monday.
The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview, which has been observed leveraging the EtherHiding technique to distribute malware since February 2025.
Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typically begin with a ruse that lures victims via platforms like LinkedIn, Upwork, or Fiverr, where the threat actors pose as recruiters offering lucrative job opportunities.
According to software supply chain security company Socket, it’s one of the most prolific campaigns exploiting the npm ecosystem, highlighting their ability to adapt to JavaScript and cryptocurrency-centric workflows.
The attack chain commences with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant.
The shell script is retrieved using a curl command, with wget and python3 used as fallbacks. It is also designed to prepare the environment by downloading Node.js v20.10.0 from nodejs.org, following which it writes to disk an encrypted blob and an obfuscated JavaScript dropper. Once all these steps are complete, it proceeds to delete the shell script to minimize the forensic trail and runs the dropper.
The primary goal of the dropper is to decrypt the EtherRAT payload with a hard-coded key and spawn it using the downloaded Node.js binary. The malware is notable for using EtherHiding to fetch the C2 server URL from an Ethereum smart contract every five minutes, allowing the operators to update the URL easily, even if it’s taken down.
“What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints,” Sysdig said. “EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority.”
“This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node.”
It’s worth noting that a similar implementation was previously observed in two npm packages named colortoolsv2 and mimelib2 that were found to deliver downloader malware on developer systems.
Once EtherRAT establishes contact with the C2 server, it enters a polling loop that executes every 500 milliseconds, interpreting any response that’s longer than 10 characters as JavaScript code to be run on the infected machine. Persistence is accomplished by using five different methods -
- Systemd user service
- XDG autostart entry
- Cron jobs
- .bashrc injection
- Profile injection
By using multiple mechanisms, the threat actors can ensure the malware runs even after a system reboot and grants them continued access to the infected systems. Another sign that points to the malware’s sophistication is the self-update ability that overwrites itself with the new code received from the C2 server after sending its own source code to an API endpoint.
It then launches a new process with the updated payload. What’s notable here is that the C2 returns a functionally identical but differently obfuscated version, thereby possibly allowing it to bypass static signature-based detection.
In addition to the use of EtherHiding, the links to Contagious Interview stem from overlaps between the encrypted loader pattern used in EtherRAT and a known JavaScript information stealer and downloader named BeaverTail.
“EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations,” Sysdig said.
“Whether this represents North Korean actors pivoting to new exploitation vectors or sophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new implant that resists traditional detection and takedown methods.”
Contagious Interview Shifts from npm to VS Code
The disclosure comes as OpenSourceMalware revealed details of a new Contagious Interview variant that urges victims to clone a malicious repository on GitHub, GitLab, or Bitbucket as part of a programming assignment, and launch the project in Microsoft Visual Studio Code (VS Code).
This results in the execution of a VS Code tasks.json file due to it being configured with runOptions.runOn: ‘folderOpen,’ causing it to auto-run as soon as the project is opened. The file is engineered to download a loader script using curl or wget based on the operating system of the compromised host.
In the case of Linux, the next stage is a shell script that downloads and runs another shell script named “vscode-bootstrap.sh,” which then fetches two more files, “package.json” and “env-setup.js,” the latter of which serves as a launchpad for BeaverTail and InvisibleFerret.
OpenSourceMalware said it identified 13 different versions of this campaign spread across 27 different GitHub users and 11 different versions of BeaverTail. The earliest repository (“github[.]com/MentarisHub121/TokenPresaleApp”) dates back to April 22, 2025, and the most recent version (“github[.]com/eferos93/test4”) was created on December 1, 2025.
“DPRK threat actors have flocked to Vercel, and are now using it almost exclusively,” the OpenSourceMalware team said. “We don’t know why, but Contagious Interview has stopped using Fly.io, Platform.sh, Render and other hosting providers.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit. This week’s stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust — updates, extensions,
RondoDox hackers exploit the React2Shell flaw in Next.js to target 90,000+ devices, including routers, smart cameras, and small business websites.
This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what
The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. "KSwapDoor is a professionally engineered remote access tool designed with stealth in mind," Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a
A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as…
If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need to install right now to stop these active threats. ⚡ Threat of the Week Apple and
The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization
This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open. The new Threatsday Bulletin
React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based
Sysdig discovered North Korea-linked EtherRAT, a stealthy new backdoor using Ethereum smart contracts for C2 after exploiting the critical React2Shell vulnerability (CVE-2025-55182).
It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing. New flaws are being found, published, and exploited in hours instead of weeks. AI-powered tools meant to help developers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an
Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According
### Impact There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) * [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) ### Patches A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler pl...
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in