North Korean hackers deploy new EtherRAT malware in React2Shell attacks

A new malware implant dubbed EtherRAT has been observed in active attacks exploiting the recently disclosed React2Shell vulnerability (CVE-2025-55182), according to researchers at cloud security firm Sysdig.

The React2Shell flaw, a critical deserialization bug in the React Server Components Flight protocol, allows unauthenticated remote code execution via crafted HTTP requests.

The implant, recovered from a compromised Next.js application just two days after the flaw became public, comes with a sophisticated mix of features, including blockchain-based command-and-control, multi-layered persistence, and a full Node.js runtime for evasion.

Sysdig believes EtherRAT shares close technical and operational similarities with tools used in North Korea’s Contagious Interview campaigns, though the researchers note that several elements differ from previously known malware.

Exploitation began mere hours after disclosure, with early activity linked to China-based groups Earth Lamia and Jackpot Panda, followed by automated scanning and attacks. At least 30 organizations across multiple sectors have been compromised, with intrusions aimed at credential theft, cryptomining, and deployment of commodity backdoors.

EtherRAT is deployed via a multi-stage chain that begins with a base64-encoded shell command executed via React2Shell. The command repeatedly attempts to download a malicious shell script, which then installs a hidden Node.js v20.10.0 runtime, decrypts an embedded payload, and launches the final implant.

Once active, EtherRAT uses Ethereum smart contracts for communication with its operators. This technique, referred to as ‘EtherHiding,’ was previously observed in North Korean campaigns. The malware queries multiple public Ethereum RPC providers simultaneously to avoid takedown or node poisoning, then receives JavaScript instructions to execute in what functions as a fully interactive remote shell.

Sysdig notes that EtherRAT’s encrypted loader is similar to the BeaverTail malware attributed to DPRK-linked actors. The implant also includes a self-update feature that allows it to fetch newly obfuscated code from an API endpoint, overwrite itself, and relaunch.

Given that widespread exploitation is already underway, administrators are urged to upgrade to patched React and Next.js versions as soon as possible to mitigate ongoing attacks.

