New EtherRAT backdoor surfaces in React2Shell attacks tied to North Korea

Pierluigi Paganini December 10, 2025

NK-linked hackers are likely exploiting the React2Shell flaw to deploy a newly discovered remote access trojan, dubbed EtherRAT.

North Korea–linked threat actors are likely exploiting the new critical React2Shell flaw (CVE-2025-55182) to deploy a previously unknown remote access trojan called EtherRAT, Sysdig researchers warn.

The vulnerability, tracked as CVE-2025-55182, is a pre-authentication remote code execution issue in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw stems from the code deserializing data from HTTP requests to Server Function endpoints without proper safety checks.

The Contagious Interview campaign, active since November 2023 and linked to North Korea, targets software developers on Windows, Linux, and macOS. The attackers focus on developers working in crypto and Web3.

Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware. Their payloads commonly include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.

Threat actors exploited CVE-2025-55182 just two days after disclosure; Sysdig discovered a new implant, dubbed EtherRAT, on a compromised Next.js app. Unlike earlier React2Shell attacks, EtherRAT is a persistent RAT that combines techniques from multiple past campaigns. It uses Ethereum smart contracts for command and control, installs five Linux persistence methods, and fetches its own Node.js runtime. The activity overlaps with the North Korea-linked “Contagious Interview” campaign, suggesting either the involvement of that nation-state actor or tool-sharing among nation-state actors.

“EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org. This combination of capabilities has not been previously observed in React2Shell exploitation.” reads the report published by Sysdig. “The Sysdig TRT’s analysis reveals significant overlap with North Korea-linked “Contagious Interview” (DPRK) tooling, suggesting either Democratic People’s Republic of Korea (DPRK) actors have pivoted to exploiting React2Shell, or sophisticated tool-sharing is occurring between nation-state groups.”

The EtherRAT payload employed in the attacks spotted by Sysdig operates in four stages. It starts with a base64-encoded command that abuses React2Shell and repeatedly tries to download a script using curl, wget, or python3. Once the download succeeds, it runs the script and moves on to s.sh, which creates a hidden directory, fetches a legitimate Node.js build from nodejs.org, drops an encrypted payload and an obfuscated dropper, launches them in the background, and wipes itself to reduce evidence. The dropper decrypts the payload with AES-256-CBC, generates a bot ID, stores it in a state file, and starts the main implant. The implant establishes persistence and uses Ethereum smart contracts to locate its real C2, querying nine RPC endpoints and choosing the majority response for resilience.

“What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints. EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority” continues the report. “This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node. EtherRAT queries the blockchain every five minutes, allowing operators to update C2 infrastructure by modifying the smart contract – an update that propagates to all deployed bots automatically.”

Every 500 ms, it sends requests disguised as web asset fetches. When it receives JavaScript, EtherRAT executes it with full Node.js capabilities, giving operators complete control of the compromised host.
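The fixed 500 ms cadence disguised as asset fetches is something a defender can look for in proxy or web-server logs. The following detector is an added example written for this article, not code from Sysdig or from the report; the log format, hosts and paths are constructed, and the tolerance thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report): timestamp, source, destination, method, path.
# 10.0.0.5 fetches "assets" every ~500 ms; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2025-12-08T10:00:00.000Z 10.0.0.5 203.0.113.10 GET /static/app.js
2025-12-08T10:00:00.502Z 10.0.0.5 203.0.113.10 GET /static/chunk-1.js
2025-12-08T10:00:01.001Z 10.0.0.5 203.0.113.10 GET /static/vendor.css
2025-12-08T10:00:01.499Z 10.0.0.5 203.0.113.10 GET /static/app.js
2025-12-08T10:00:02.003Z 10.0.0.5 203.0.113.10 GET /static/chunk-2.js
2025-12-08T10:00:02.500Z 10.0.0.5 203.0.113.10 GET /static/app.js
2025-12-08T10:00:00.100Z 10.0.0.7 198.51.100.20 GET /index.html
2025-12-08T10:00:03.700Z 10.0.0.7 198.51.100.20 GET /static/app.js
2025-12-08T10:00:09.100Z 10.0.0.7 198.51.100.20 GET /static/app.css
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \S+ (\S+)$")
# Requests that look like static web assets, the disguise the report describes.
ASSET_RE = re.compile(r"\.(?:js|css|png|svg|woff2?)$")

def parse(log):
    """Group timestamps of asset-looking requests by (source, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, path = m.groups()
        if not ASSET_RE.search(path):
            continue
        flows[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return flows

def find_beacons(log, period_s=0.5, tolerance_s=0.05, min_requests=5):
    """Flag flows whose inter-request gaps cluster tightly around period_s.

    Returns (src, dst, mean_gap_seconds, request_count) for each suspicious flow.
    Browsers burst and then go idle; a beacon keeps a steady, low-jitter rhythm.
    """
    hits = []
    for (src, dst), times in parse(log).items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits.append((src, dst, round(mean(gaps), 3), len(times)))
    return hits
```

Real implants often add jitter, so widen `tolerance_s` or compare the gap distribution against a baseline for that host rather than relying on a single fixed period.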

EtherRAT blends techniques seen across several DPRK campaigns, especially Contagious Interview, including AES-256-CBC encrypted loaders, Node.js-based implants, and WebSocket shells. Its encrypted loader resembles BeaverTail, though EtherRAT downloads Node.js from the official site, an evolution that reduces detection risk. Key differences include the React2Shell delivery vector, blockchain-based C2, far more aggressive persistence, and the absence of credential theft. Some overlaps point toward DPRK groups like UNC5342, but significant differences leave attribution uncertain; technique-sharing among DPRK units is plausible.

“EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations. The combination of blockchain-based C2, aggressive multi-vector persistence, and a payload update mechanism demonstrates a level of sophistication not previously observed in React2Shell payloads.” concludes the report, which also includes Indicators of Compromise (IoCs).

“The overlap with DPRK “Contagious Interview” tooling raises important questions about attribution and tool-sharing between threat actors. Whether this represents North Korean actors pivoting to new exploitation vectors or sophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new implant that resists traditional detection and takedown methods.”
