Ethical Hacking News
A new backdoor code-named EtherRAT has been linked to North Korea and is believed to have been deployed through the React2Shell vulnerability in React Server Components. This RAT combines techniques from multiple past campaigns and uses Ethereum smart contracts for command and control, making it a significant threat to organizations running affected React deployments.
Researchers have identified a new backdoor code-named EtherRAT linked to North Korea. A vulnerability in React Server Components versions 19.0.0-19.2.0 has been exploited by attackers to deploy EtherRAT. EtherRAT is a persistent RAT that uses Ethereum smart contracts for command and control, installs five Linux persistence methods, and fetches its own Node.js runtime. Attackers are using social engineering tactics to deliver malware, including fake job interviews and trojanized demo projects. EtherRAT operates in four stages, including downloading a script, creating a hidden directory, and launching an encrypted payload. The dropper decrypts the payload with AES-256-CBC and uses consensus voting across nine public Ethereum RPC endpoints for C2 communication. Organizations and individuals must remain vigilant and take proactive steps to protect themselves against such sophisticated cyber threats.
In a recent development that has drawn wide attention in the cybersecurity community, researchers have identified a new backdoor code-named EtherRAT, which appears to be linked to North Korea. The discovery comes just days after the disclosure of CVE-2025-55182, a pre-authentication remote code execution issue in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
The vulnerability arises because the affected code deserializes data from HTTP requests to Server Function endpoints without proper safety checks. North Korea-linked threat actors have exploited this flaw to deploy a remote access trojan (RAT) that combines techniques from multiple past campaigns. Unlike earlier React2Shell attacks, EtherRAT is a persistent RAT that uses Ethereum smart contracts for command and control, installs five Linux persistence methods, and fetches its own Node.js runtime.
The attackers have been utilizing social engineering tactics to deliver malware to their targets, posing as recruiters on platforms like LinkedIn and using fake job interviews and trojanized demo projects to infect unsuspecting developers. The payloads commonly include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.
Sysdig researchers warn that North Korea-linked threat actors are likely exploiting the React2Shell flaw to deploy EtherRAT, a previously unknown remote access trojan. The new critical React2Shell flaw (CVE-2025-55182) is a pre-authentication remote code execution issue in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This vulnerability has been exploited by the attackers just two days after disclosure.
The EtherRAT infection chain spotted by Sysdig operates in four stages. It starts with a base64-encoded command that abuses React2Shell and repeatedly tries to download a script using curl, wget, or python3. Once the download succeeds, it runs the script and moves on to s.sh, which creates a hidden directory, fetches a legitimate Node.js build from nodejs.org, drops an encrypted payload and an obfuscated dropper, launches them in the background, and deletes itself to reduce the evidence left on disk.
The dropper decrypts the payload with AES-256-CBC, generates a bot ID, stores it in a state file, and starts the main implant. The implant establishes persistence and uses Ethereum smart contracts to locate its real C2 server, querying nine RPC endpoints and choosing the majority response for resilience.
“What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints. EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority,” continues the report. “This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node. EtherRAT queries the blockchain every five minutes, allowing operators to update C2 infrastructure by modifying the smart contract – an update that propagates to all deployed bots automatically.”
Every 500 ms, the implant polls its C2 server with requests disguised as web asset fetches. When it receives JavaScript in response, EtherRAT executes it with full Node.js capabilities, giving operators complete control of the compromised host.
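The two network behaviours described above (a fixed 500 ms beacon disguised as asset fetches, and a burst of parallel queries to many RPC endpoints every five minutes) are both visible in outbound proxy logs. The following detection sketch is an added example written for this article, not code from Sysdig's report; the log format, IP addresses and hostnames are constructed, and the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from statistics import median

# Constructed proxy log, one request per line: "<epoch_seconds> <src_ip> <dst_host> <path>".
# 10.0.0.5 beacons every 500 ms, then fans out to five RPC-style hosts; 10.0.0.9 is benign.
SAMPLE_LOG = """
1765360000.00 10.0.0.5 cdn.example.net /static/app.js
1765360000.50 10.0.0.5 cdn.example.net /static/app.js
1765360001.00 10.0.0.5 cdn.example.net /static/app.js
1765360001.50 10.0.0.5 cdn.example.net /static/app.js
1765360002.00 10.0.0.5 cdn.example.net /static/app.js
1765360002.50 10.0.0.5 cdn.example.net /static/app.js
1765360300.10 10.0.0.5 rpc-1.example /
1765360300.12 10.0.0.5 rpc-2.example /
1765360300.15 10.0.0.5 rpc-3.example /
1765360300.20 10.0.0.5 rpc-4.example /
1765360300.31 10.0.0.5 rpc-5.example /
1765360005.00 10.0.0.9 www.example.org /index.html
1765360040.70 10.0.0.9 images.example.org /logo.png
"""

def parse(log):
    """Return (timestamp, src, dst, path) tuples sorted by time."""
    rows = [line.split() for line in log.strip().splitlines()]
    return sorted((float(ts), src, dst, path) for ts, src, dst, path in rows)

def fixed_cadence_beacons(rows, period=0.5, tol=0.05, min_hits=6):
    """(src, dst) pairs whose median inter-request gap sits at `period` seconds."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)
    hits = []
    for pair, ts_list in times.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        # Length check first: median() of an empty gap list would raise.
        if len(ts_list) >= min_hits and abs(median(gaps) - period) <= tol:
            hits.append(pair)
    return hits

def endpoint_fanout(rows, window=2.0, min_hosts=5):
    """Sources that contact >= min_hosts distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in rows:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged
```

On real logs the fan-out rule should be combined with the destination list (public Ethereum JSON-RPC hosts) rather than distinct-host count alone, or it will also catch ordinary CDN-heavy page loads.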
The new discovery highlights the ongoing threat posed by North Korea-linked cyber actors and their sophisticated tool-sharing practices. The React2Shell vulnerability has been a target for attackers in recent months, and the inclusion of Ethereum smart contracts in the EtherRAT code suggests that these groups are becoming increasingly skilled at leveraging emerging technologies to evade detection.
As the threat landscape continues to evolve, it is essential for organizations and individuals to remain vigilant and take proactive steps to protect themselves against such sophisticated cyber threats. This includes ensuring that all software is up-to-date, implementing robust security measures, and staying informed about the latest vulnerabilities and threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-North-Korean-Linked-Backdoor-Sparks-Global-Concerns-Over-Cybersecurity-ehn.shtml
Published: Wed Dec 10 09:53:53 2025 by llama3.2 3B Q4_K_M