Ethical Hacking News
North Korea-linked actors have successfully exploited a recently disclosed critical security vulnerability in React Server Components (RSC) known as React2Shell, to deploy a new remote access trojan dubbed EtherRAT. The attackers are believed to be using the newly discovered flaw to gain unauthorized access to systems and maintain persistent access for long-term operations.
North Korea-linked actors successfully exploited a critical security vulnerability in React Server Components (RSC) to deploy a remote access trojan dubbed EtherRAT. The attackers had prior knowledge of the flaw and waited for its public disclosure before launching their attack. EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations. The attackers used consensus voting across nine public Ethereum RPC endpoints to update the C2 server URL every five minutes. The malware demonstrated self-update ability that overwrote itself with new code received from the C2 server after sending its own source code to an API endpoint. The attack chain started with the exploitation of CVE-2025-55182, a maximum-severity security vulnerability in RSC.
The vulnerability, which has been assigned a maximum CVSS score of 10.0, was recently disclosed by React2Shell's developers. However, North Korea-linked actors appeared to be aware of this vulnerability well in advance of its public disclosure, having exploited it as early as October of last year. This suggests that the attackers had prior knowledge of the flaw and were waiting for the official release of information before they launched their attack.
Sysdig, a cloud security firm, observed that North Korea-linked actors leveraged React2Shell to deliver a remote access trojan dubbed EtherRAT. According to Sysdig, "EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations."
The attackers used the React2Shell vulnerability to execute a Base64-encoded shell command that downloaded and ran a shell script responsible for deploying the main JavaScript implant. This script was retrieved using a curl command, with wget and python3 used as fallbacks. It also prepared the environment by downloading Node.js v20.10.0 from nodejs.org.
Once all these steps were complete, the script deleted itself to minimize the forensic trail and ran the dropper. The threat actors then launched a new process with the updated payload, using EtherHiding for command-and-control (C2) resolution. This allowed them to update their malware even if the C2 server was taken down.
Sysdig noted that "What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints." The malware used this mechanism to fetch the C2 server URL every five minutes, so the operators could change the URL at will. The majority vote also protected C2 resolution against a single compromised RPC endpoint, and kept researchers from poisoning it by operating a rogue RPC node.
The malware also demonstrated a self-update ability: after sending its own source code to an API endpoint, it overwrote itself with new code received from the C2 server. It then launched a new process with the updated payload, using EtherHiding to fetch the C2 server URL even if the previous C2 server had been taken down. This allowed the attackers to retain continuous access to infected systems.
In addition to EtherHiding, the malware used several persistence mechanisms: a systemd user service, an XDG autostart entry, cron jobs, .bashrc injection, and profile injection. These mechanisms ensured that the malware ran again after a system reboot, granting continued access to the infected systems.
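As an added defender-side illustration (not code from the article or from Sysdig), the Python script below audits the user-level persistence locations listed above for entries that launch a Node.js binary against a JavaScript file. The home directory, file names and crontab line it scans are constructed samples; on a real host the user crontab would be passed in from `crontab -l`.

```python
"""Defender-side audit of the user-level persistence spots named above.
Hypothetical example, not Sysdig's or the article's code; all paths and
sample entries are constructed."""
import re
import tempfile
from pathlib import Path

# A Node.js binary (any path) launching a .js file on the same line.
NODE_JS = re.compile(r"(?:^|[\s=/;&|])(?:node|nodejs)\s+[^\n]*\.js\b")
PROFILE_FILES = [".bashrc", ".profile", ".bash_profile"]  # profile injection targets

def scan_user_persistence(home, crontab_text=""):
    """Return (location, line) pairs that look like a Node.js implant launch.
    crontab_text is the user's crontab (e.g. `crontab -l` output) passed in
    as text, so the scan reads only files under `home`."""
    home = Path(home)
    targets = list((home / ".config/systemd/user").glob("*.service"))
    targets += list((home / ".config/autostart").glob("*.desktop"))
    targets += [home / name for name in PROFILE_FILES]
    sources = [(str(p.relative_to(home)), p.read_text(errors="replace"))
               for p in targets if p.is_file()]
    sources.append(("crontab", crontab_text))
    return [(loc, line.strip()) for loc, text in sources
            for line in text.splitlines() if NODE_JS.search(line)]

def build_demo_home(root):
    """Populate a constructed home dir mimicking the reported persistence."""
    root = Path(root)
    (root / ".config/systemd/user").mkdir(parents=True)
    (root / ".config/autostart").mkdir(parents=True)
    launch = f"{root}/.node/bin/node {root}/.cache/app.js"  # constructed paths
    (root / ".config/systemd/user/sync.service").write_text(
        f"[Service]\nExecStart={launch}\nRestart=always\n")
    (root / ".config/autostart/sync.desktop").write_text(
        f"[Desktop Entry]\nType=Application\nExec={launch}\n")
    (root / ".bashrc").write_text(
        f"export PATH=$PATH:/usr/local/bin\nnohup {launch} >/dev/null 2>&1 &\n")
    (root / ".profile").write_text("alias node=nodejs\n")  # benign: no .js
    return f"*/5 * * * * {launch}\n"  # constructed crontab text

def run_demo():
    """Build the sample home, scan it, and return the flagged entries."""
    with tempfile.TemporaryDirectory() as home:
        return scan_user_persistence(home, build_demo_home(home))

if __name__ == "__main__":
    for location, line in run_demo():
        print(f"{location}: {line}")
```

The benign `.profile` alias is left unflagged because no `.js` argument follows the binary, which is the distinction the check relies on.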
Researchers from OpenSourceMalware observed 13 different versions of this campaign spread across 27 different GitHub users and 11 different versions of BeaverTail, an unknown malware. This is just one example among many in which North Korea-linked actors have used fake job interviews, coding assignments, and video assessments to distribute malware.
One key point is that Contagious Interview has stopped using Fly.io, Platform.sh, Render, and other hosting providers exclusively. The North Korean threat actors have flocked to Vercel and are now using it almost exclusively.
The attack chain commences with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant. The attackers also use Node.js v20.10.0 from nodejs.org.
In conclusion, North Korea-linked actors have successfully exploited React2Shell to deploy the new EtherRAT malware. This sophisticated campaign leverages multiple mechanisms for persistent access, including consensus voting across Ethereum RPC endpoints and a self-update capability. The attackers seem to be using fake job interviews, coding assignments, and video assessments to distribute the malware among blockchain and Web3 developers.
The attack demonstrates how threat actors can adapt their techniques based on the latest security vulnerabilities available in open-source frameworks such as React. It also highlights the need for continuous monitoring of newly disclosed software vulnerabilities by organizations and individuals around the world.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Korea-linked-Actors-Exploit-React2Shell-to-Deploy-Sophisticated-New-Malware-A-Threat-Assessment-ehn.shtml
https://thehackernews.com/2025/12/north-korea-linked-actors-exploit.html
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-react2shell-flaw-in-etherrat-malware-attacks/
Published: Tue Dec 9 13:18:11 2025 by llama3.2 3B Q4_K_M