Ethical Hacking News
North Korean hackers have recently exploited a critical vulnerability in the React Server Components (RSC) "Flight" protocol, known as React2Shell, to launch a sophisticated campaign of malware attacks. The attackers used a new malware implant called EtherRAT, which leverages Ethereum smart contracts for communication with the attacker and has extremely aggressive persistence on Linux systems. At least 30 organizations across multiple sectors have been breached, including those in the US, China, and Europe. In light of this recent campaign, system administrators are advised to upgrade to a safe React/Next.js version as soon as possible to protect against potential attacks.
North Korean hackers have recently been identified as exploiting a critical vulnerability in the React Server Components (RSC) "Flight" protocol, known as React2Shell. This flaw, tracked under the identifier CVE-2025-55182, allows for unauthenticated remote code execution via a crafted HTTP request. The exploitation of this flaw has resulted in a significant number of attacks, with numerous actors taking advantage of it to breach various organizations.
The most recent campaign deployed a new malware implant called EtherRAT, which runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker. Researchers at cloud security company Sysdig have analyzed the campaign, and their findings indicate that it aligns with tooling North Korea has used in its Contagious Interview campaigns.
A notable feature of EtherRAT is its multi-stage attack chain. The intrusion begins by exploiting the React2Shell vulnerability to execute a base64-encoded shell command on the target system. That command attempts to download a malicious shell script, falling back between curl, wget, and python3, and retries every 300 seconds until it succeeds. Once fetched, the script is validated, made executable, and launched.
Script logic
The script creates a hidden directory under the user's $HOME/.local/share/ location, into which it downloads and extracts a legitimate Node.js v20.10.0 runtime directly from nodejs.org. It then writes an encrypted payload blob and an obfuscated JavaScript dropper, executes the dropper with the downloaded Node binary, and deletes itself.
The obfuscated JavaScript dropper (.kxnzl4mtez.js) reads the encrypted blob, decrypts it using a hardcoded AES-256-CBC key, and writes the result as another hidden JavaScript file. The decrypted payload is the EtherRAT implant, which is deployed using the Node.js binary that had been installed in the previous stage.
EtherRAT uses Ethereum smart contracts for C2 operations, which gives the operators flexibility and resistance to takedowns. It queries nine public Ethereum RPC providers in parallel and accepts the majority response, which defeats single-node poisoning or sinkholing. The malware beacons to the C2 every 500 ms using randomized CDN-like URLs and executes JavaScript returned by the operators through an AsyncFunction constructor, effectively giving them a fully interactive Node.js shell.
This technique is called EtherHiding, and it has been described before in reports from Google and GuardioLabs. Additionally, Sysdig researchers note that "the encrypted loader pattern used in EtherRAT closely matches the DPRK-affiliated BeaverTail malware used in the Contagious Interview campaigns."
EtherRAT persistence on Linux
Sysdig notes that EtherRAT's persistence on Linux is extremely aggressive: it installs five redundant layers, namely cron jobs, bashrc injection, XDG autostart, a systemd user service, and profile injection. Stacking these methods ensures the operators retain access to compromised hosts across reboots and routine maintenance.
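As an added defender-side example (not Sysdig's tooling and not code from the report), the following POSIX shell script hunts the five persistence locations listed above for entries that launch a node binary from a hidden directory under ~/.local/share, the staging layout described for EtherRAT. The regex, the file paths checked, and the fixture values are assumptions for illustration.

```shell
# Added hunt script for the five persistence layers described in the article.
# Not Sysdig's code. Flags entries that run "node" from a hidden directory
# under ~/.local/share; pattern, paths and fixture values are assumptions.

# A hidden directory under .local/share, followed somewhere by "node".
NODE_PATTERN='\.local/share/\.[A-Za-z0-9_.-]+/.*node'

# count_matches FILE: lines in FILE matching NODE_PATTERN; 0 if FILE is absent.
count_matches() {
  n=$(grep -cE "$NODE_PATTERN" "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# scan_persistence HOME_DIR [CRONTAB_DUMP]: checks bashrc/profile injection,
# XDG autostart, systemd user units and an optional `crontab -l` dump.
# Suspicious lines go to stderr; the total hit count is printed to stdout.
scan_persistence() {
  home=$1; hits=0
  for f in "$home/.bashrc" "$home/.profile" "$home/.bash_profile" \
           "$home"/.config/autostart/*.desktop \
           "$home"/.config/systemd/user/*.service "$2"; do
    [ -f "$f" ] || continue
    n=$(count_matches "$f")
    if [ "$n" -gt 0 ]; then
      grep -nHE "$NODE_PATTERN" "$f" >&2   # show the offending lines
    fi
    hits=$((hits + n))
  done
  echo "$hits"
}

# count_hidden_node HOME_DIR: files named "node" inside hidden dirs under
# ~/.local/share, where a user would not normally keep a runtime.
count_hidden_node() {
  find "$1/.local/share" -path '*/.local/share/.*' -type f -name node \
       2>/dev/null | wc -l | tr -d ' '
}

# make_fixture: builds a throwaway home dir with constructed entries in four of
# the five locations (profile left clean) plus a crontab dump; prints its path.
make_fixture() {
  d=$(mktemp -d); h=/home/u/.local/share/.xhidden   # constructed, not an IoC
  mkdir -p "$d/.config/autostart" "$d/.config/systemd/user" "$d/.local/share/.xhidden/bin"
  : > "$d/.local/share/.xhidden/bin/node"
  echo 'export PATH=$PATH:/usr/local/bin' > "$d/.profile"
  echo "nohup $h/bin/node $h/.p.js >/dev/null 2>&1 &" > "$d/.bashrc"
  printf '[Desktop Entry]\nExec=%s/bin/node %s/.p.js\n' "$h" "$h" > "$d/.config/autostart/x.desktop"
  printf '[Service]\nExecStart=%s/bin/node %s/.p.js\n' "$h" "$h" > "$d/.config/systemd/user/x.service"
  echo "*/5 * * * * $h/bin/node $h/.p.js" > "$d/crontab.txt"
  echo "$d"
}
```

On a real host, run `scan_persistence "$HOME" <(crontab -l)` or dump `crontab -l` to a file first, and treat any hit together with a non-zero `count_hidden_node` result as grounds for a full forensic review rather than cleanup in place.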
Another unusual feature of EtherRAT is its ability to self-update by sending its own source code to an API endpoint. The malware receives replacement code with the same capabilities but different obfuscation, overwrites itself with it, and spawns a new process running the updated payload. Sysdig hypothesizes that this mechanism helps the malware evade static detection and may also hinder analysis or introduce mission-specific functionality.
React2Shell exploitation has been widespread, with numerous actors using it to breach various organizations. At least 30 organizations across multiple sectors have been compromised through this vector to steal credentials, run cryptominers, and deploy commodity backdoors.
In light of this campaign, system administrators are recommended to upgrade to a safe React/Next.js version as soon as possible. Sysdig's report includes a short list of indicators of compromise (IoCs) tied to EtherRAT's staging infrastructure and Ethereum contracts, which defenders can use to monitor for malicious activity.
The surge in attacks using React2Shell also underlines the importance of applying security patches promptly and taking proactive measures against known vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Exploit-React2Shell-Flaw-in-Sophisticated-EtherRAT-Malware-Campaign-ehn.shtml
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-react2shell-flaw-in-etherrat-malware-attacks/
https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/
Published: Tue Dec 9 10:03:36 2025 by llama3.2 3B Q4_K_M