Discovered on December 5, 2025, by the Sysdig Threat Research Team (TRT), EtherRAT represents a significant escalation in post-exploitation activity associated with React Server Components (RSCs).
Unlike earlier React2Shell payloads focused on cryptocurrency mining or credential theft, this implant demonstrates a high level of operational maturity, persistence, and evasion strategies consistent with nation-state campaigns.
CVE-2025-55182 is an unsafe deserialization flaw in React 19.x and frameworks built upon it, including Next.js versions 15.x and 16.x.
The vulnerability allows unauthenticated remote code execution through a single HTTP request to RSC endpoints and was publicly disclosed on December 3, 2025.
Within hours, the exploit began spreading across hosting providers and cloud-based web services, triggering widespread attacks from various threat groups.
Among them, North Korean cyber operators appear to have weaponized this exploit path to deploy EtherRAT, moving beyond the short-term monetization goals observed in earlier attacks to establish long-term persistence within targets.
EtherRAT executes in four distinct stages, beginning with a base64-encoded shell command that continuously attempts to download a malicious script from 193.24.123.68:3001.
Once downloaded, the script retrieves a legitimate Node.js runtime from nodejs.org, extracts and decrypts an embedded payload using AES-256-CBC, and launches the final JavaScript-based implant.
This approach not only ensures compatibility across Linux systems but also avoids suspicion, as Node.js is fetched directly from a trusted source rather than bundled with malicious binaries.
The implant installs itself in hidden directories under the user’s home folder and establishes multiple persistence mechanisms, including systemd services, XDG autostart entries, cron tasks, and additions to .bashrc and .profile.
These redundant mechanisms guarantee survival across system reboots and manual cleanup attempts.
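A hunt for the persistence mechanisms listed above, added here as an example rather than Sysdig's tooling or real EtherRAT artifacts: it scans text pulled from the locations the report names and flags lines that launch a node binary from a hidden directory under a home folder. The sample file contents, paths and names are constructed.

```python
import re
from dataclasses import dataclass

# Traits taken from the write-up: a Node.js runtime launched from a hidden
# directory under the user's home folder, registered in several autostart spots.
HIDDEN_HOME_PATH = re.compile(r"(?:/home/[^/\s]+|\$HOME|~)/\.[^\s/]+/")
NODE_LAUNCH = re.compile(r"(?:^|[\s/=])node(?:js)?(?:\s|$)")

@dataclass
class Finding:
    location: str
    line: str

def scan_artifact(location: str, content: str) -> list[Finding]:
    """Flag non-comment lines that reference a hidden home dir AND invoke node."""
    findings = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if HIDDEN_HOME_PATH.search(stripped) and NODE_LAUNCH.search(stripped):
            findings.append(Finding(location, stripped))
    return findings

# Constructed samples (not real EtherRAT artifacts), one per mechanism the
# report lists: systemd user service, XDG autostart, cron, .bashrc, .profile.
SAMPLES = {
    "~/.config/systemd/user/example.service":
        "[Unit]\nDescription=example\n[Service]\n"
        "ExecStart=/home/alice/.cache/.x/node /home/alice/.cache/.x/app.js\n"
        "Restart=always\n[Install]\nWantedBy=default.target\n",
    "~/.config/autostart/example.desktop":
        "[Desktop Entry]\nType=Application\n"
        "Exec=/home/alice/.cache/.x/node /home/alice/.cache/.x/app.js\nName=example\n",
    "crontab":
        "# m h dom mon dow command\n"
        "*/5 * * * * $HOME/.cache/.x/node $HOME/.cache/.x/app.js >/dev/null 2>&1\n"
        "0 3 * * * /usr/bin/certbot renew\n",
    "~/.bashrc": "alias ll='ls -la'\n(~/.cache/.x/node ~/.cache/.x/app.js &) 2>/dev/null\n",
    "~/.profile": "export PATH=$HOME/bin:$PATH\n",
}

def hunt(samples=SAMPLES) -> list[Finding]:
    """Run the scan over every artifact and return all findings."""
    results = []
    for location, content in samples.items():
        results.extend(scan_artifact(location, content))
    return results
```

Legitimate per-user installs such as ~/.nvm also live in hidden directories and will match, so treat hits as leads to triage against the hidden-path and C2 indicators rather than as verdicts.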
EtherRAT’s most remarkable feature, however, lies in its use of the Ethereum blockchain for command-and-control (C2) operations.
Instead of relying on hardcoded IP addresses or domain names, the malware retrieves the active C2 URL from an on-chain smart contract at 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4.
It queries this contract every five minutes through nine public Ethereum RPC endpoints, uses a majority-voting consensus model to select the correct URL, and then securely contacts the C2 server.
This decentralized architecture ensures the implant remains resilient even if some RPC endpoints are blocked or sinkholed.
Because all communications occur over standard HTTPS requests that mimic ordinary content delivery network (CDN) traffic with randomized paths and file extensions, it is difficult for defenders to distinguish malicious C2 beacons from legitimate web traffic.
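A defender-side check for the C2 lookup traffic described above, added here and not drawn from Sysdig's tooling: it parses JSON-RPC request bodies from a log with an assumed "timestamp source destination verb body" layout, flags eth_call requests aimed at the contract address named in the report, and lists sources that spread eth_call across several RPC hosts, the fan-out pattern the nine-endpoint polling produces. Log lines and host names are constructed.

```python
import json
from collections import defaultdict

# Contract address named in the Sysdig report; compared case-insensitively below.
ETHERRAT_CONTRACT = "0x22f96d61cf118efabc7c5bf3384734fad2f6ead4"

def parse_rpc(body):
    """Return (method, lowercase 'to' address) for a JSON-RPC body, else (None, '')."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None, ""
    if not isinstance(req, dict):
        return None, ""
    params = req.get("params") or []
    call = params[0] if params and isinstance(params[0], dict) else {}
    return req.get("method"), str(call.get("to", "")).lower()

def analyse(lines, fanout_threshold=3):
    """Return (contract hits, sources issuing eth_call to >= threshold distinct hosts).
    Log layout 'ts src dst verb body' is an assumption for this example."""
    hits, rpc_hosts = [], defaultdict(set)
    for line in lines:
        ts, src, dst, _verb, body = line.split(" ", 4)
        method, to_addr = parse_rpc(body)
        if method != "eth_call":
            continue
        rpc_hosts[src].add(dst)
        if to_addr == ETHERRAT_CONTRACT:
            hits.append((ts, src, dst))
    fanout = {s: sorted(h) for s, h in rpc_hosts.items() if len(h) >= fanout_threshold}
    return hits, fanout

# Constructed sample log lines (not captured traffic); hosts are placeholders.
_CALL = '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"%s","data":"0x00"},"latest"]}'
SAMPLE_LOG = [
    "2025-12-05T10:00:00Z 10.0.0.5 rpc-a.example POST " + _CALL % ETHERRAT_CONTRACT.upper(),
    "2025-12-05T10:00:01Z 10.0.0.5 rpc-b.example POST " + _CALL % ETHERRAT_CONTRACT,
    "2025-12-05T10:00:02Z 10.0.0.5 rpc-c.example POST " + _CALL % ETHERRAT_CONTRACT,
    '2025-12-05T10:00:03Z 10.0.0.9 rpc-a.example POST {"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}',
    "2025-12-05T10:00:04Z 10.0.0.7 rpc-b.example POST " + _CALL % "0x0000000000000000000000000000000000000001",
]
```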
Once the C2 connection is active, EtherRAT polls for JavaScript commands every half-second and executes them in memory via an asynchronous function wrapper.
This design gives operators complete control over the infected system, including file access, environment inspection, and command execution within the Node.js runtime.
On first contact with its C2 infrastructure, EtherRAT transmits its source code to the endpoint /api/reobf/ and replaces itself with the response.
This self-modifying process likely serves as an anti-analysis feature or enables dynamic upgrades, making each deployment unique and thwarting static signature detection.
Sysdig’s analysis also identified significant technical overlap between EtherRAT and the Lazarus Group’s “Contagious Interview” campaign tools, particularly in the use of AES-encrypted loaders and Node.js-based implants.
However, EtherRAT introduces multiple evolutions: it replaces hardcoded infrastructure with blockchain C2, downloads dependencies from trusted domains to evade network filtering, and deploys a much more aggressive persistence framework.
These attributes suggest either direct involvement by DPRK threat groups or a shared toolkit used by advanced nation-state actors.
CISA has already added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog, urging organizations that rely on React Server Components or the Next.js framework to patch immediately to version 19.2.1 or newer.
Sysdig recommends hunting for unauthorized persistence indicators, monitoring outbound Ethereum RPC traffic, and deploying runtime behavioral detection rather than static signatures.
The emergence of EtherRAT underscores a critical security trend: state-backed actors are increasingly blending web framework exploits with decentralized infrastructure and runtime adaptability, signaling the next generation of resilient, persistent network intrusions.
The post KP Cyber Operators Actively Leveraging React2Shell for EtherRAT Deployment in Live Environments appeared first on Cyber Security News.