
North Korea-linked ‘EtherRAT’ backdoor used in React2Shell attacks


North Korea-linked threat actors are exploiting the React2Shell vulnerability to deploy a novel backdoor dubbed “EtherRAT,” Sysdig’s Threat Research Team reported Monday.

React2Shell, tracked as CVE-2025-55182, is a maximum-severity deserialization flaw in React Server Components (RSC) that allows unauthenticated remote code execution via a crafted HTTP request.

The flaw came under active exploitation soon after its Dec. 3 disclosure, both by financially motivated actors deploying cryptocurrency miners and by China-linked nation-state actors, including Earth Lamia and Jackpot Panda, as reported by AWS researchers.

Sysdig recovered EtherRAT from a Next.js application compromised through React2Shell exploitation, noting that this novel JavaScript implant and its attack chain differ from the patterns seen in other React2Shell attacks.

The attack is suspected to be linked to the North Korean threat actor Lazarus Group because of its similarities to BeaverTail, malware Lazarus Group used in its “Contagious Interview” npm campaigns.

EtherRAT establishes persistent backdoor access and uses several techniques to evade detection and resist removal, including resolving its command-and-control (C2) address through the Ethereum blockchain.

“EtherRAT looks like a clear escalation of the React2Shell wave, turning what started as smash-and-grab cryptomining and credential theft into a long-lived access platform that fits neatly with the adversary’s history of patient, monetization-focused operations,” Jason Soroko, senior fellow at Sectigo, told SC Media in an email.


How EtherRAT uses the 'EtherHiding' technique

The attack starts with a shell script executed through React2Shell exploitation, which downloads Node.js v20.10.0 and writes an encrypted payload and an obfuscated dropper to disk. The researchers note that Node.js is fetched from the legitimate nodejs.org website, which is less likely to raise suspicion than bundling the Node.js runtime with the malware payload, as Lazarus Group has done in the past.

The dropper decrypts the EtherRAT payload with AES-256-CBC using hardcoded key material and runs it with the downloaded Node.js binary. Rather than relying on a hardcoded C2 address, EtherRAT then retrieves its C2 server address from an Ethereum smart contract.

This “EtherHiding” technique, which Google researchers have observed in recent North Korean state-sponsored campaigns, plants malicious resources, including C2 addresses, in the data of smart contracts stored on the Ethereum blockchain. Because the blockchain is persistent and decentralized, the technique helps threat actors withstand infrastructure takedowns and IP blocks, and lets them change the C2 address whenever needed by sending a transaction that updates the value the contract stores.

“Traditional C2 communication protocols are resilient only until detected. Multiple botnet shutdowns and network seizures cement this fact. EtherRAT circumvents this entirely by embedding C2 instructions in Ethereum smart contracts,” noted Mayuresh Dani, security research manager at Qualys Threat Research Unit, in an email to SC Media.



EtherRAT’s EtherHiding implementation is notable for its consensus-based resolution: it polls nine different public Ethereum remote procedure call (RPC) endpoints and uses the C2 URL returned by the majority of them. This protects the attackers against any single RPC node being compromised or returning a manipulated value.
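To make the majority-vote resolution concrete, here is an added example in the style of an analyst's reproduction. It is not Sysdig's code and not code from the EtherRAT implant: the RPC transport is stubbed so it runs offline, and the contract address, function selector and endpoint names are placeholders because the article does not publish them. It shows what the resolver tolerates (one poisoned endpoint, one dead endpoint) and what it does not (a poisoned majority, or too few answers to form a majority).

```javascript
// Added example, not code from Sysdig or from the EtherRAT implant: an analyst's
// reproduction of the majority-vote C2 resolution described above, with the RPC
// transport stubbed so it runs offline. CONTRACT, SELECTOR and RPC_ENDPOINTS are
// placeholders; the article does not publish the real values.

const CONTRACT = "0x" + "00".repeat(20);            // placeholder contract address (assumed)
const SELECTOR = "0x20965255";                       // placeholder 4-byte function selector (assumed)
const RPC_ENDPOINTS = Array.from({ length: 9 }, (_, i) => `https://rpc-${i + 1}.example`); // constructed

// Solidity ABI encoding of a single `string` return value: 32-byte-aligned fields,
// [offset = 0x20][byte length][utf-8 bytes zero-padded to a multiple of 32].
function abiEncodeString(s) {
  const data = Buffer.from(s, "utf8");
  const head = Buffer.alloc(32); head.writeUInt32BE(32, 28);
  const len = Buffer.alloc(32); len.writeUInt32BE(data.length, 28);
  const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32);
  data.copy(padded);
  return "0x" + Buffer.concat([head, len, padded]).toString("hex");
}

function abiDecodeString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("return data too short for an ABI string");
  const offset = buf.readUInt32BE(28);               // low 4 bytes of the 32-byte offset word
  if (offset + 32 > buf.length) throw new Error("ABI string offset exceeds return data");
  const length = buf.readUInt32BE(offset + 28);
  if (offset + 32 + length > buf.length) throw new Error("ABI string length exceeds return data");
  return buf.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// The JSON-RPC request each endpoint receives: a read-only eth_call against the contract.
function ethCallRequest(id) {
  return { jsonrpc: "2.0", id, method: "eth_call", params: [{ to: CONTRACT, data: SELECTOR }, "latest"] };
}

// transport(url, request) returns the JSON-RPC response object or throws on network failure.
function resolveC2(endpoints, transport) {
  const votes = new Map();
  endpoints.forEach((url, i) => {
    let resp;
    try { resp = transport(url, ethCallRequest(i + 1)); } catch { return; }   // dead endpoint: no vote
    if (!resp || typeof resp.result !== "string") return;                     // JSON-RPC error: no vote
    let c2;
    try { c2 = abiDecodeString(resp.result); } catch { return; }              // malformed data: no vote
    votes.set(c2, (votes.get(c2) || 0) + 1);
  });
  let winner = null, count = 0;
  for (const [c2, n] of votes) if (n > count) { winner = c2; count = n; }
  // Assumption: a strict majority of all endpoints asked is required, not merely a plurality
  // of those that answered; the article does not specify which rule the implant applies.
  if (count * 2 <= endpoints.length) return null;
  return { c2: winner, votes: count, asked: endpoints.length };
}

// Stub transport: every endpoint returns TRUE_C2 unless overridden with another URL or "down".
const TRUE_C2 = "https://c2.example.invalid";        // constructed
function stubTransport(overrides = {}) {
  return (url, req) => {
    if (overrides[url] === "down") throw new Error(`${url}: connect timeout`);
    return { jsonrpc: "2.0", id: req.id, result: abiEncodeString(overrides[url] || TRUE_C2) };
  };
}

// One poisoned answer and one dead endpoint leave the majority intact.
const demo = resolveC2(RPC_ENDPOINTS, stubTransport({
  [RPC_ENDPOINTS[0]]: "https://sinkhole.example.invalid",
  [RPC_ENDPOINTS[1]]: "down",
}));
console.log(demo); // { c2: 'https://c2.example.invalid', votes: 7, asked: 9 }
```

The practical consequence for defenders is visible in the vote counting: sinkholing or blocking one or two of the nine endpoints does not change what the implant resolves, whereas blocking outbound access to all public RPC providers starves it of a majority and it resolves nothing.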

Another unusual aspect of EtherRAT is that it replaces its own source code on first contact with the C2 server, overwriting its original code with the response received from the server’s /api/reobf/ endpoint. The exact purpose of this step is unclear; Sysdig researchers said it may be a way to re-obfuscate the code, deliver an upgraded version of the payload or complicate analysis.

EtherRAT uses five Linux persistence methods to survive reboots: a systemd service file, an XDG autostart entry, a cron job that runs EtherRAT 30 seconds after a reboot, a .bashrc injection that runs EtherRAT whenever a user starts an interactive shell, and a .profile injection that runs it at login.
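An added example of auditing those five locations, written for this page rather than taken from Sysdig's report or the implant: it walks systemd unit files, XDG autostart entries, .bashrc, .profile and the user's crontab and flags lines that match heuristics chosen here (a `node` binary run from outside the distribution's package-managed prefixes, an unqualified `node` in a persistence entry, and an @reboot cron job that delays with sleep). The heuristics, the trusted-prefix list, and the HOME, FIXTURE and CRONTAB fixture are assumptions of the example, not published indicators.

```javascript
// Added example, not Sysdig's detection content and not EtherRAT code: audits the five
// Linux persistence locations listed above. The heuristics are assumptions of this
// example, not published IOCs. HOME, FIXTURE and CRONTAB are constructed fixtures.

const TRUSTED_NODE_PREFIXES = ["/usr/bin/", "/usr/local/bin/", "/bin/"];   // assumption

// An invocation of a binary named `node`, with or without a path, at a command-word boundary.
const NODE_INVOCATION = /(?:^|[\s;&|"'=(])((?:\/[^\s"']*\/)?node)(?=$|[\s;&|"')])/m;

function suspiciousCommand(cmd) {
  const m = NODE_INVOCATION.exec(cmd);
  if (m) {
    const bin = m[1];
    if (!bin.startsWith("/")) return `unqualified node invocation: ${cmd.trim()}`;
    if (!TRUSTED_NODE_PREFIXES.some((p) => bin.startsWith(p)))
      return `node binary outside package-managed paths: ${bin}`;
  }
  if (/^\s*@reboot\b.*\bsleep\s+\d+/.test(cmd)) return "delayed @reboot cron entry";
  return null;
}

// files: { absolutePath: content }; crontab: output of `crontab -l` for the user.
// Returns one finding per suspicious line with the file, the persistence kind and the reason.
function auditPersistence(home, files, crontab = "") {
  const findings = [];
  const skip = (l) => /^\s*(#|$)/.test(l);    // comments and blank lines
  const check = (path, kind, text, pick) =>
    text.split("\n").forEach((line, i) => {
      const cmd = pick(line);
      if (cmd === null) return;
      const reason = suspiciousCommand(cmd);
      if (reason) findings.push({ path, kind, line: i + 1, reason });
    });
  for (const [path, text] of Object.entries(files)) {
    const isUnit = path.endsWith(".service") &&
      (path.startsWith("/etc/systemd/system/") || path.startsWith(`${home}/.config/systemd/user/`));
    if (isUnit) check(path, "systemd-service", text, (l) => (l.startsWith("ExecStart=") ? l.slice(10) : null));
    else if (path.startsWith(`${home}/.config/autostart/`) && path.endsWith(".desktop"))
      check(path, "xdg-autostart", text, (l) => (l.startsWith("Exec=") ? l.slice(5) : null));
    else if (path === `${home}/.bashrc` || path === `${home}/.profile`)
      check(path, "shell-rc", text, (l) => (skip(l) ? null : l));
  }
  check("crontab", "cron", crontab, (l) => (skip(l) ? null : l));
  return findings;
}

// Collect the same files from a live system (pass `crontab -l` output separately).
function loadFromDisk(home) {
  const fs = require("fs"), path = require("path");
  const files = {};
  for (const dir of ["/etc/systemd/system", `${home}/.config/systemd/user`, `${home}/.config/autostart`]) {
    if (!fs.existsSync(dir)) continue;
    for (const name of fs.readdirSync(dir)) {
      const p = path.join(dir, name);
      if (fs.statSync(p).isFile()) files[p] = fs.readFileSync(p, "utf8");
    }
  }
  for (const p of [`${home}/.bashrc`, `${home}/.profile`]) if (fs.existsSync(p)) files[p] = fs.readFileSync(p, "utf8");
  return files;
}

// Constructed fixture: the four file-based injections plus a cron entry, and one
// legitimate unit running the distro's node that must not be flagged.
const HOME = "/home/alice";
const RAT = "/home/alice/.cache/.n/node /home/alice/.cache/.n/r.js";   // constructed paths
const FIXTURE = {
  [`${HOME}/.config/systemd/user/sysupdate.service`]: `[Unit]\nDescription=update\n[Service]\nExecStart=${RAT}\nRestart=always\n`,
  [`${HOME}/.config/autostart/sysupdate.desktop`]: `[Desktop Entry]\nType=Application\nExec=${RAT}\n`,
  [`${HOME}/.bashrc`]: `# ~/.bashrc\nalias ll='ls -l'\nnohup ${RAT} >/dev/null 2>&1 &\n`,
  [`${HOME}/.profile`]: `export PATH=$HOME/bin:$PATH\n${RAT} &\n`,
  [`${HOME}/.config/systemd/user/app.service`]: `[Service]\nExecStart=/usr/bin/node /home/alice/app/server.js\n`,
};
const CRONTAB = `# m h dom mon dow command\n0 3 * * * /usr/bin/backup\n@reboot sleep 30 && ${RAT}\n`;

console.log(auditPersistence(HOME, FIXTURE, CRONTAB)); // five findings, none for app.service
```

On a real host, call `auditPersistence(home, loadFromDisk(home), crontabOutput)` per user; the heuristics will also surface legitimate self-installed Node.js runtimes (nvm, volta), so treat hits as leads to review rather than verdicts.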

The backdoor polls the C2 server every 500 milliseconds using randomized URLs designed to resemble content delivery network (CDN) requests and blend in with normal web traffic. Whenever the malware receives a C2 response longer than 10 characters, it treats the response as JavaScript code and executes it immediately.

To mitigate EtherRAT attacks, Sysdig said organizations should immediately update React to version 19.2.1 or later and update Next.js to one of its patched releases. Defenders should also check for signs of EtherRAT’s persistence methods, such as unauthorized systemd services, autostart entries and cron jobs, and monitor for unusual outbound connections to public Ethereum RPC endpoints.
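The two network behaviours described above, the fan-out to nine public Ethereum RPC endpoints and the 500 ms polling of one host with never-repeating CDN-looking paths, both stand out in proxy or flow logs. The following is an added example of that detection logic, written for this page rather than taken from Sysdig; it runs over log lines constructed inline, and the log format, the `ETH_RPC_WATCHLIST` host names and every threshold are assumptions of the example that you would replace with your own proxy schema and the RPC providers you actually see.

```javascript
// Added example, not Sysdig's detection content: two checks over constructed proxy log
// lines for the network behaviour described above. The log format, the watchlist names
// and all thresholds are assumptions of this example.

const ETH_RPC_WATCHLIST = new Set(Array.from({ length: 9 }, (_, i) => `rpc-${i + 1}.example`)); // constructed

// Line format assumed here: "<ISO timestamp> src=<ip> method=<verb> host=<host> path=<path> status=<code>"
function parseLine(line) {
  const [ts, ...fields] = line.trim().split(/\s+/);
  const rec = { ts: Date.parse(ts) };
  for (const f of fields) { const i = f.indexOf("="); if (i > 0) rec[f.slice(0, i)] = f.slice(i + 1); }
  return rec;
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b), m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

function detect(lines, opts = {}) {
  const { rpcHosts = ETH_RPC_WATCHLIST, minRpcHosts = 3, minBeacons = 10, maxMedianGapMs = 1000 } = opts;
  const recs = lines.map(parseLine).filter((r) => !Number.isNaN(r.ts) && r.src && r.host);
  const alerts = [];

  // Rule 1: one source reaching several distinct public Ethereum RPC endpoints.
  const rpcBySrc = new Map();
  for (const r of recs) {
    if (!rpcHosts.has(r.host)) continue;
    if (!rpcBySrc.has(r.src)) rpcBySrc.set(r.src, new Set());
    rpcBySrc.get(r.src).add(r.host);
  }
  for (const [src, hosts] of rpcBySrc)
    if (hosts.size >= minRpcHosts) alerts.push({ rule: "eth-rpc-fanout", src, hosts: hosts.size });

  // Rule 2: regular sub-second requests to one host where no path is ever repeated.
  // Page loads are bursty and re-fetch the same assets, so both conditions are required.
  const byPair = new Map();
  for (const r of recs) {
    const key = `${r.src} ${r.host}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r);
  }
  for (const [key, rs] of byPair) {
    if (rs.length < Math.max(minBeacons, 2)) continue;
    rs.sort((a, b) => a.ts - b.ts);
    const gaps = rs.slice(1).map((r, i) => r.ts - rs[i].ts);
    const med = median(gaps);
    const jitter = Math.max(...gaps) - Math.min(...gaps);
    const distinctPaths = new Set(rs.map((r) => r.path)).size;
    if (med <= maxMedianGapMs && jitter <= med && distinctPaths === rs.length) {
      const [src, host] = key.split(" ");
      alerts.push({ rule: "subsecond-beacon", src, host, requests: rs.length, medianGapMs: med });
    }
  }
  return alerts;
}

// Constructed logs: host 10.0.0.5 shows both behaviours; host 10.0.0.7 makes one RPC call
// and then fetches the same asset repeatedly, so it should trip neither rule.
function constructedLogs() {
  const t0 = Date.parse("2025-12-09T10:00:00.000Z");
  const at = (ms) => new Date(t0 + ms).toISOString();
  const lines = [];
  for (let i = 1; i <= 9; i++) lines.push(`${at(i * 20)} src=10.0.0.5 method=POST host=rpc-${i}.example path=/ status=200`);
  for (let i = 0; i < 20; i++)
    lines.push(`${at(1000 + i * 500)} src=10.0.0.5 method=GET host=cdn-assets.example path=/static/${(0xa000 + i * 7919).toString(16)}.js status=200`);
  lines.push(`${at(5000)} src=10.0.0.7 method=POST host=rpc-1.example path=/ status=200`);
  for (let i = 0; i < 12; i++) lines.push(`${at(6000 + i * 100)} src=10.0.0.7 method=GET host=cdn-assets.example path=/static/app.js status=200`);
  return lines;
}

console.log(detect(constructedLogs())); // one eth-rpc-fanout and one subsecond-beacon alert, both for 10.0.0.5
```

Because the implant re-obfuscates itself after first contact, the network cadence and the RPC fan-out are steadier signals than file hashes; tune `minBeacons` and `maxMedianGapMs` against your own baseline before alerting on them.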

Lastly, Sysdig emphasized the importance of runtime threat detection, since EtherRAT’s code-replacement strategy may defeat signature-based detection.
