Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell security flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT.

“EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” Sysdig said in a report published Monday.

The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview, which has been observed leveraging the EtherHiding technique to distribute malware since February 2025.

Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typically begin with a ruse that lures victims via platforms like LinkedIn, Upwork, or Fiverr, where the threat actors pose as recruiters offering lucrative job opportunities.

According to software supply chain security company Socket, it’s one of the most prolific campaigns exploiting the npm ecosystem, highlighting the threat actors’ ability to adapt to JavaScript and cryptocurrency-centric workflows.


The attack chain commences with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant.

The shell script is retrieved using a curl command, with wget and python3 used as fallbacks. It is also designed to prepare the environment by downloading Node.js v20.10.0 from nodejs.org, following which it writes to disk an encrypted blob and an obfuscated JavaScript dropper. Once all these steps are complete, it proceeds to delete the shell script to minimize the forensic trail and runs the dropper.

The primary goal of the dropper is to decrypt the EtherRAT payload with a hard-coded key and spawn it using the downloaded Node.js binary. The malware is notable for using EtherHiding to fetch the C2 server URL from an Ethereum smart contract every five minutes, allowing the operators to update the URL easily, even if it’s taken down.

“What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints,” Sysdig said. “EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority.”

“This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node.”
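For defenders, the polling pattern described above (one process contacting many public Ethereum RPC endpoints at once, repeated every five minutes) is itself a hunting signal. The following is an added detection sketch, not code from Sysdig or from the malware; the log format, the `rpcN.example` hostnames, the process paths and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: placeholder RPC hostnames (use your own list); illustrative thresholds.
RPC_HOSTS = {f"rpc{i}.example" for i in range(1, 10)}
WINDOW = timedelta(seconds=10)     # "in parallel" shows up as a tight burst
MIN_HOSTS = 5                      # distinct RPC hosts in one burst
PERIOD = timedelta(minutes=5)      # polling interval stated in the report
TOLERANCE = timedelta(seconds=30)
MIN_BURSTS = 3                     # require repetition before alerting

def find_bursts(events):
    """events: sorted (ts, dest) pairs for one process; returns burst start times."""
    bursts, i = [], 0
    while i < len(events):
        start, j, seen = events[i][0], i, set()
        while j < len(events) and events[j][0] - start <= WINDOW:
            seen.add(events[j][1])
            j += 1
        if len(seen) >= MIN_HOSTS:
            bursts.append(start)
        i = j
    return bursts

def detect(lines):
    """lines: 'ts host pid exe dest' egress records; returns flagged (host, pid, exe)."""
    per_proc = defaultdict(list)
    for line in lines:
        ts, host, pid, exe, dest = line.split()
        if dest in RPC_HOSTS:
            per_proc[(host, pid, exe)].append((datetime.fromisoformat(ts), dest))
    alerts = []
    for key, events in per_proc.items():
        bursts = find_bursts(sorted(events))
        gaps = [b - a for a, b in zip(bursts, bursts[1:])]
        periodic = sum(abs(g - PERIOD) <= TOLERANCE for g in gaps)
        if len(bursts) >= MIN_BURSTS and periodic >= MIN_BURSTS - 1:
            alerts.append(key)
    return sorted(alerts)

def sample_log():
    """Constructed records: one periodic fan-out process, one single-provider client."""
    t0 = datetime(2025, 1, 1)
    fan = [(t0 + n * PERIOD + timedelta(milliseconds=40 * i),
            "web01 4242 /opt/constructed/node", f"rpc{i}.example")
           for n in range(3) for i in range(1, 10)]
    one = [(t0 + timedelta(seconds=45 * n), "dev02 777 /opt/constructed/wallet",
            "rpc1.example") for n in range(20)]
    return [f"{ts.isoformat()} {proc} {dest}" for ts, proc, dest in fan + one]
```

A legitimate client that talks to a single RPC provider, like the second process in the constructed log, never forms a burst and is not flagged.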

It’s worth noting that a similar implementation was previously observed in two npm packages named colortoolsv2 and…



Last Update: December 9, 2025