In an alarming escalation of the “React2Shell” crisis, security researchers have uncovered a sophisticated new malware strain that leverages the Ethereum blockchain to hide its tracks. Dubbed EtherRAT, this persistent implant was discovered by the Sysdig Threat Research Team (TRT) just 48 hours after the public disclosure of a catastrophic vulnerability in React Server Components.
On December 5, 2025, amidst a flurry of opportunistic attacks targeting CVE-2025-55182 (a critical remote code execution flaw), Sysdig researchers stumbled upon something far more dangerous than the usual cryptominers.
While most early attackers were smashing and grabbing, this new threat was digging in. “The Sysdig TRT recovered a novel implant from a compromised Next.js application… this payload, dubbed EtherRAT, represents something far more sophisticated,” the report states.
EtherRAT’s most striking feature is its command-and-control (C2) mechanism. Instead of connecting to a suspicious server that could be blocked by a firewall, it turns to the immutable ledger of the Ethereum blockchain.
Using a technique known as EtherHiding, the malware queries smart contracts to receive its orders. “EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution,” the report explains. By disguising its traffic as legitimate interactions with the blockchain, the malware becomes incredibly difficult to take down—you can’t simply unplug a decentralized network.
Perhaps most disturbing is the malware’s lineage. Sysdig’s analysis found striking similarities between EtherRAT and tools previously used by North Korean state-sponsored actors.
“The Sysdig TRT’s analysis reveals significant overlap with North Korea-linked ‘Contagious Interview’ (DPRK) tooling,” the researchers note. This suggests that the notorious Lazarus Group or its affiliates (tracked as UNC5342) have either rapidly pivoted to exploit the React vulnerability or are sharing their advanced arsenal with other nation-state groups.
EtherRAT is engineered for extreme persistence. It doesn’t just install itself; it entrenches itself. The malware “deploys five independent Linux persistence mechanisms,” ensuring that even if one foothold is discovered and removed, the others remain.
Additionally, in a move to evade detection signatures, it brings its own runtime environment. The malware “downloads its own Node.js runtime from nodejs.org,” blending its malicious execution with standard, trusted software processes.
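The two behaviours described above (blockchain-based C2 resolution and a self-fetched Node.js runtime) are both visible at the network egress boundary, so a defender can look for them in proxy logs. The script below is an added example, not code from the Sysdig report or from EtherRAT itself. It assumes a JSON-per-line egress proxy log with `ts`, `src`, `role`, `ua`, `method`, `url` and `body` fields (field names and the sample records are constructed), that an application server has no legitimate reason to issue Ethereum JSON-RPC read calls such as `eth_call` (the read-only contract call that EtherHiding-style loaders use to fetch instructions from a contract, which is general knowledge about the technique rather than a detail from this report), and that only build or CI hosts are expected to download Node.js tarballs from nodejs.org. The contract address and RPC hostname are placeholders.

```python
"""Egress-log triage for EtherRAT-style behaviour (added example, constructed data)."""
import json
import re
from typing import Optional

# Ethereum JSON-RPC methods that read contract state. eth_call is the one an
# EtherHiding-style C2 resolver needs; the others are related read paths.
# Assumption: an ordinary web-app host has no business calling any of them.
ETH_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode", "eth_getLogs"}

# Roles that legitimately talk to a chain or fetch Node.js runtimes (assumed tags).
ROLES_WITH_CHAIN_ACCESS = {"wallet-service"}
ROLES_ALLOWED_NODE_DOWNLOAD = {"ci-runner", "build"}

# Official Node.js Linux tarball URL shape on nodejs.org/dist.
NODE_TARBALL = re.compile(
    r"^https?://nodejs\.org/dist/v\d+\.\d+\.\d+/node-v\d+\.\d+\.\d+-linux-\w+\.tar\.(?:gz|xz)$"
)

# Constructed sample records: an app server fetching a Node runtime and then
# issuing eth_call against a placeholder contract, a CI host doing a normal
# Node download, and an unrelated API POST from the app server.
_ETH_CALL_BODY = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x0000000000000000000000000000000000000000", "data": "0x"}, "latest"],
})
SAMPLE_RECORDS = [
    {"ts": "2025-12-05T10:14:02Z", "src": "web-app-01", "role": "app", "ua": "curl/8.5.0",
     "method": "GET", "url": "https://nodejs.org/dist/v20.11.0/node-v20.11.0-linux-x64.tar.xz", "body": ""},
    {"ts": "2025-12-05T10:14:30Z", "src": "web-app-01", "role": "app", "ua": "node",
     "method": "POST", "url": "https://rpc.placeholder-eth-provider.invalid/", "body": _ETH_CALL_BODY},
    {"ts": "2025-12-05T10:15:00Z", "src": "ci-01", "role": "ci-runner", "ua": "curl/8.5.0",
     "method": "GET", "url": "https://nodejs.org/dist/v20.11.0/node-v20.11.0-linux-x64.tar.xz", "body": ""},
    {"ts": "2025-12-05T10:16:00Z", "src": "web-app-01", "role": "app", "ua": "node",
     "method": "POST", "url": "https://api.placeholder.invalid/orders", "body": json.dumps({"order": 42})},
]
SAMPLE_LOGS = [json.dumps(r) for r in SAMPLE_RECORDS]


def jsonrpc_method(body: str) -> Optional[str]:
    """Return the JSON-RPC method name if the body is a JSON-RPC 2.0 request, else None."""
    try:
        obj = json.loads(body)
    except (ValueError, TypeError):
        return None
    if isinstance(obj, dict) and obj.get("jsonrpc") == "2.0":
        return obj.get("method")
    return None


def classify(rec: dict) -> list:
    """Return finding labels for one log record (empty list if benign)."""
    findings = []
    if rec.get("method") == "POST":
        m = jsonrpc_method(rec.get("body", ""))
        if m in ETH_READ_METHODS and rec.get("role") not in ROLES_WITH_CHAIN_ACCESS:
            findings.append(f"ethereum-rpc:{m}")
    if (rec.get("method") == "GET" and NODE_TARBALL.match(rec.get("url", ""))
            and rec.get("role") not in ROLES_ALLOWED_NODE_DOWNLOAD):
        findings.append("nodejs-runtime-download")
    return findings


def triage(lines) -> list:
    """Parse log lines and return (ts, src, finding) tuples in log order."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole run
        for f in classify(rec):
            alerts.append((rec.get("ts"), rec.get("src"), f))
    return alerts


def correlate(alerts) -> set:
    """Hosts that show BOTH a runtime download and an Ethereum RPC read: strongest signal."""
    by_host = {}
    for _, src, finding in alerts:
        by_host.setdefault(src, set()).add(finding.split(":")[0])
    return {src for src, kinds in by_host.items()
            if {"nodejs-runtime-download", "ethereum-rpc"} <= kinds}


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for ts, src, finding in found:
        print(f"{ts} {src} {finding}")
    print("hosts with both behaviours:", sorted(correlate(found)))
```

Either finding alone is worth a look, but the correlation is the useful one: a host that first pulls a Node.js tarball outside any build pipeline and then starts issuing `eth_call` requests matches the pattern the report describes, and that pairing is what should drive an incident rather than a ticket. In a real deployment the role tags and allowlists would come from your asset inventory.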
The discovery marks a significant shift in the exploitation of the React2Shell vulnerability. What began as a free-for-all for low-level cybercriminals has rapidly evolved into a vector for advanced persistent threats (APTs).
As the report concludes, this development suggests that “Democratic People’s Republic of Korea (DPRK) actors have pivoted to exploiting React2Shell, or sophisticated tool-sharing is occurring between nation-state groups.”