A new, sophisticated malware campaign is sweeping across the internet, leveraging a recently disclosed vulnerability to install cryptocurrency-stealing software on unsuspecting servers. The AhnLab Security Intelligence Center (ASEC) has released a report detailing an automated attack wave that exploits the “React2Shell” vulnerability to deploy EtherRAT, a multi-stage threat designed to drain digital wallets.
The campaign is notable for its use of legitimate runtime environments—specifically Node.js—to mask its malicious activity, turning compromised servers into zombies that query the Ethereum blockchain.
According to ASEC researchers, the attackers are not focusing on high-value targets in specific nations. Instead, they are casting a wide, indiscriminate net.
“They are using an automated script to launch their attacks, and the attacks do not target specific countries but instead attack randomly generated IP addresses,” the report states.
The attack begins with a probe on port 80. Once a server is reached, the attackers immediately transmit a malicious packet designed to trigger the React2Shell vulnerability. If successful, this initial breach serves as a beachhead for the installation of EtherRAT.
“This attack installs EtherRAT through multiple stages, with the ultimate goal of gaining a foothold, stealing information, and stealing cryptocurrency,” ASEC explained.
One of the campaign’s stealthiest features is how it executes its payload. Rather than relying on a standalone binary that might be flagged by antivirus software, the malware downloads and installs a legitimate version of Node.js (v20.10.0) to execute its malicious scripts.
The malware attempts to blend in, but researchers identified a “smoking gun” in the file system. “If a suspicious NodeJS process is running in a path that was not installed separately, malware infection should be suspected,” the report warns.
Administrators are advised to check for hidden directories in the home path, specifically: $HOME/.local/share/.05bf0e9b.
Once established, EtherRAT begins its primary mission: interacting with the Ethereum blockchain to facilitate theft. The malware communicates with various public Remote Procedure Call (RPC) endpoints, including Flashbots, LlamaRPC, and Ankr.
“Check the access history of Ethereum contract queries,” advises the report.
The malware sends JSON-RPC requests to these services, specifically targeting a hardcoded contract address (0x22f96d61cf118efabc7c5bf3384734fad2f6ead4) to execute token transactions.
ASEC urges network administrators to monitor for unauthorized Node.js processes and unusual HTTPS traffic to known Ethereum RPC URLs.
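The checks the report recommends, as an added host and traffic triage example (not code from ASEC or the article): it flags a node binary running outside the usual install prefixes, looks for the hidden stage directory, and inspects a JSON-RPC body for the contract address quoted above. The system install prefixes and the $HOME/.nvm exception are assumptions about a typical Linux host; the RPC body is a constructed sample, not captured traffic.

```python
import json
import os

# Indicator values quoted in the article above.
HIDDEN_STAGE_DIR = ".local/share/.05bf0e9b"
EVIL_CONTRACT = "0x22f96d61cf118efabc7c5bf3384734fad2f6ead4"  # compared lower-cased
# Constructed sample of an eth_call body like those the report describes (not captured traffic).
SAMPLE_RPC_BODY = b'{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x22F96D61CF118EFABC7C5BF3384734FAD2F6EAD4","data":"0x"},"latest"]}'
# Assumption: install prefixes of a legitimate node on a typical Linux host (plus $HOME/.nvm below).
SYSTEM_NODE_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/usr/lib/node", "/opt/node", "/snap/")

def is_suspicious_node(exe_path: str, home: str) -> bool:
    """Report's rule: a node binary in a path that was not installed separately."""
    if os.path.basename(exe_path) not in ("node", "nodejs"):
        return False
    trusted = SYSTEM_NODE_PREFIXES + (os.path.join(home, ".nvm") + "/",)
    return not exe_path.startswith(trusted)

def stage_dir_present(home: str) -> bool:
    """Check for the hidden directory the report names under the user's home path."""
    return os.path.isdir(os.path.join(home, HIDDEN_STAGE_DIR))

def scan_running_processes(home: str = os.path.expanduser("~")) -> list:
    """Walk /proc on Linux and return (pid, exe) for suspicious node processes."""
    hits = []
    for entry in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe").removesuffix(" (deleted)")
        except OSError:  # process exited, or not ours to inspect
            continue
        if is_suspicious_node(exe, home):
            hits.append((int(entry), exe))
    return hits

def is_suspicious_rpc(body: bytes) -> bool:
    """True if a JSON-RPC request (single or batched) addresses the reported contract."""
    # Only eth_call-style params expose 'to'; a signed eth_sendRawTransaction hides it in RLP hex.
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    for call in (msg if isinstance(msg, list) else [msg]):
        if not isinstance(call, dict) or not str(call.get("method", "")).startswith("eth_"):
            continue
        if any(isinstance(p, dict) and str(p.get("to", "")).lower() == EVIL_CONTRACT
               for p in (call.get("params") or [])):
            return True
    return False
```

Run scan_running_processes() on the host and is_suspicious_rpc() over decrypted HTTPS bodies at a proxy; each hit is a lead to confirm, not proof of infection on its own.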