North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

Recent cybersecurity reports indicate that actors likely connected to North Korea have exploited the critical React2Shell vulnerability in React Server Components to distribute a previously undocumented remote access trojan called EtherRAT. According to cloud security firm Sysdig, EtherRAT leverages Ethereum smart contracts for command-and-control resolution, employs five independent Linux persistence mechanisms, and downloads its own Node.js runtime to execute payloads. The malware exhibits strong similarities with the ongoing Contagious Interview campaign, which has been targeting blockchain and Web3 developers through fraudulent coding interviews and assignments since early 2025.

The campaign typically begins by luring victims via professional platforms such as LinkedIn, Upwork, and Fiverr, where threat actors pose as recruiters offering programming opportunities. Once a system is targeted, the attack chain exploits CVE-2025-55182, a maximum-severity vulnerability in React Server Components, to run a Base64-encoded shell command that downloads and executes a shell script. This script prepares the environment by downloading Node.js version 20.10.0, writing encrypted payloads to disk, and deploying an obfuscated JavaScript dropper. After execution, the shell script is removed to minimize forensic traces. The dropper then decrypts the EtherRAT payload and launches it using the Node.js runtime, establishing persistent access to the compromised system.

EtherRAT employs a unique EtherHiding technique to fetch its command-and-control server URL from an Ethereum smart contract every five minutes. The malware uses consensus voting across nine public Ethereum RPC endpoints to select the URL returned by the majority, making it resistant to single-point takedowns and preventing researchers from poisoning the C2 resolution. Persistence is achieved through five separate mechanisms, including systemd user services, XDG autostart entries, cron jobs, and modifications to both .bashrc and profile files, ensuring that the malware survives system reboots. The implant also has a self-update capability, downloading new obfuscated versions from the C2 server while overwriting its previous code, allowing it to bypass traditional static detection methods.
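A defender-side triage script for the five user-level persistence locations named above. This is an added example, not code from Sysdig or the report: it walks systemd user units, XDG autostart entries, a caller-supplied crontab, .bashrc and .profile, flags a Node.js binary launched from outside packaged paths, and reports any script registered by more than one mechanism. All file names and paths it constructs are made up for illustration and are not indicators from the campaign.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path
SAFE_NODE_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/snap/bin/")
NODE_RE = re.compile(r"(?<![\w/.-])(\S+/)(?:node|nodejs)(?=\s|$)")
PAYLOAD_RE = re.compile(r"/\S+\.(?:js|sh)\b")
KEYED_FILES = ((".config/systemd/user/*.service", "ExecStart=", "systemd-user"),
               (".config/autostart/*.desktop", "Exec=", "xdg-autostart"))

def collect_commands(home: Path, crontab_text: str = "") -> list[tuple[str, str]]:
    """(mechanism, command) pairs; crontab_text is the caller-supplied `crontab -l` output."""
    found = []
    for pattern, key, mech in KEYED_FILES:
        for f in home.glob(pattern):
            found += [(mech, l[len(key):]) for l in f.read_text().splitlines()
                      if l.startswith(key)]
    for l in crontab_text.splitlines():
        if l.strip() and not l.startswith("#"):  # "@reboot cmd" or "m h dom mon dow cmd"
            found.append(("cron", " ".join(l.split()[1 if l.startswith("@") else 5:])))
    for rc in (".bashrc", ".profile"):
        if (home / rc).exists():
            found += [(rc, l.strip()) for l in (home / rc).read_text().splitlines()
                      if l.strip() and not l.lstrip().startswith("#")]
    return found

def audit(home: Path, crontab_text: str = "") -> dict:
    """Flag a node binary outside packaged paths and any script registered by 2+ mechanisms."""
    findings, by_payload = [], defaultdict(set)
    for mech, cmd in collect_commands(home, crontab_text):
        m = NODE_RE.search(cmd)
        if m and not m.group(1).startswith(SAFE_NODE_DIRS):
            findings.append((mech, f"node runtime outside standard paths: {m.group(1)}"))
        for p in PAYLOAD_RE.findall(cmd):
            by_payload[p].add(mech)  # redundant registration of one script is the tell
    shared = {p: sorted(s) for p, s in by_payload.items() if len(s) >= 2}
    return {"findings": findings, "shared_payloads": shared}

def demo() -> dict:
    """Constructed sample home (made-up paths, not IoCs): one script in all five mechanisms."""
    launch = "/home/dev/.cache/nodejs/bin/node /home/dev/.cache/app.js"
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".config/systemd/user").mkdir(parents=True)
        (home / ".config/autostart").mkdir()
        (home / ".config/systemd/user/sync.service").write_text(f"[Service]\nExecStart={launch}\n")
        (home / ".config/autostart/sync.desktop").write_text(f"[Desktop Entry]\nExec={launch}\n")
        (home / ".bashrc").write_text(f"alias ll='ls -l'\n{launch} >/dev/null 2>&1 &\n")
        (home / ".profile").write_text(f"export PATH=$HOME/bin:$PATH\n{launch} &\n")
        return audit(home, f"@reboot {launch}\n")
```

On a live host, call `audit(Path.home(), subprocess.check_output(["crontab", "-l"], text=True))` and review both the per-mechanism findings and the shared-payload map, since a script wired into several autostart paths at once deserves attention even when no other heuristic fires.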

Further analysis from OpenSourceMalware reveals that the Contagious Interview campaign has shifted its tactics from npm packages to Microsoft Visual Studio Code. Victims are instructed to clone malicious repositories from GitHub, GitLab, or Bitbucket and open them in VS Code, where a tasks.json file configured to run automatically executes a loader script. On Linux systems, this leads to the deployment of additional scripts, including vscode-bootstrap.sh, package.json, and env-setup.js, which serve as launchpads for malware such as BeaverTail and InvisibleFerret. Researchers have identified multiple versions of the campaign, spread across numerous GitHub users and repository variants, indicating a highly organized and evolving threat landscape.

Sysdig highlighted that EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic attacks toward stealthy, long-term access operations. The sophisticated use of blockchain for C2 resolution, multiple persistence mechanisms, and self-updating capabilities make this malware a challenging target for defenders. Analysts note that whether this represents a new North Korean operation or technique adoption by another actor, the result is a persistent, difficult-to-detect implant that demonstrates the increasing sophistication of cyber threats targeting developers in the blockchain and Web3 ecosystem.
