EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks
On December 5, 2025, just two days after the public disclosure of CVE-2025-55182, a maximum-severity remote code execution vulnerability in React Server Components (RSCs), the Sysdig Threat Research Team (TRT) recovered a novel implant from a compromised Next.js application. Unlike the cryptocurrency miners and credential stealers documented in early React2Shell exploitation, this payload, dubbed EtherRAT, represents something far more sophisticated. It is a persistent access implant that combines techniques from at least three documented campaigns into a single, previously unreported attack chain.
EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org. This combination of capabilities has not been previously observed in React2Shell exploitation. The Sysdig TRT's analysis reveals significant overlap with …
IoC
https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz
https://rpc.flashbots.net/fast
https://eth.merkle.io
http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh
https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz
https://rpc.payload.de
https://rpc.mevblocker.io
https://eth-mainnet.public.blastapi.io
https://ethereum-rpc.publicnode.com
https://eth.drpc.org
https://c2.example.com
https://eth.llamarpc.com
https://mainnet.gateway.tenderly.co
193.24.123.68
E941A9b283006F5163EE6B01c1f23AA5951c4C8D
22f96d61cf118efabc7c5bf3384734fad2f6ead4
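The network indicators above are of very different quality: the stager host 193.24.123.68 and its script URL are specific to this campaign, while the Ethereum JSON-RPC providers and the nodejs.org tarballs are public services that legitimate software also contacts. The hunt script below, an added example that is not part of the Sysdig write-up, scores egress-log hits by that fidelity and then escalates a source host that cycles through several public RPC providers in a row, since a fallback list of providers is what a contract-resolved C2 looks like on the wire. The log format (`<epoch> <src_ip> <method> <url> <status>`), the sample lines, and the three-provider threshold are all constructed assumptions for the example.

```python
"""Hunt proxy/egress logs for the EtherRAT network indicators listed above (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Campaign-specific indicators from the IoC list (high fidelity: no legitimate use).
STAGER_IPS = {"193.24.123.68"}
STAGER_URLS = {"http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh"}

# Public Ethereum JSON-RPC endpoints the implant resolves its C2 through (low fidelity on
# their own). c2.example.com is an RFC 2606 reserved name, most likely a placeholder in
# the sample's configuration, but it is kept because the IoC list carries it.
ETH_RPC_HOSTS = {
    "rpc.flashbots.net", "eth.merkle.io", "rpc.payload.de", "rpc.mevblocker.io",
    "eth-mainnet.public.blastapi.io", "ethereum-rpc.publicnode.com", "eth.drpc.org",
    "eth.llamarpc.com", "mainnet.gateway.tenderly.co", "c2.example.com",
}

# Runtime download: nodejs.org is legitimate, so a hit is context, not an alert by itself.
NODE_RUNTIME_URLS = {
    "https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz",
    "https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz",
}

# Assumed log format for the example: "<epoch> <src_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def classify(url: str) -> Optional[Tuple[str, str]]:
    """Map one requested URL to (severity, reason), or None if it matches no indicator."""
    host = urlparse(url).hostname or ""
    if url in STAGER_URLS or host in STAGER_IPS:
        return ("high", f"contact with stager host {host}")
    if host in ETH_RPC_HOSTS:
        return ("low", f"Ethereum JSON-RPC endpoint {host}")
    if url in NODE_RUNTIME_URLS:
        return ("info", "Node.js runtime tarball download")
    return None


def hunt(lines: List[str], rpc_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return sorted (src_ip, severity, reason) findings for every indicator hit.

    Low-fidelity RPC hits are escalated per source host once that host has talked to
    rpc_threshold distinct providers: an application pins one provider, a fallback list
    rotates through many.
    """
    findings: List[Tuple[str, str, str]] = []
    rpc_hosts_per_src: Dict[str, set] = defaultdict(set)
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line: skip rather than guess
        _ts, src, _method, url, _status = match.groups()
        hit = classify(url)
        if hit is None:
            continue
        severity, reason = hit
        findings.append((src, severity, reason))
        if severity == "low":
            rpc_hosts_per_src[src].add(urlparse(url).hostname)
    for src, hosts in rpc_hosts_per_src.items():
        if len(hosts) >= rpc_threshold:
            findings.append((src, "medium", f"{len(hosts)} distinct Ethereum RPC providers contacted"))
    return sorted(findings)


def max_severity(findings: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Collapse findings to the highest severity seen per source host."""
    worst: Dict[str, str] = {}
    for src, severity, _reason in findings:
        if src not in worst or SEVERITY_RANK[severity] > SEVERITY_RANK[worst[src]]:
            worst[src] = severity
    return worst


# Constructed sample log: one host replaying the EtherRAT chain, one host making a
# single RPC call and a harmless npm fetch.
SAMPLE_LOG = """\
1764936000 10.0.0.5 GET http://193.24.123.68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh 200
1764936005 10.0.0.5 GET https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz 200
1764936010 10.0.0.5 POST https://rpc.flashbots.net/fast 200
1764936011 10.0.0.5 POST https://eth.merkle.io/ 502
1764936012 10.0.0.5 POST https://eth.llamarpc.com/ 200
1764936100 10.0.0.9 POST https://ethereum-rpc.publicnode.com/ 200
1764936200 10.0.0.9 GET https://registry.npmjs.org/react/latest 200
""".splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
    print(max_severity(hunt(SAMPLE_LOG)))
```

Run against real logs, the single RPC hit from 10.0.0.9 is the kind of result to triage by asking whether that workload has any business talking to Ethereum at all; on a Next.js server that serves a web app, the answer is usually no, and the 0x-less contract addresses in the IoC list are what to search for in the recovered JavaScript rather than on the network.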