Cybersecurity researchers have discovered a new wave of attacks exploiting the recently disclosed React2Shell vulnerability (CVE-2025-55182), this time deploying a sophisticated backdoor called EtherRAT. The malware was found in a compromised Next.js application on December 5, just two days after the public release of the critical flaw.
What makes EtherRAT especially dangerous is that it is not a simple cryptominer or credential stealer but a full-fledged remote access trojan (RAT) built for stealth and persistence. Once deployed, EtherRAT downloads its own Node.js runtime, drops encrypted payloads, and establishes as many as five separate Linux persistence mechanisms, so that it survives reboots, credential changes, and basic cleanup attempts.
Perhaps the most novel trick: EtherRAT uses the blockchain, specifically public Ethereum smart contracts, to distribute command-and-control (C2) instructions. Instead of connecting to a fixed command server (which can be blocked or seized), the malware reads its C2 directives dynamically from a smart contract, so the operators can repoint the infrastructure simply by updating the contract's state. This “on-chain control” makes detection and takedown far harder. The trade-off for defenders is that while the contract itself cannot be taken down, the malware still has to reach an Ethereum node (typically a public JSON-RPC endpoint) to read it, and that outbound traffic is observable.
Security firm Sysdig links this attack campaign to an ongoing effort known as Contagious Interview, a DPRK-associated operation that targets Web3 and blockchain developers using fake job interviews and coding assignments. The similarities in tradecraft suggest the same group (or collaborators) may now be using the React2Shell vulnerability to widen their reach.
The underlying flaw, React2Shell, affects applications built on React Server Components (not plain client-side React) and frameworks layered on them such as Next.js, when they run in certain configurations. The vulnerability allows unauthenticated remote code execution (RCE) with nothing more than a crafted HTTP request.
Given the speed and stealth of the attack, security experts warn that organizations must act immediately: audit the stack for React Server Components and Next.js deployments, update to patched versions, and monitor for unusual outbound traffic, particularly to blockchain RPC endpoints, as well as for unexpected Node.js runtime downloads.
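To make the on-chain C2 pattern described above concrete, and to show what the egress monitoring recommended here can key on, the following Node.js snippet is an added illustration. It is not EtherRAT's code and not taken from Sysdig's analysis: the contract address, the 4-byte function selector, the RPC endpoint behaviour and the directive string are constructed placeholders. What is real is the shape of the exchange: a client POSTs a standard JSON-RPC `eth_call` to any Ethereum node, and the node returns the contract's return value ABI-encoded (here, the standard layout for a function returning a single `string`: a 32-byte offset word, a 32-byte length word, then the bytes padded to 32). The same message shape is what a network sensor can flag when a web server that has no business talking to blockchain nodes starts doing so.

```javascript
// Illustration of "on-chain C2": a client reads a string stored in a public
// Ethereum smart contract via the standard JSON-RPC eth_call method, then a
// defender-side check flags such calls in captured HTTP bodies.
// NOT EtherRAT's code. Address, selector and directive are placeholders.

const CONTRACT = '0x' + '11'.repeat(20); // assumed placeholder contract address
const SELECTOR = '0xdeadbeef';           // assumed placeholder 4-byte function selector
                                         // (normally first 4 bytes of keccak256 of the signature)

// Build the JSON-RPC request a reader would POST to a public Ethereum node.
// No fixed C2 server: any node that serves the chain state will answer this.
function buildEthCall(contract, selector, id = 1) {
  return {
    jsonrpc: '2.0',
    id,
    method: 'eth_call',
    params: [{ to: contract, data: selector }, 'latest'],
  };
}

// ABI-encode a single `string` return value: offset word, length word, padded bytes.
// Used only to construct a realistic sample response offline.
function abiEncodeString(s) {
  const bytes = Buffer.from(s, 'utf8');
  const word = (n) => n.toString(16).padStart(64, '0');
  const padded = bytes.toString('hex').padEnd(Math.ceil(bytes.length / 32) * 64, '0');
  return '0x' + word(32) + word(bytes.length) + padded;
}

// ABI-decode a single `string` return value from an eth_call result, with
// bounds checks so a malformed or truncated response cannot read past the buffer.
function abiDecodeString(hex) {
  const data = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  if (data.length < 64) throw new Error('result too short');
  const offset = Number(BigInt('0x' + data.subarray(0, 32).toString('hex')));
  if (offset + 32 > data.length) throw new Error('offset exceeds data');
  const length = Number(BigInt('0x' + data.subarray(offset, offset + 32).toString('hex')));
  if (offset + 32 + length > data.length) throw new Error('length exceeds data');
  return data.subarray(offset + 32, offset + 32 + length).toString('utf8');
}

// Constructed sample: what a node's response would look like if the contract
// currently held the directive below. The operator changes the directive by
// sending a transaction that updates the contract's storage.
const sampleDirective = 'c2=203.0.113.10:443;sleep=300';
const sampleResponse = { jsonrpc: '2.0', id: 1, result: abiEncodeString(sampleDirective) };

// Detection side: flag a captured HTTP request body that is a JSON-RPC eth_call.
// On a web server this traffic is anomalous regardless of the destination host,
// because public RPC endpoints are numerous and easily rotated.
function isEthCall(body) {
  try {
    const msg = JSON.parse(body);
    return msg.jsonrpc === '2.0' && msg.method === 'eth_call';
  } catch {
    return false;
  }
}

// Run the full exchange: build the request, decode the sample reply, and show
// that the request body trips the detection check.
function demo() {
  const request = JSON.stringify(buildEthCall(CONTRACT, SELECTOR));
  return {
    request,
    directive: abiDecodeString(sampleResponse.result),
    flagged: isEthCall(request),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The decoder's bounds checks matter for a defender who wants to replay captured responses: a contract under hostile control can return arbitrary bytes, and a naive offset/length read would happily index outside the buffer. On the detection side, matching on the JSON-RPC method rather than on a destination list is the more durable rule, since the set of public Ethereum nodes changes constantly while the `eth_call` message shape does not.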
This incident shows how state-linked hackers are adapting quickly, combining older espionage methods with modern frameworks and blockchain-based tools. EtherRAT isn’t just a malware update. It’s a signal: attackers are innovating, and defenders must evolve faster.