EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2

2025-12-16 Sysdig

https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2


Sysdig analyzed EtherRAT, a Node.js implant recovered from a compromised Next.js application shortly after disclosure of CVE-2025-55182 (React2Shell) in React Server Components. The malware resolves its command-and-control infrastructure through an Ethereum smart contract, polling several public RPC endpoints and taking a consensus of their answers so that a single tampered or unreachable endpoint cannot redirect it; it keeps retrieved payloads fileless by executing them directly in Node.js and installs multiple persistence mechanisms. Because the contract state is public, the blockchain history itself exposed operational details: wallet-linked C2 updates, two observed C2 servers, and a short-lived Grabify URL apparently used to enumerate infected hosts. The retrieved payloads performed system reconnaissance, Active Directory and privilege checks, security-product discovery, and GPU enumeration, exfiltrated results to 91.215.85[.]42:3000 with aggressive retries, and included a credential and cryptocurrency harvester that scans for BIP39 seed phrases. The report notes that many of the TTPs align with DPRK-linked activity, while an exclusion for CIS locales complicates attribution; the defensive value lies in tracking EtherRAT's React2Shell exploitation and its blockchain-C2 tradecraft rather than in the attribution itself.

Indicators of Compromise

Type    Value                                  First Seen   Last Seen
URL     https://grabify.link/SEFKGU            2025-12-16   2025-12-16
URL     https://webhook.site/63575795-e…       2025-12-16   2025-12-16
DOMAIN  grabify.link                           2025-12-16   2025-12-16
DOMAIN  legitimate-site.com                    2025-12-16   2025-12-16
IPv4    173.249.8.102                          2025-12-16   2025-12-16
IPv4    91.215.85.42                           2025-12-16   2025-12-16
IPv4    193.24.123.68                          2025-12-08   2025-12-16
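The summary above describes three behaviours a defender can hunt for without knowing the contract address or the current C2: contact with the listed indicators, a burst of retries to the exfiltration endpoint on port 3000, and a single process issuing eth_call requests to several public Ethereum JSON-RPC hosts in quick succession (the consensus poll). The script below is an added example written for this page; it is not code from the Sysdig report or from EtherRAT. It runs over constructed egress-telemetry records, and the record schema, the RPC host names (rpc-a.example and so on), the thresholds and the sample data are all assumptions; the IoC values are the ones in the table above.

```javascript
// Added hunting example, not code from the Sysdig report or from EtherRAT itself.
// Record schema, RPC host names, thresholds and sample telemetry are assumed.

const IOC_IPS = new Set(["173.249.8.102", "91.215.85.42", "193.24.123.68"]);
const IOC_DOMAINS = new Set(["grabify.link", "webhook.site"]);
const EXFIL_IP = "91.215.85.42";
const EXFIL_PORT = 3000;

// Thresholds: assumed for this example, not values taken from the report.
const RETRY_MIN = 5;       // attempts to the exfil endpoint from one pid
const RETRY_WINDOW_S = 60;
const RPC_MIN_HOSTS = 3;   // distinct RPC hosts receiving eth_call from one pid
const RPC_WINDOW_S = 30;

// Constructed telemetry. Fields: ts (epoch seconds), pid, proc, dstIp, dstPort,
// host (SNI or Host header, if any), rpcMethod (JSON-RPC method, if a proxy
// decoded the request body).
const SAMPLE = [
  // pid 4242 ("node"): eth_call to four RPC providers within 6 s
  { ts: 1000, pid: 4242, proc: "node", dstIp: "198.51.100.10", dstPort: 443, host: "rpc-a.example", rpcMethod: "eth_call" },
  { ts: 1001, pid: 4242, proc: "node", dstIp: "198.51.100.11", dstPort: 443, host: "rpc-b.example", rpcMethod: "eth_call" },
  { ts: 1003, pid: 4242, proc: "node", dstIp: "198.51.100.12", dstPort: 443, host: "rpc-c.example", rpcMethod: "eth_call" },
  { ts: 1006, pid: 4242, proc: "node", dstIp: "198.51.100.13", dstPort: 443, host: "rpc-d.example", rpcMethod: "eth_call" },
  // then six exfiltration attempts in 25 s, then one tracker hit
  ...Array.from({ length: 6 }, (_, i) => ({
    ts: 1010 + i * 5, pid: 4242, proc: "node", dstIp: EXFIL_IP, dstPort: EXFIL_PORT, host: null, rpcMethod: null,
  })),
  { ts: 1040, pid: 4242, proc: "node", dstIp: "203.0.113.5", dstPort: 443, host: "grabify.link", rpcMethod: null },
  // pid 900 ("wallet-ui"): a legitimate client talking to two providers
  { ts: 1000, pid: 900, proc: "wallet-ui", dstIp: "198.51.100.10", dstPort: 443, host: "rpc-a.example", rpcMethod: "eth_call" },
  { ts: 1002, pid: 900, proc: "wallet-ui", dstIp: "198.51.100.11", dstPort: 443, host: "rpc-b.example", rpcMethod: "eth_blockNumber" },
  // pid 31 ("curl"): an unrelated health check
  { ts: 1005, pid: 31, proc: "curl", dstIp: "192.0.2.7", dstPort: 443, host: "status.example", rpcMethod: null },
];

// Group records by pid, each group sorted by timestamp.
function groupByPid(records) {
  const groups = new Map();
  for (const r of records) {
    if (!groups.has(r.pid)) groups.set(r.pid, []);
    groups.get(r.pid).push(r);
  }
  for (const list of groups.values()) list.sort((a, b) => a.ts - b.ts);
  return groups;
}

// 1. Direct matches against the IoC table, one hit per (pid, indicator).
function findIocHits(records) {
  const seen = new Map();
  for (const r of records) {
    const indicator = IOC_DOMAINS.has(r.host) ? r.host : IOC_IPS.has(r.dstIp) ? r.dstIp : null;
    if (!indicator) continue;
    const key = `${r.pid}|${indicator}`;
    if (!seen.has(key)) seen.set(key, { pid: r.pid, proc: r.proc, indicator });
  }
  return [...seen.values()];
}

// 2. Retry storm: at least RETRY_MIN attempts to EXFIL_IP:EXFIL_PORT from one pid
//    inside any RETRY_WINDOW_S window (sliding window over sorted timestamps).
function findExfilRetries(records) {
  const out = [];
  for (const [pid, recs] of groupByPid(records)) {
    const ts = recs.filter((r) => r.dstIp === EXFIL_IP && r.dstPort === EXFIL_PORT).map((r) => r.ts);
    let best = 0;
    for (let i = 0, j = 0; i < ts.length; i++) {
      while (j < ts.length && ts[j] - ts[i] <= RETRY_WINDOW_S) j++;
      best = Math.max(best, j - i);
    }
    if (best >= RETRY_MIN) out.push({ pid, proc: recs[0].proc, attempts: best });
  }
  return out;
}

// 3. Consensus poll: one pid sending eth_call to at least RPC_MIN_HOSTS distinct
//    hosts inside any RPC_WINDOW_S window. A wallet or dapp normally talks to
//    one provider; fanning out to several and comparing answers is the tell.
function findRpcConsensus(records) {
  const out = [];
  for (const [pid, recs] of groupByPid(records)) {
    const calls = recs.filter((r) => r.rpcMethod === "eth_call" && r.host);
    let best = new Set();
    for (let i = 0; i < calls.length; i++) {
      const hosts = new Set();
      for (let j = i; j < calls.length && calls[j].ts - calls[i].ts <= RPC_WINDOW_S; j++) hosts.add(calls[j].host);
      if (hosts.size > best.size) best = hosts;
    }
    if (best.size >= RPC_MIN_HOSTS) out.push({ pid, proc: recs[0].proc, hosts: [...best].sort() });
  }
  return out;
}

function hunt(records) {
  return {
    iocHits: findIocHits(records),
    exfilRetries: findExfilRetries(records),
    rpcConsensus: findRpcConsensus(records),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(hunt(SAMPLE), null, 2));
}
```

Against the sample data, only pid 4242 trips all three checks: two IoC hits (the exfiltration IP and grabify.link), a six-attempt retry burst, and eth_call to four distinct RPC hosts; the wallet client, which queries two providers with different methods, stays below the consensus threshold. The RPC check is the one that survives a C2 rotation, since the implant must keep reading the contract from several endpoints whatever address the contract currently holds, so it is worth tuning the thresholds against real telemetry from hosts that legitimately run web3 tooling.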
