EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks

2025-12-08 Sysdig

https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks


Sysdig recovered EtherRAT from a compromised Next.js application two days after disclosure of CVE-2025-55182, showing exploitation of React Server Components beyond miners and credential theft. The implant uses a four-stage chain that starts with a base64 shell dropper, installs its own Node.js runtime, decrypts an AES-256-CBC JavaScript payload, and establishes multiple Linux persistence mechanisms. EtherRAT resolves command-and-control through an Ethereum smart contract, querying nine public RPC endpoints and using majority consensus to resist sinkholing or poisoned RPC responses. The activity overlaps with North Korea-linked Contagious Interview tooling, but the text frames the attribution as either a DPRK pivot to React2Shell exploitation or sophisticated tool-sharing between nation-state groups.
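The observable side of the C2 scheme described above is a single host fanning out to several public Ethereum RPC endpoints within seconds, because the implant queries many providers and takes a majority vote on the answer. The following is an added detection example written for this page, not Sysdig's code: it parses a constructed proxy-log format (`<ISO timestamp> <src_ip> <method> <url>`), counts the distinct RPC hostnames a source contacts inside a sliding window, and raises an alert when that count reaches a threshold. The hostnames are the untruncated URL indicators from the table below; the log lines, the field layout and the threshold of three are assumptions.

```python
"""Flag hosts that contact several public Ethereum RPC endpoints in a short
window, the network pattern of EtherRAT's majority-consensus C2 resolution.
Added example for this page, not Sysdig's code."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hostnames taken from the untruncated URL indicators in the IoC table.
ETH_RPC_HOSTS = {
    "eth.drpc.org",
    "rpc.flashbots.net",
    "eth.merkle.io",
    "rpc.mevblocker.io",
    "eth.llamarpc.com",
    "rpc.payload.de",
}

# Constructed sample proxy log (assumed format: timestamp src_ip method url).
# 10.0.0.5 shows the fan-out pattern; 10.0.0.9 and 10.0.0.7 are single hits.
SAMPLE_LOG = """\
2025-12-08T10:00:01Z 10.0.0.5 POST https://eth.drpc.org
2025-12-08T10:00:01Z 10.0.0.5 POST https://rpc.flashbots.net/fast
2025-12-08T10:00:02Z 10.0.0.5 POST https://eth.merkle.io
2025-12-08T10:00:02Z 10.0.0.5 POST https://rpc.mevblocker.io
2025-12-08T10:00:02Z 10.0.0.5 POST https://eth.llamarpc.com
2025-12-08T10:15:00Z 10.0.0.9 GET https://eth.llamarpc.com
2025-12-08T10:30:00Z 10.0.0.9 GET https://example.com/
2025-12-08T10:05:00Z 10.0.0.7 POST https://rpc.payload.de
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, destination hostname)."""
    ts, src, _method, url = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, src, urlparse(url).hostname


def find_rpc_fanout(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per source that reaches `threshold` distinct RPC hosts
    within any `window`-long interval.  Only hits on ETH_RPC_HOSTS count."""
    events = defaultdict(list)  # src_ip -> [(timestamp, rpc_host), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, host = parse_line(line)
        if host in ETH_RPC_HOSTS:
            events[src].append((when, host))

    alerts = []
    for src, hits in events.items():
        hits.sort()  # chronological, so each hit can open a window
        for i, (start, _host) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({
                    "src": src,
                    "window_start": start,
                    "rpc_hosts": sorted(hosts),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_rpc_fanout(SAMPLE_LOG):
        print(f"{alert['src']} contacted {len(alert['rpc_hosts'])} Ethereum RPC "
              f"hosts from {alert['window_start']:%H:%M:%S}: "
              f"{', '.join(alert['rpc_hosts'])}")
```

Tune the threshold to the environment: a legitimate Web3 service may also spread reads across providers, so the signal is strongest on hosts that have no business talking to Ethereum at all, such as a Next.js application server. Adding a `GET` to a known-bad IP or an unexpected `node` binary in the same window would raise confidence further.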

Indicators of Compromise

Type    Value                              First Seen  Last Seen
IPv4    193.24.123.68                      2025-12-08  2025-12-16
URL     https://eth.drpc.org               2025-12-08  2025-12-08
URL     https://mainnet.gateway.tenderl…   2025-12-08  2025-12-08
URL     https://ethereum-rpc.publicnode…   2025-12-08  2025-12-08
URL     https://rpc.flashbots.net/fast     2025-12-08  2025-12-08
URL     https://eth.merkle.io              2025-12-08  2025-12-08
URL     https://rpc.mevblocker.io          2025-12-08  2025-12-08
URL     https://eth.llamarpc.com           2025-12-08  2025-12-08
URL     https://eth-mainnet.public.blas…   2025-12-08  2025-12-08
URL     https://rpc.payload.de             2025-12-08  2025-12-08
DOMAIN  rpc.payload.de                     2025-12-08  2025-12-08
DOMAIN  eth.merkle.io                      2025-12-08  2025-12-08
