
EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2

Blog post from Sysdig

Post Details

Company: Sysdig
Date Published:
Author: Sysdig Threat Research Team
Word Count: 4,590
Language: English
Hacker News Points: -
Summary

A Sysdig Threat Research Team blog post from December 2025 details how an Ethereum-based malware implant, EtherRAT, is used in React2Shell attacks by a suspected North Korean-linked group. The malware hides its command and control (C2) traffic inside blockchain activity, aggressively harvests credentials, and runs as fileless malware through Node.js execution. The post breaks down the malware's five payload modules: system reconnaissance, credential harvesting, a self-propagating worm, web server hijacking, and SSH backdoor installation. Because every C2 infrastructure update is permanently recorded on Ethereum, defenders gain a forensic advantage: the full history of changes is preserved and cannot be erased by the operators. The post also notes that attribution is complicated by a CIS-country exclusion in the system reconnaissance payload, a pattern typically associated with Russian-speaking actors, which conflicts with the initial suspicion of North Korean involvement. It emphasizes the threat that React2Shell exploitation poses, especially to organizations running vulnerable Next.js deployments, and highlights the value of the immutable blockchain audit trail despite the attack's sophistication.