EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks
Blog post from Sysdig
On December 5, 2025, the Sysdig Threat Research Team identified a sophisticated implant dubbed EtherRAT, which emerged shortly after the disclosure of a severe vulnerability, CVE-2025-55182, in React Server Components. Unlike previously documented React2Shell payloads, which focused on cryptomining and credential theft, EtherRAT is a persistent access tool that resolves its command-and-control (C2) infrastructure through Ethereum smart contracts and deploys multiple Linux persistence mechanisms. Its approach includes downloading Node.js from a trusted source to avoid detection, using a consensus mechanism across multiple Ethereum RPC endpoints to keep the C2 infrastructure resilient, and running a four-stage attack chain that reflects a significant evolution in operational security. With indications of tool-sharing between nation-state groups, EtherRAT raises concerns about the attribution and sophistication of DPRK-linked campaigns and underscores the need for organizations to strengthen runtime threat detection and monitoring to defend against such advanced threats.
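As an added example that is not code from the Sysdig post, the correlation rule below looks for the behaviour pattern the summary describes: a Node.js runtime fetched from the official distribution site, followed within a time window by reads of contract state against several distinct Ethereum JSON-RPC providers from the same host. The event schema, the host and provider names, the one-hour window, the two-endpoint threshold, and the choice of `eth_call`-style read methods as the signal are all assumptions made here; the sample events are constructed.

```python
"""
Added detection example (not from the Sysdig post): correlate a Node.js
runtime download with later fan-out reads to multiple Ethereum JSON-RPC
providers from the same host. Event fields, hostnames and thresholds are
assumptions for this example; all sample data is constructed.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Standard Ethereum JSON-RPC methods that read on-chain state without sending
# a transaction. A client that only needs to read a contract's stored value
# would use one of these (assumption: which exact method an implant uses).
ETH_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed sample clock)
    host: str          # endpoint the sensor reported from
    kind: str          # "exec" (process start) or "http" (outbound request)
    comm: str          # process name
    cmdline: str = ""  # command line for exec events
    url: str = ""      # destination URL for http events
    body: str = ""     # request body for http events (JSON-RPC payload)


def is_node_runtime_fetch(ev):
    """True when a downloader pulls a Node.js distribution archive."""
    if ev.kind != "exec" or ev.comm not in {"curl", "wget"}:
        return False
    return "nodejs.org/dist/" in ev.cmdline and ".tar" in ev.cmdline


def eth_rpc_host(ev):
    """Return the provider hostname if the request is an Ethereum state read, else None."""
    if ev.kind != "http":
        return None
    try:
        payload = json.loads(ev.body)
    except json.JSONDecodeError:
        return None
    if payload.get("jsonrpc") != "2.0" or payload.get("method") not in ETH_READ_METHODS:
        return None
    return urlparse(ev.url).hostname


def find_chain_c2_candidates(events, window=3600, min_endpoints=2):
    """Flag hosts where a Node.js fetch is followed by reads to several RPC providers.

    Neither signal alone is suspicious (developers download Node.js; wallet
    software talks to one provider), so the rule fires only on the combination.
    """
    findings = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for fetch in (e for e in evs if is_node_runtime_fetch(e)):
            endpoints = {}  # provider hostname -> process that contacted it
            for ev in evs:
                if fetch.ts < ev.ts <= fetch.ts + window:
                    rpc = eth_rpc_host(ev)
                    if rpc:
                        endpoints.setdefault(rpc, ev.comm)
            if len(endpoints) >= min_endpoints:
                findings.append({
                    "host": host,
                    "fetch_ts": fetch.ts,
                    "fetch_cmd": fetch.cmdline,
                    "rpc_endpoints": sorted(endpoints),
                    "rpc_processes": sorted(set(endpoints.values())),
                })
    return findings


def rpc_body(method, params):
    """Build a JSON-RPC 2.0 request body (helper for the constructed samples)."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


# Constructed sample telemetry. The contract address is an all-zero placeholder,
# the provider hostnames use the reserved .example domain, and the Node.js
# version is illustrative only.
_CALL = rpc_body("eth_call", [{"to": "0x" + "00" * 20, "data": "0x"}, "latest"])
SAMPLE_EVENTS = [
    Event(1000, "web-01", "exec", "curl",
          cmdline="curl -sO https://nodejs.org/dist/v20.0.0/node-v20.0.0-linux-x64.tar.xz"),
    Event(1200, "web-01", "http", "node", url="https://rpc-a.example/v1", body=_CALL),
    Event(1201, "web-01", "http", "node", url="https://rpc-b.example/", body=_CALL),
    Event(1202, "web-01", "http", "node", url="https://rpc-c.example/", body=_CALL),
    # Benign: build host fetching Node.js with no RPC traffic afterwards.
    Event(2000, "build-01", "exec", "wget",
          cmdline="wget https://nodejs.org/dist/v20.0.0/node-v20.0.0-linux-x64.tar.xz"),
    # Benign: an application polling one provider, and not a state read.
    Event(3000, "app-02", "http", "python3", url="https://rpc-a.example/v1",
          body=rpc_body("eth_blockNumber", [])),
]

if __name__ == "__main__":
    for finding in find_chain_c2_candidates(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Run as a script, the rule reports only `web-01`, where the download is followed by `eth_call` reads to three distinct providers; the build host and the single-provider application are left alone. In a real deployment the same logic would sit behind a runtime sensor's process and network events rather than an in-memory list, and the window and endpoint threshold would be tuned to the environment.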