A team of cybersecurity researchers at Sysdig, a firm specialising in protecting cloud and container-based apps, has found a new malware called EtherRAT being deployed to exploit the severe CVE-2025-55182 React2Shell vulnerability.
The discovery was made on December 5, 2025, just two days after the vulnerability was publicly revealed.
This flaw was first disclosed on December 3, 2025, by researcher Lachlan Davidson and affects React Server Components (RSCs), including frameworks like Next.js. It is a maximum-severity issue that allows an unauthenticated attacker to perform Remote Code Execution (RCE) on a server via an unsafe deserialization flaw. CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalogue on December 5, 2025, confirming it was actively being used in attacks.
The latest research from Sysdig TRT shows that the danger of the React2Shell vulnerability is rapidly expanding. While early exploitation was dominated by payloads from opportunistic cryptominers and sophisticated China-nexus groups deploying credential harvesters and backdoors, Sysdig’s investigation found that EtherRAT represents an escalation in this activity.
EtherRAT is a persistent access implant that combines methods from at least three known campaigns into a single, previously unreported attack chain. The malware itself is unique because it uses Ethereum smart contracts for command-and-control (C2) resolution, installs five separate Linux defences to ensure it remains active, and downloads its own Node.js software directly from nodejs.org. According to researchers, this specific blend of features has never been seen before in an exploit of the React2Shell vulnerability.
The most prominent feature of EtherRAT is how it resolves its Command-and-Control (C2) infrastructure. Instead of relying on a standard website address that could be blocked, it uses Ethereum smart contracts (code stored on a decentralised ledger). The design is notably resilient: the program queries nine different public connection points (RPC endpoints) for the Ethereum network and uses the C2 address that the majority of them agree on. This consensus mechanism protects the malware against a single authority shutting it down.
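As an added illustration from the defender's side (this is not Sysdig's code and nothing from the EtherRAT sample itself), the following Python sketch hunts egress-proxy logs for the two network traits described above: a single server fanning out to many public Ethereum JSON-RPC endpoints within a short window, and a server fetching a Node.js runtime from nodejs.org. The RPC hostnames (`rpc-a.example` and so on), the log format and the log lines are constructed placeholders; the article names no endpoints, so a real deployment would substitute the organisation's own list of public Ethereum RPC providers.

```python
"""Hunt egress logs for two EtherRAT-style traits: fan-out to many public
Ethereum JSON-RPC endpoints in a short window, and a server downloading a
Node.js runtime from nodejs.org.  Added example; not vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical list of public Ethereum RPC hostnames a defender maintains.
# The article names no endpoints; these are placeholders, not real indicators.
ETH_RPC_HOSTS = {
    "rpc-a.example", "rpc-b.example", "rpc-c.example", "rpc-d.example",
    "rpc-e.example", "rpc-f.example", "rpc-g.example", "rpc-h.example",
    "rpc-i.example",
}
# Official Node.js distribution path, which the article says EtherRAT fetches.
NODEJS_DIST = re.compile(r"^https?://nodejs\.org/dist/")

# Constructed egress-proxy log lines: "<timestamp> <source host> <method> <url>"
SAMPLE_LOG = """\
2025-12-05T10:00:01Z web-01 POST https://rpc-a.example/
2025-12-05T10:00:01Z web-01 POST https://rpc-b.example/
2025-12-05T10:00:02Z web-01 POST https://rpc-c.example/
2025-12-05T10:00:02Z web-01 POST https://rpc-d.example/
2025-12-05T10:00:02Z web-01 POST https://rpc-e.example/
2025-12-05T10:00:03Z web-01 POST https://rpc-f.example/
2025-12-05T10:00:03Z web-01 POST https://rpc-g.example/
2025-12-05T10:00:03Z web-01 POST https://rpc-h.example/
2025-12-05T10:00:04Z web-01 POST https://rpc-i.example/
2025-12-05T10:00:09Z web-01 GET https://nodejs.org/dist/v20.0.0/node-v20.0.0-linux-x64.tar.xz
2025-12-05T10:01:00Z web-02 POST https://rpc-a.example/
2025-12-05T10:05:00Z web-02 GET https://registry.npmjs.org/react
2025-12-05T10:07:00Z build-01 GET https://nodejs.org/dist/v20.0.0/node-v20.0.0-linux-x64.tar.xz
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Return (timestamp, source host, method, url) tuples; skip malformed lines."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, host, method, url = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, url))
    return events


def hostname(url):
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def detect(log_text, window=timedelta(seconds=60), min_endpoints=5,
           allow_nodejs_from=frozenset()):
    """Return (source host, finding kind, detail) tuples.

    eth_rpc_fanout: one host reached >= min_endpoints distinct RPC providers
    within `window` (a consensus-style resolver contacts many at once).
    nodejs_runtime_download: a host fetched from nodejs.org/dist/ and is not
    on the allow list of machines expected to install Node.js (build hosts).
    """
    findings = []
    rpc_hits = defaultdict(list)
    for ts, host, _method, url in parse(log_text):
        h = hostname(url)
        if h in ETH_RPC_HOSTS:
            rpc_hits[host].append((ts, h))
        if NODEJS_DIST.match(url) and host not in allow_nodejs_from:
            findings.append((host, "nodejs_runtime_download", url))
    for host, hits in rpc_hits.items():
        hits.sort()
        # Sliding window: count distinct providers reached within `window`.
        for i, (t0, _) in enumerate(hits):
            seen = {ep for t, ep in hits[i:] if t - t0 <= window}
            if len(seen) >= min_endpoints:
                detail = f"{len(seen)} endpoints in {int(window.total_seconds())}s"
                findings.append((host, "eth_rpc_fanout", detail))
                break
    return findings


if __name__ == "__main__":
    for host, kind, detail in detect(SAMPLE_LOG, allow_nodejs_from={"build-01"}):
        print(f"{host}: {kind} ({detail})")
```

On the constructed log, `web-01` is flagged on both counts, `web-02` (one RPC call and an npm fetch) stays quiet, and `build-01` is flagged for the Node.js download unless it is on the allow list, which is the knob a team would tune so that legitimate CI hosts do not drown the alert.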
To guarantee a permanent backdoor, the program is designed for long-term stealth, establishing five different ways to ensure it restarts on a system. TRT also believes that the software is linked to North Korean hacking groups because of a “significant overlap with North Korea-linked ‘Contagious Interview’ (DPRK) tooling.”
Specifically, the way EtherRAT encrypts its files closely matches the BeaverTail malware, a known North Korean tool; the researchers provided a comparison image showing the match with the North Korean-linked campaign tooling.
Sysdig TRT concluded in the blog post shared with Hackread.com that the advanced design of EtherRAT “represents a significant evolution in React2Shell exploitation.”
Casey Ellis, Founder at Bugcrowd, weighed in on the significance of the EtherRAT discovery, sharing their comments with Hackread.com, stating, “From an attacker’s perspective, react2shell is the kind of vulnerability that affords massive opportunity for crime, but that also has a relatively narrow window for exploitation… All of this rolls out to some very speedy and coordinated campaigns, just like the one being described here.”