Security Concerns Rise: North Korea-linked Malware Targets Ethereum
Full Transcript
Threat actors with ties to North Korea have exploited a critical security flaw known as React2Shell to deploy a new remote access trojan named EtherRAT. Sysdig reported that EtherRAT leverages Ethereum smart contracts for command-and-control resolution and implements five independent Linux persistence mechanisms, downloading its own Node.js runtime from nodejs.org.
The malware operates through a sophisticated attack chain that begins with the exploitation of CVE-2025-55182, a maximum-severity vulnerability in React Server Components, allowing it to execute a shell command that retrieves and runs an installer script.
This script sets up the environment by downloading Node.js v20.10.0 and writing an encrypted blob and an obfuscated JavaScript dropper to disk, then deletes itself to cover its tracks.
The dropper then decrypts the EtherRAT payload and activates it using the Node.js binary. EtherRAT stands out for its use of EtherHiding, querying nine public Ethereum remote procedure call endpoints to resolve C2 server URLs through a consensus mechanism that enhances its resilience against detection.
Once activated, the malware enters a polling loop, running JavaScript code received from the C2 server. The attack demonstrates a significant evolution in exploiting React2Shell vulnerabilities, moving towards long-term stealthy access rather than short-lived cryptomining or credential theft.
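The chain above leaves behaviours a defender can hunt for without knowing EtherRAT's file hashes: a shell spawned by a web-server process that fetches a Node.js runtime from nodejs.org, a node binary running from an unmanaged path, and one process fanning eth_call requests out across several Ethereum RPC hosts (the consensus lookup described in the article). The following detection script is an added example, not Sysdig's code or anything from the report; it runs over constructed process and network events in a schema of its own (the fields ts, type, pid, ppid, exe, cmd, dst_host and method), and the hostnames, paths and PIDs in it are illustrative assumptions rather than indicators from the report.

```python
import re
from collections import defaultdict

# Constructed telemetry in this example's own schema (not a real EDR
# format). Hostnames, file paths and PIDs are illustrative assumptions.
EVENTS = [
    # Node.js/React server process: the React2Shell entry point.
    {"ts": 100, "type": "exec", "pid": 4100, "ppid": 1,
     "exe": "/usr/bin/node", "cmd": "node server.js"},
    # Shell spawned by that server, fetching a Node.js runtime from nodejs.org.
    {"ts": 101, "type": "exec", "pid": 4101, "ppid": 4100, "exe": "/bin/sh",
     "cmd": "sh -c 'curl -s https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz -o /tmp/.n.tar.xz'"},
    # Dropper-launched runtime from an unusual path, then C2 resolution
    # fanned out across several Ethereum JSON-RPC hosts.
    {"ts": 105, "type": "exec", "pid": 4102, "ppid": 4100,
     "exe": "/tmp/.cache/node", "cmd": "/tmp/.cache/node /tmp/.cache/loader.js"},
    {"ts": 106, "type": "net", "pid": 4102, "dst_host": "rpc-a.example.test", "method": "eth_call"},
    {"ts": 106, "type": "net", "pid": 4102, "dst_host": "rpc-b.example.test", "method": "eth_call"},
    {"ts": 107, "type": "net", "pid": 4102, "dst_host": "rpc-c.example.test", "method": "eth_call"},
    {"ts": 107, "type": "net", "pid": 4102, "dst_host": "rpc-d.example.test", "method": "eth_call"},
    # Benign: an administrator in an interactive shell downloading Node.js.
    {"ts": 200, "type": "exec", "pid": 5000, "ppid": 1, "exe": "/bin/bash", "cmd": "bash"},
    {"ts": 201, "type": "exec", "pid": 5001, "ppid": 5000, "exe": "/bin/sh",
     "cmd": "sh -c 'wget https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz'"},
    # Benign: a wallet backend querying its single configured RPC provider.
    {"ts": 300, "type": "exec", "pid": 6000, "ppid": 1, "exe": "/opt/wallet/bin/wallet", "cmd": "wallet"},
    {"ts": 301, "type": "net", "pid": 6000, "dst_host": "rpc-a.example.test", "method": "eth_call"},
    {"ts": 302, "type": "net", "pid": 6000, "dst_host": "rpc-a.example.test", "method": "eth_blockNumber"},
]

NODEJS_DIST = re.compile(r"https?://nodejs\.org/dist/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
# Package-managed locations a legitimate node binary is expected to live in (assumption).
TRUSTED_EXE_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/opt/")


def _process_table(events):
    """Map pid -> exec event so a child can look up its parent's executable."""
    return {e["pid"]: e for e in events if e["type"] == "exec"}


def runtime_download_from_web_server(events):
    """Rule 1: a shell spawned by a node server process fetches a runtime
    tarball from nodejs.org. Keying on the parent process, not the domain,
    keeps an admin's manual download out of the results. Returns shell PIDs."""
    procs = _process_table(events)
    flagged = []
    for e in events:
        if e["type"] != "exec" or e["exe"] not in SHELLS:
            continue
        if not NODEJS_DIST.search(e["cmd"]):
            continue
        parent = procs.get(e["ppid"])
        if parent and parent["exe"].endswith("/node"):
            flagged.append(e["pid"])
    return flagged


def ethereum_rpc_fanout(events, min_hosts=3):
    """Rule 2: one process issues eth_call requests to several distinct RPC
    hosts, the fan-out of consensus-based C2 resolution. A wallet talking to
    its single provider stays below the threshold. Returns {pid: hosts}."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "net" and e.get("method") == "eth_call":
            hosts[e["pid"]].add(e["dst_host"])
    return {pid: sorted(h) for pid, h in hosts.items() if len(h) >= min_hosts}


def untrusted_runtime_path(events):
    """Rule 3: a binary named node executing from outside package-managed
    paths, as happens when a dropper brings its own runtime. Returns PIDs."""
    return [e["pid"] for e in events
            if e["type"] == "exec" and e["exe"].endswith("/node")
            and not e["exe"].startswith(TRUSTED_EXE_PREFIXES)]


def run(events):
    """Evaluate all three rules and return their hits keyed by rule name."""
    return {
        "runtime_download_from_web_server": runtime_download_from_web_server(events),
        "ethereum_rpc_fanout": ethereum_rpc_fanout(events),
        "untrusted_runtime_path": untrusted_runtime_path(events),
    }


if __name__ == "__main__":
    for rule, hits in run(EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule is behavioural rather than indicator-based: the first keys on the process lineage (web server to shell to nodejs.org download) rather than on the nodejs.org domain or a particular Node.js version, the second on a single process spreading identical contract reads across multiple RPC providers, and the third on a runtime executing from a path no package manager writes to. Tune `min_hosts` and `TRUSTED_EXE_PREFIXES` to the environment; on a host that legitimately runs a wallet or indexer, rule 2 alone is a weak signal and gains weight when it fires for the same PID as rule 3.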
Additionally, the Contagious Interview campaign has shifted tactics, now utilizing GitHub and Visual Studio Code to distribute malware, further complicating the security landscape for developers. This development highlights the ongoing risks associated with cryptocurrency, necessitating enhanced security measures across the digital currency ecosystem.