North Korea Linked Actors Exploit React2Shell to Deliver New EtherRAT Malware

A threat group linked to North Korea has begun exploiting the critical React2Shell security flaw in React Server Components to distribute a previously undocumented remote access trojan named EtherRAT. According to a new report from Sysdig, this malware uses Ethereum smart contracts for command and control resolution, deploys five separate persistence methods on Linux systems, and downloads its own Node.js runtime directly from nodejs.org.

Sysdig noted that this activity closely matches a long running operation known as Contagious Interview. This campaign has been targeting blockchain developers, Web3 engineers, and related professionals since early 2025 by posing as recruiters on LinkedIn, Upwork, and Fiverr. Victims are lured with fake job interviews and coding assignments that eventually deliver malware.

Software supply chain firm Socket has described this operation as one of the most active threats abusing the npm ecosystem, which shows how effectively the attackers have adapted to JavaScript and cryptocurrency oriented workflows.

Exploitation of CVE-2025-55182

The new activity begins with the exploitation of CVE-2025-55182, a critical vulnerability in React Server Components that allows the execution of a Base64 encoded shell command. This command downloads a shell script responsible for initiating the EtherRAT deployment.

The script attempts to retrieve the required components using curl, then falls back to wget or python3 if necessary. It prepares the environment by downloading Node.js version 20.10.0, writes an encrypted blob along with an obfuscated JavaScript dropper, deletes itself to reduce forensic traces, and executes the dropper.

The dropper decrypts the EtherRAT payload using a hard coded key and launches it through the downloaded Node.js binary. EtherRAT relies on a technique known as EtherHiding to obtain its command and control URL from an Ethereum smart contract every five minutes. This setup ensures that operators can easily update the URL even if it is taken down.

Sysdig highlighted that the malware uses a consensus mechanism involving nine Ethereum RPC endpoints. EtherRAT queries all nine in parallel, gathers their responses, and chooses the URL that appears most frequently. This prevents defenders or researchers from tampering with its command and control resolution.

Similar designs were previously seen in two npm packages named colortoolsv2 and mimelib2, which deployed downloader malware to developer systems.

Persistence and Self Updating Abilities

Once EtherRAT connects to its command and control server, it enters a continuous polling loop that runs every half second. Any response longer than ten characters is treated as JavaScript code and executed on the infected host.

To ensure persistence, the malware relies on five methods, which include a systemd user service, an XDG autostart entry, cron based scheduling, .bashrc modification, and profile file injection. Together, these methods guarantee that the implant continues running even after reboot.
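As an added defensive example (not Sysdig's tooling and not code from the report), the script below audits the five user-level persistence locations listed above on a Linux host or a mounted home directory: systemd user units, XDG autostart entries, the user crontab, `.bashrc` and the profile files. It flags lines that launch a Node.js script, pipe a blob through `base64 -d`, or reference world-writable paths. The indicator patterns are assumptions for this demo rather than indicators from the report, and the sample home directory it builds (with a constructed `~/.cache/node/bin/node` runtime path and `app.js` implant path) is likewise constructed.

```python
"""Audit the five user-level persistence locations attributed to EtherRAT.

Added defensive example: walks the places a user-level implant can hook on
Linux and flags suspicious launcher lines. Patterns and sample data are
constructed for this demo, not taken from the Sysdig report.
"""
import re
import tempfile
from pathlib import Path

# Heuristic indicators (assumed; tune for your environment). Checked in order,
# one finding per matching line.
INDICATORS = {
    "node-launches-script": re.compile(r"(?:^|\s|/)node\s+\S*\.js\b"),
    "base64-decode-pipeline": re.compile(r"base64\s+(?:-d|--decode)\b"),
    "world-writable-path": re.compile(r"(?:^|[\s=])/(?:tmp|var/tmp|dev/shm)/"),
}


def _scan_lines(location, source, lines):
    """Return one finding per line that matches any indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"location": location, "source": str(source),
                                 "line": lineno, "indicator": name,
                                 "text": line.strip()})
                break
    return findings


def _scan_file(location, path):
    if not path.is_file():
        return []
    return _scan_lines(location, path, path.read_text(errors="replace").splitlines())


def audit_persistence(home, crontab_text=""):
    """Scan the five persistence locations under `home`.

    `crontab_text` is the output of `crontab -l` for the audited user; it is
    passed in so the scan also works offline and against mounted images.
    """
    home = Path(home)
    findings = []
    for unit in sorted((home / ".config/systemd/user").glob("*.service")):
        findings += _scan_file("systemd-user", unit)          # systemd user service
    for entry in sorted((home / ".config/autostart").glob("*.desktop")):
        findings += _scan_file("xdg-autostart", entry)        # XDG autostart entry
    findings += _scan_lines("cron", "crontab -l", crontab_text.splitlines())
    findings += _scan_file("bashrc", home / ".bashrc")        # .bashrc modification
    for name in (".profile", ".bash_profile"):
        findings += _scan_file("profile", home / name)        # profile file injection
    return findings


def build_demo_home():
    """Create a constructed home directory mixing benign and suspicious entries."""
    home = Path(tempfile.mkdtemp(prefix="persistence-audit-"))
    node = f"{home}/.cache/node/bin/node"    # constructed: runtime stashed under a dotfolder
    script = f"{home}/.cache/.x/app.js"      # constructed: decrypted implant path

    (home / ".config/systemd/user").mkdir(parents=True)
    (home / ".config/systemd/user/update.service").write_text(
        f"[Service]\nExecStart={node} {script}\nRestart=always\n")
    (home / ".config/autostart").mkdir()
    (home / ".config/autostart/nm-applet.desktop").write_text(
        "[Desktop Entry]\nExec=nm-applet\n")                          # benign
    (home / ".config/autostart/update.desktop").write_text(
        f"[Desktop Entry]\nExec=sh -c \"{node} {script}\"\n")
    (home / ".bashrc").write_text(
        "alias ll='ls -l'\nexport PATH=$HOME/.local/bin:$PATH\n"      # benign
        f"nohup {node} {script} >/dev/null 2>&1 &\n")
    (home / ".profile").write_text(
        "[ -f ~/.bashrc ] && . ~/.bashrc\n"                           # benign
        "echo ZWNobyBoaQo= | base64 -d | sh\n")                       # constructed blob
    crontab = ("0 2 * * * /usr/bin/backup.sh\n"                       # benign
               f"@reboot {node} {script}\n")
    return home, crontab


def demo():
    home, crontab = build_demo_home()
    return audit_persistence(home, crontab)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['location']}] {f['source']}:{f['line']} "
              f"{f['indicator']}: {f['text']}")
```

On a live host, pass `subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout` as `crontab_text` and the user's home directory as `home`; on a disk image, point `home` at the mounted `/home/<user>` and supply the crontab from `/var/spool/cron/crontabs/<user>` instead. The five locations are exactly the ones the report names, so a hit in every one of them for the same Node.js path is the pattern to look for.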

A notable feature is its ability to update itself automatically. The malware transmits its code to an API endpoint, receives an updated but differently obfuscated version, overwrites its own files, and restarts in a new process. This makes static signature based detection significantly harder.

Researchers also noted overlaps between the encrypted loader of EtherRAT and components found in BeaverTail, a JavaScript based information stealer used in previous Contagious Interview attacks.

Sysdig stated that EtherRAT represents a major shift in React2Shell exploitation. The activity has moved away from opportunistic crypto mining and simple credential theft, toward maintaining persistent and covert access suited for long term operations.

Expansion of Contagious Interview Through VS Code

OpenSourceMalware uncovered a new variation of the Contagious Interview campaign. In this version, victims are encouraged to clone a malicious repository from GitHub, GitLab, or Bitbucket as part of a supposed coding assignment. When the victim opens the project in Visual Studio Code, a tasks.json file configured to run automatically triggers a loader script.

On Linux systems, this loader downloads a file named vscode bootstrap.sh, which then retrieves additional components such as package.json and env setup.js. The latter functions as an entry point for BeaverTail and another implant known as InvisibleFerret.
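The article does not say which `tasks.json` setting the campaign used to run the loader automatically; the documented VS Code mechanism for that is a task whose `runOptions.runOn` is `folderOpen`. The scanner below, an added defensive example rather than OpenSourceMalware's tooling, checks a cloned repository for such tasks before the folder is opened in VS Code. It tolerates the comments and trailing commas VS Code accepts in `tasks.json` and reports each auto-run task with its command. The sample repository and its `tasks.json` are constructed inline; the task labels and the `scripts/setup.js` path are placeholders, not values from the campaign.

```python
"""Flag VS Code tasks configured to run automatically on folder open.

Added defensive example. Assumes the auto-run mechanism is the documented
VS Code task option "runOptions": {"runOn": "folderOpen"}. The sample
repository below is constructed for the demo.
"""
import json
import re
import tempfile
from pathlib import Path

_TRAILING_COMMA = re.compile(r",(\s*[}\]])")


def strip_jsonc(text):
    """Remove // and /* */ comments outside string literals."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j              # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_jsonc(text):
    """Parse the JSON-with-comments dialect VS Code uses for tasks.json.

    Trailing-comma removal is regex based, which is fine for config files
    but would also touch a string literal ending in ", }" (acceptable here).
    """
    return json.loads(_TRAILING_COMMA.sub(r"\1", strip_jsonc(text)))


def find_auto_run_tasks(tasks_json_text):
    """Return every task that VS Code would start when the folder is opened."""
    hits = []
    for task in load_jsonc(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        hits.append({"label": task.get("label", "<unnamed>"),
                     "type": task.get("type"),
                     "command": " ".join(p for p in parts if p)})
    return hits


def scan_repo(repo):
    """Scan <repo>/.vscode/tasks.json; a missing file yields no findings."""
    path = Path(repo) / ".vscode" / "tasks.json"
    return find_auto_run_tasks(path.read_text()) if path.is_file() else []


# Constructed sample: one ordinary build task and one auto-run task.
SAMPLE_TASKS_JSON = """{
    // constructed sample for the demo
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
            "problemMatcher": [],
        },
        {
            "label": "setup",
            "type": "shell",
            "command": "node",
            "args": ["scripts/setup.js"],
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },
        },
    ]
}
"""


def demo():
    repo = Path(tempfile.mkdtemp(prefix="repo-scan-"))
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON)
    return scan_repo(repo)


if __name__ == "__main__":
    for hit in demo():
        print(f"auto-run task {hit['label']!r} ({hit['type']}): {hit['command']}")
```

Run `scan_repo` on a freshly cloned assignment before opening it in the editor; any `folderOpen` task in a repository from an unknown party is reason to stop. VS Code's Workspace Trust is the built-in control for the same risk: a folder opened in Restricted Mode does not run its tasks automatically, so keeping the trust prompt enabled and declining it for recruiter-supplied repositories blocks this delivery step.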

OpenSourceMalware identified 13 versions of this operation spread across 27 GitHub accounts, with the earliest dating to April 22, 2025 and the latest created on December 1, 2025.

The researchers observed that the threat actors have almost entirely shifted to deploying malicious content through Vercel hosting. Earlier platforms like Fly.io, Render, and Platform.sh appear to have been abandoned.
