North Korean Threat Actors Exploit React2Shell Vulnerability with EtherRAT Malware
North Korean-linked threat actors have exploited React2Shell (CVE-2025-55182), a critical unauthenticated remote code execution flaw in React Server Components, to deploy a new malware implant tracked as EtherRAT. EtherRAT combines five independent Linux persistence mechanisms, command-and-control that reads tasking from Ethereum smart contracts (so its C2 traffic looks like ordinary JSON-RPC requests to a public Ethereum node), and the ability to download its own Node.js runtime rather than depending on one already being installed on the victim. The attack chain begins with remote code execution via a crafted HTTP request to the vulnerable component, followed by the download and execution of a malicious shell script that prepares the environment and drops the main JavaScript implant. Researchers note significant overlap with the "Contagious Interview" campaign, which targets blockchain and Web3 developers through fake job offers and coding assignments, but the blockchain-based C2 and self-contained runtime distinguish EtherRAT from that campaign's earlier tooling.
The exploitation of React2Shell began within hours of the vulnerability's public disclosure, with both North Korean and China-linked groups observed leveraging the flaw. Automated attacks have compromised at least 30 organizations across multiple sectors, resulting in credential theft, cryptomining, and the deployment of commodity backdoors. The EtherRAT campaign demonstrates the rapid weaponization of newly disclosed vulnerabilities and the increasing sophistication of North Korean cyber operations, particularly in targeting cloud environments and the JavaScript ecosystem.

How this story unfolded
Nine events, listed from the most recent confirmed update back to the earliest known activity.
Researchers publish mitigation and hunting guidance
Security researchers recommended immediate upgrades to patched React and Next.js versions as the only definitive mitigation for CVE-2025-55182. They also published indicators of compromise and detection guidance, including monitoring for Ethereum RPC traffic and Linux persistence artifacts tied to EtherRAT.
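The hunting guidance above turns on one observation: a contract-based C2 channel is, on the wire, nothing more than read-only Ethereum JSON-RPC (eth_call and friends) sent over HTTPS to a public RPC node, so a host that has no business talking to a blockchain and suddenly does is the signal. The scanner below is an added example written for this page, not code from any of the cited reports or from EtherRAT itself. The log format (one JSON object per line as a TLS-inspecting proxy might record it), the host names, the destination names and the contract address are all constructed placeholders, not indicators; the allow-list stands in for whatever baseline of legitimate Web3 development machines an organisation maintains.

```python
import json

# Read-only JSON-RPC methods a contract-based C2 client needs in order to fetch
# tasking from a smart contract. It never has to send a transaction, so
# eth_sendRawTransaction and similar write methods are deliberately absent.
ETH_READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt", "eth_blockNumber"}

def eth_rpc_calls(body):
    """Yield (method, contract_address_or_None) for every Ethereum JSON-RPC
    request found in an HTTP request body. Handles a single request and a
    JSON-RPC batch (a list); anything that is not JSON-RPC 2.0 yields nothing."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return
    for req in (doc if isinstance(doc, list) else [doc]):
        if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
            continue
        method = req.get("method", "")
        if not isinstance(method, str) or not method.startswith("eth_"):
            continue
        to_addr = None
        params = req.get("params")
        # eth_call carries the contract being read in params[0]["to"].
        if method == "eth_call" and isinstance(params, list) and params \
                and isinstance(params[0], dict):
            to_addr = params[0].get("to")
        yield method, to_addr

def scan_egress_log(lines, allowed_hosts=frozenset()):
    """Return one finding per Ethereum read call made by a host that is not on
    the allow-list. Malformed log lines are skipped, not fatal."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        src = rec.get("src_host")
        if src in allowed_hosts:
            continue
        for method, to_addr in eth_rpc_calls(rec.get("body", "")):
            if method in ETH_READ_METHODS:
                findings.append({"src": src, "dst": rec.get("dst"),
                                 "method": method, "to": to_addr})
    return findings

# ---- constructed sample data (not real traffic, not indicators) ----
def _log(src_host, dst, body):
    return json.dumps({"ts": "2025-12-05T10:00:00Z", "src_host": src_host,
                       "dst": dst, "body": body})

PLACEHOLDER_CONTRACT = "0x" + "0" * 39 + "1"   # placeholder address only
_CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                    "params": [{"to": PLACEHOLDER_CONTRACT, "data": "0x"}, "latest"]})

SAMPLE_LOG = [
    # A production web server reading a contract: suspicious.
    _log("web-prod-03", "rpc.example-node.invalid", _CALL),
    # The same call from an allow-listed Web3 developer workstation: expected.
    _log("dev-web3-01", "rpc.example-node.invalid", _CALL),
    # Ordinary JSON API traffic: ignored.
    _log("web-prod-03", "api.example.invalid", json.dumps({"user": "alice"})),
    # A JSON-RPC batch mixing a block query and a contract read: two findings.
    _log("web-prod-07", "rpc.example-node.invalid", json.dumps([
        {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
        json.loads(_CALL)])),
    # A truncated log line: skipped rather than crashing the scan.
    '{"ts": "2025-12-05T10:03:00Z", "src_host": "web-prod-09", "dst":',
]

if __name__ == "__main__":
    for f in scan_egress_log(SAMPLE_LOG, allowed_hosts={"dev-web3-01"}):
        print(f"{f['src']} -> {f['dst']}: {f['method']} to={f['to']}")
```

The check only sees plaintext bodies, so it needs a proxy that terminates TLS (or an EDR hook on the Node.js process); an implant that wraps its RPC calls in another encoding, or talks to a self-hosted node on a non-standard port, will not match. Tuning the allow-list is the real work: Web3 developer workstations will legitimately produce this traffic, while a Next.js production server almost never should.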
Unit 42 identifies Auto-color and KSwapDoor in the ecosystem
Unit 42 disclosed additional Linux backdoors seen in the React2Shell exploitation ecosystem, including Auto-color masquerading as a PAM library and a newly characterized backdoor named KSwapDoor. KSwapDoor was described as a stealthy persistent Linux server backdoor using a peer-to-peer mesh C2 design and masquerading as a kernel swap daemon.
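A backdoor that names itself after a kernel thread relies on defenders reading process lists by eye. Genuine kernel threads have no backing executable (readlink on /proc/<pid>/exe fails with ENOENT), an empty cmdline, and kthreadd (pid 2) as parent; a user-space process can copy the name but not those properties. The check below is an added example written for this page, not Unit 42's tooling or anything recovered from KSwapDoor; the use of the "kswapd" name is an assumption (the reporting only says "kernel swap daemon"), and the process table it runs against is constructed, with a hypothetical path standing in for wherever an impostor might actually live.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Names genuine kernel threads carry. "kswapd" is the assumed disguise here.
KERNEL_THREAD_NAME = re.compile(
    r"^(kswapd|kworker|ksoftirqd|kthreadd|kcompactd|migration|rcu_)")
EXE_DENIED = "<permission denied>"   # readlink refused; run as root to avoid

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm
    cmdline: str         # /proc/<pid>/cmdline, NUL separators turned into spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when the link does not exist

def claims_kernel_thread(p: Proc) -> bool:
    """True if the process presents itself as a kernel thread by name."""
    return bool(KERNEL_THREAD_NAME.match(p.comm)) or (
        p.cmdline.startswith("[") and p.cmdline.endswith("]"))

def is_fake_kernel_thread(p: Proc) -> bool:
    """A real kernel thread has no exe link and is pid 2 or a child of pid 2.
    Anything wearing a kernel-thread name that has a resolvable executable,
    or a different parent, is user-space code in disguise."""
    if not claims_kernel_thread(p):
        return False
    if p.exe is not None and p.exe != EXE_DENIED:
        return True
    return p.pid != 2 and p.ppid not in (0, 2)

def find_fake_kernel_threads(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_fake_kernel_thread(p)]

def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from /proc on a live Linux host."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/stat") as f:
            stat = f.read()
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
    except OSError:
        return None   # process exited while we were reading it
    # stat is "pid (comm) S ppid ..."; comm may contain spaces or parentheses,
    # so split on the last ')' before taking the fields.
    ppid = int(stat.rpartition(")")[2].split()[1])
    try:
        exe = os.readlink(f"{base}/exe")
    except FileNotFoundError:
        exe = None            # kernel thread (or zombie): no executable
    except PermissionError:
        exe = EXE_DENIED      # another user's process and we are not root
    return Proc(pid, ppid, comm, cmdline, exe)

def live_scan() -> List[Proc]:
    """Scan the running system. Needs root for the exe-link test to be decisive."""
    procs = [p for p in (read_proc(int(d)) for d in os.listdir("/proc")
                         if d.isdigit()) if p is not None]
    return find_fake_kernel_threads(procs)

# Constructed process table: the real kswapd0, an impostor with the same name,
# an ordinary daemon, and a "kworker" whose exe is unreadable but whose parent
# is a web server rather than kthreadd.
SAMPLE_PROCS = [
    Proc(pid=85, ppid=2, comm="kswapd0", cmdline="", exe=None),
    Proc(pid=4321, ppid=1, comm="kswapd0", cmdline="[kswapd0]",
         exe="/tmp/.cache/kswapd0"),                      # hypothetical path
    Proc(pid=912, ppid=1, comm="nginx", cmdline="nginx: master process",
         exe="/usr/sbin/nginx"),
    Proc(pid=5150, ppid=912, comm="kworker/u8:3", cmdline="", exe=EXE_DENIED),
]

if __name__ == "__main__":
    for p in find_fake_kernel_threads(SAMPLE_PROCS):
        print(f"pid {p.pid} comm={p.comm!r} ppid={p.ppid} exe={p.exe}")
```

The parent-pid rule catches the case where the exe link cannot be read; it also means a process that has reparented itself to pid 1 after a double fork still fails, because kernel threads are never children of init. Kernel-module rootkits that hide the process entirely are a different problem and not what this check addresses.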
Unit 42 details China-nexus and DPRK-overlapping post-exploitation
Palo Alto Networks Unit 42 reported that post-exploitation activity included a China-nexus cluster, CL-STA-1015, associated in reporting with UNC5174, using fileless shell scripts to deploy SNOWLIGHT and VShell. It also noted separate activity overlapping DPRK Contagious Interview tooling involving EtherRAT and EtherHiding, without formal attribution.
Sysdig links EtherRAT activity to DPRK-aligned tooling
Sysdig publicly reported EtherRAT as a new malware family deployed through React2Shell and said its tradecraft overlapped with North Korean Contagious Interview and Lazarus-associated tooling. The reporting highlighted blockchain-based C2, self-updating payloads, and a shell-script-to-JavaScript attack chain.
Researchers report broad React2Shell breach activity
By early December, at least 30 organizations across multiple sectors had reportedly been breached through React2Shell exploitation. Observed attacker actions included credential theft, cloud configuration theft attempts, cryptominer deployment, and installation of backdoors.
Compromised Next.js app yields new EtherRAT malware sample
Shortly after disclosure, researchers recovered a new malware implant named EtherRAT from a compromised Next.js application exploited via React2Shell. The implant used Ethereum smart contracts for command-and-control and included multiple Linux persistence mechanisms.
CISA adds CVE-2025-55182 to the KEV catalog
Following evidence of active exploitation, CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities list. This reflected the rapid operationalization of the flaw by threat actors.
Attackers begin exploiting React2Shell within hours
Researchers observed exploitation activity within hours of the December 3 disclosure, including automated scanning and early post-compromise activity. China-linked groups such as Earth Lamia and Jackpot Panda were reported among the first observed actors.
React2Shell vulnerability publicly disclosed
The critical unauthenticated remote code execution flaw in React Server Components' Flight protocol, tracked as CVE-2025-55182 and dubbed React2Shell, was publicly disclosed. The issue affected React 19 and related frameworks including Next.js.
Sources (7 references)
Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
unit42.paloaltonetworks.com
Breach Roundup: DPRK-Linked EtherRAT Targets React2Shell
govinfosecurity.com
Breach Roundup: DPRK-Linked EtherRAT Targets React2Shell
bankinfosecurity.com
North Korean Hackers Deploy EtherRAT Malware in React2Shell Exploits
hackread.com
EtherRAT Malware Hijacks Ethereum Blockchain for Covert C2 After React2Shell Exploit
securityonline.info
North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks
bleepingcomputer.com
North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware
thehackernews.com