React2Shell Exploitation Delivers EtherRAT via Blockchain C2
Threat actors have begun exploiting the recently disclosed React2Shell vulnerability in React Server Components (RSC), tracked as CVE-2025-55182, to deploy a novel remote access trojan named EtherRAT. The Sysdig Threat Research Team first documented EtherRAT in active attacks against Next.js applications, noting its use of the Ethereum blockchain for command and control (C2): the implant resolves its C2 infrastructure from a smart contract rather than from a hardcoded domain or IP address. EtherRAT is fileless, executing its payloads through Node.js without writing them to disk, and carries modules for system reconnaissance, credential harvesting, worm-like propagation, web server hijacking and SSH backdoor installation. The blockchain C2 design cuts both ways: there is no domain or server for defenders to sinkhole or take down, but every change the operators make to the contract is permanently and publicly recorded on Ethereum, leaving a forensic trail. Attribution remains uncertain. North Korean-linked actors are suspected, although the campaign deliberately excludes targets in Commonwealth of Independent States (CIS) countries, a pattern more typical of Russian-speaking cybercrime.
Further reporting notes that EtherRAT establishes five independent Linux persistence mechanisms and downloads its own Node.js runtime from nodejs.org, so removing the application's Node installation or clearing a single persistence hook is not enough to evict it. The campaign is the first public documentation of React2Shell being used for more than cryptomining, a significant escalation in post-exploitation capability. Defenders are advised to monitor for React2Shell exploitation attempts against RSC and Next.js endpoints, to treat outbound requests from web servers to Ethereum RPC endpoints or blockchain-explorer APIs as suspect (the implant has to read chain state to locate its C2, and few production web applications have a reason to), to review the contract's on-chain history for C2 indicators, and to harden credentials and endpoints against EtherRAT and similar fileless threats.
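The following is an added example and is not code from Sysdig or from the original article. It turns three traits the text attributes to EtherRAT (a Node.js runtime fetched from nodejs.org, fileless execution through Node, and C2 resolution through an Ethereum contract) into simple host and egress checks. The log lines, process records, IP addresses, allowed paths and contract address are all constructed for the demonstration; the use of `node -e` or stdin as the fileless execution vector is an assumption, not an observed indicator.

```python
"""Defender-side checks for EtherRAT-style tradecraft (added example, constructed data)."""
import json
import re
from typing import Iterable

# Node tarballs published at nodejs.org/dist (the page says the implant fetches its own runtime).
NODE_DIST_RE = re.compile(
    r"https?://nodejs\.org/dist/v\d+\.\d+\.\d+/node-v[\d.]+-linux-\w+\.tar\.(?:xz|gz)"
)
# JSON-RPC methods an implant would need to read contract state. Assumed, not observed.
ETH_RPC_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs", "eth_getCode"}
# Assumption: where a package-managed or approved Node binary may live on these servers.
ALLOWED_NODE_PREFIXES = ("/usr/bin/node", "/usr/local/bin/node", "/opt/node/")
# Assumption: the one host (a CI runner) allowed to download Node tarballs.
BUILD_HOSTS = {"10.0.9.5"}

# Constructed proxy log: "timestamp client method url".
SAMPLE_PROXY_LOG = """\
1734260000.101 10.0.4.12 GET https://registry.npmjs.org/next/-/next-15.0.0.tgz
1734260012.233 10.0.4.12 GET https://nodejs.org/dist/v22.11.0/node-v22.11.0-linux-x64.tar.xz
1734260031.512 10.0.9.5 GET https://nodejs.org/dist/v22.11.0/node-v22.11.0-linux-x64.tar.xz
1734260040.004 10.0.4.13 GET https://deb.debian.org/debian/dists/bookworm/InRelease
"""

# Constructed egress records that include request bodies (e.g. from a TLS-inspecting proxy).
SAMPLE_EGRESS = [
    {"client": "10.0.4.12", "url": "https://registry.npmjs.org/react", "body": ""},
    {"client": "10.0.4.12", "url": "https://eth-rpc.example/v1", "body": json.dumps({
        "jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": "0x1111111111111111111111111111111111111111", "data": "0x"}, "latest"],
    })},
]

# Constructed process table: (pid, executable path, command line).
SAMPLE_PROCS = [
    (1201, "/usr/bin/node", "node /srv/app/server.js"),
    (1877, "/tmp/.cache/node-v22.11.0-linux-x64/bin/node", "node -e 'process.stdin.pipe(process.stdout)'"),
    (2002, "/usr/bin/python3", "python3 app.py"),
]


def find_runtime_downloads(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, url) for nodejs.org tarball fetches from hosts that should not build anything."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        if client not in BUILD_HOSTS and NODE_DIST_RE.search(url):
            hits.append((client, url))
    return hits


def find_eth_rpc_calls(records: list[dict]) -> list[tuple[str, str]]:
    """Return (client, method) for Ethereum JSON-RPC reads, including batched requests."""
    hits = []
    for rec in records:
        try:
            body = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            continue
        for call in body if isinstance(body, list) else [body]:
            if isinstance(call, dict) and call.get("jsonrpc") == "2.0" \
                    and call.get("method") in ETH_RPC_METHODS:
                hits.append((rec["client"], call["method"]))
    return hits


def find_rogue_node_processes(procs: list[tuple[int, str, str]]) -> list[tuple[int, str, str]]:
    """Flag node binaries outside approved paths, or node evaluating code from -e/--eval/stdin."""
    hits = []
    for pid, exe, cmdline in procs:
        if exe.rsplit("/", 1)[-1] != "node":
            continue
        off_path = not exe.startswith(ALLOWED_NODE_PREFIXES)
        padded = f" {cmdline.strip()} "
        inline = " -e " in padded or " --eval " in padded or padded.endswith(" - ")
        if off_path or inline:
            hits.append((pid, exe, "off-path" if off_path else "inline-eval"))
    return hits


if __name__ == "__main__":
    print(find_runtime_downloads(SAMPLE_PROXY_LOG.splitlines()))
    print(find_eth_rpc_calls(SAMPLE_EGRESS))
    print(find_rogue_node_processes(SAMPLE_PROCS))
```

Each check alone produces noise (developers fetch Node, some services legitimately talk to Ethereum); the signal is the same web-serving host tripping two or three of them, which is why the functions key every hit by client or pid so they can be joined.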

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Sysdig analyzes EtherRAT payloads and questions DPRK attribution
Sysdig published a detailed analysis of EtherRAT after recovering live payloads, documenting five modules for reconnaissance, credential and crypto theft, worming, web server hijacking, and SSH persistence. The company said attribution remains uncertain because some indicators suggested a DPRK nexus while CIS-exclusion behavior and other artifacts aligned more with Russian or Eastern European cybercrime patterns.
React2Shell exploit campaign deploys EtherRAT via blockchain C2
Threat actors exploited React2Shell (CVE-2025-55182) to deliver EtherRAT, a fileless Node.js implant that uses an Ethereum smart contract to resolve command-and-control infrastructure. Reporting described the campaign as active and rapidly weaponized after the vulnerability's disclosure and KEV listing.
Kroll reports Storm-0249 shift to EDR evasion and ClickFix lures
Kroll's December 15 briefing said Storm-0249 had changed tactics to target EDR solutions through DLL sideloading and social engineering. The actor was also observed using the ClickFix technique to trick users into executing malicious commands.
Palo Alto Unit 42 identifies new 01FLIP ransomware family
Palo Alto Networks' Unit 42 discovered a new ransomware family named 01FLIP that targets Windows systems. Encrypted files are renamed with a .01flip extension.
CISA publishes details on BRICKSTORM malware
CISA released technical details on BRICKSTORM, malware described as enabling full system control and data exfiltration, adding public technical information about its capabilities.
Fortinet patches 18 vulnerabilities including two critical flaws
Fortinet released fixes for 18 vulnerabilities, including critical flaws CVE-2025-59718 and CVE-2025-59719 with CVSS scores of 9.1 and 9.8. The update was highlighted in Kroll's December 15 threat briefing.
Microsoft releases December Patch Tuesday fixes
Microsoft addressed 70 vulnerabilities in its December 2025 Patch Tuesday release, including one zero-day. The broader set of Microsoft and Edge updates covered 154 issues in total.