Malware: EtherRAT — React Server Components–Based Remote Access Trojan

Threat classification

  • Malware family: Remote Access Trojan (RAT)
  • Primary target: Internet-exposed Linux web servers
  • Initial access vector: React Server Components RCE (React2Shell / CVE-2025-55182)
  • Suspected attribution: North Korea–aligned threat activity (based on infrastructure and tradecraft)
  • Objective: Long-term persistent access, intelligence collection, lateral movement

Executive summary

Security researchers have confirmed that a North Korea–associated threat actor is actively exploiting a critical React Server Components vulnerability (CVE-2025-55182), commonly referred to as React2Shell, to gain unauthenticated remote code execution on vulnerable web servers.

Following successful exploitation, attackers deploy EtherRAT, a stealth-focused Linux remote access trojan that uses blockchain-based command-and-control, legitimate software abuse, and multiple persistence layers to maintain long-term access.

This activity poses a high risk due to:

  • Internet-exploitable initial access
  • Silent post-exploitation behavior
  • Difficulty in detecting and dismantling command-and-control
  • Strong potential for data theft and lateral movement

1. Vulnerability overview: React2Shell (CVE-2025-55182)

Affected technology

  • React Server Components (RSC)
  • Commonly exposed via Next.js App Router
  • Affected packages include:
    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack
  • Impacted React versions observed in the wild include 19.0.0 through 19.2.0

Root cause

React Server Components rely on a structured protocol (“Flight”) that allows the browser to send serialized component data back to the server. In vulnerable versions:

  • Input validation was insufficient
  • Crafted object structures could manipulate internal logic
  • This resulted in server-side code execution
  • No authentication was required if the endpoint was exposed

Security impact

  • Remote Code Execution (RCE)
  • Full compromise of the web service context
  • Access to environment variables, secrets, tokens, and internal networks

2. Initial exploitation flow

  1. Attacker scans for exposed RSC endpoints
  2. A specially crafted HTTP request is sent to the server
  3. The React runtime processes malicious serialized input
  4. Arbitrary commands are executed on the server
  5. The attacker transitions immediately into post-exploitation

At this point, the system must be considered fully compromised, even if no visible changes are observed.


3. Post-exploitation: EtherRAT deployment

First-stage behavior

After gaining execution, attackers typically:

  • Perform environment checks
  • Download a secondary shell script or loader
  • Execute it immediately
  • Remove or overwrite traces of the initial dropper

Observed staging infrastructure:

  • IP address: 193.24.123.68
  • Port: 3001
  • Example staging resource:
    /gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh

This infrastructure has been used to deliver the EtherRAT payload.


4. EtherRAT technical design

a. Language and execution model

EtherRAT is written in JavaScript and executed via Node.js.

Instead of relying on a preinstalled runtime, the malware:

  • Downloads a legitimate Node.js binary directly from:
    • https://nodejs.org/dist/v20.10.0/
  • Stores it in a hidden user directory
  • Executes the RAT using that trusted binary

This approach:

  • Evades signature-based detection
  • Blends into normal development tooling
  • Avoids suspicious binary drops

b. Command-and-control via Ethereum

EtherRAT does not rely on a traditional C2 domain.

Instead:

  1. The malware connects to public Ethereum JSON-RPC endpoints
  2. Uses the eth_call method
  3. Queries a hardcoded smart contract
  4. Parses encoded data from the response

Observed Ethereum smart contract address:

  • 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4

This contract provides:

  • C2 server locations
  • Communication instructions
  • Update mechanisms

Why this is effective

  • No fixed C2 domain to block
  • Blockchain infrastructure is resilient
  • Contract data can be updated without redeploying malware
  • Attribution and takedown are significantly harder

c. Network behavior indicators

Observed communication patterns include:

  • HTTP requests with randomized paths ending in:
    • .png
    • .jpg
    • .gif
    • .css
    • .ico
    • .webp
  • Custom HTTP header observed:
    • X-Bot-Server
  • Periodic beaconing with timing jitter
  • Ethereum JSON-RPC traffic originating from web servers that normally never interact with blockchain networks

5. Persistence mechanisms (multiple layers)

EtherRAT establishes redundant persistence, ensuring survival even if one method is removed.

Observed techniques include:

1. Cron jobs

  • Malicious scheduled tasks added to user crontabs
  • Often disguised with generic or random names

2. Systemd user services

  • Files under:
    • ~/.config/systemd/user/
  • Automatically launched at login or system start
  • Less visible than system-wide services

3. XDG autostart entries

  • Located in:
    • ~/.config/autostart/
  • Marked with:
    • Hidden=true
    • NoDisplay=true
  • Prevents visibility in desktop environments

4. Shell profile modification

  • .bashrc
  • .profile
  • .bash_profile

These files are modified to relaunch the RAT whenever a shell session starts.

5. Hidden storage locations

  • Example observed directory pattern:
    • ~/.local/share/.05bf0e9b/
  • Randomized names per victim
  • Contains:
    • Node.js binary
    • JavaScript RAT files
    • Configuration artifacts

6. Self-update and evasion

Once EtherRAT establishes C2:

  • It uploads its own source code to the attacker
  • Receives a modified version in response
  • Overwrites itself on disk

This allows:

  • Rapid re-obfuscation
  • Signature evasion
  • Functional updates without redeployment

7. Attacker capabilities and impact

With EtherRAT active, attackers can:

  • Execute arbitrary commands
  • Upload and exfiltrate files
  • Harvest credentials and secrets
  • Monitor activity
  • Pivot into internal systems
  • Maintain persistent access over long periods

Impact assessment:
Any affected server should be treated as fully compromised, with high risk of data exposure and further intrusion.


8. Detection and hunting guidance

Network IoCs

  • 193.24.123[.]68[:]3001
  • Outbound connections to Ethereum RPC endpoints
  • Unexpected downloads from nodejs[.]org
  • Static-file-mimicking HTTP traffic
  • Presence of X-Bot-Server header
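Pulling together the C2 lookup from section 4b, the traffic patterns from section 4c and the indicators listed above, the following added Python example (not code from the report or from any vendor tool) scores egress-proxy records from a web server: the staging server, a Node.js download from nodejs.org, the X-Bot-Server header, any eth_ JSON-RPC method and in particular an eth_call whose "to" field is the observed contract, and high-entropy paths dressed up as static assets. The record layout, the sample records and the entropy threshold are assumptions made for the example.

```python
import json
import math
from collections import Counter

# Indicators named in the report above.
STAGING = ("193.24.123.68", 3001)
C2_CONTRACT = "0x22f96d61cf118efabc7c5bf3384734fad2f6ead4"
BEACON_HEADER = "x-bot-server"
STATIC_EXTS = (".png", ".jpg", ".gif", ".css", ".ico", ".webp")


def _entropy(s):  # Shannon entropy in bits per character; the 'randomised path' heuristic
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0


def score_record(rec):
    """Return (severity, reason) hits for one egress record: host, port, path, headers, body."""
    hits = []
    host, path = rec.get("host", ""), rec.get("path", "")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if (host, rec.get("port")) == STAGING:
        hits.append(("high", "connection to known staging server"))
    if host.endswith("nodejs.org") and path.startswith("/dist/"):
        hits.append(("medium", "Node.js runtime download from nodejs.org"))
    if BEACON_HEADER in headers:
        hits.append(("high", "X-Bot-Server header present"))
    try:  # JSON-RPC body: an eth_call against the hardcoded contract is the C2 lookup itself
        rpc = json.loads(rec.get("body") or "null")
    except ValueError:
        rpc = None
    if isinstance(rpc, dict) and str(rpc.get("method", "")).startswith("eth_"):
        first = (rpc.get("params") or [None])[0]
        to = str(first.get("to", "")).lower() if isinstance(first, dict) else ""
        hits.append(("high", "JSON-RPC call targeting EtherRAT C2 contract") if to == C2_CONTRACT
                    else ("medium", "Ethereum JSON-RPC from a web server"))
    stem, dot, ext = path.rsplit("/", 1)[-1].rpartition(".")  # static-asset look-alike path
    if dot and "." + ext in STATIC_EXTS and len(stem) >= 12 and _entropy(stem) > 3.5:  # threshold is an assumption
        hits.append(("low", "high-entropy path mimicking a static asset"))
    return hits


SAMPLE_RECORDS = [  # constructed for this example, not real captures
    {"host": "193.24.123.68", "port": 3001, "path": "/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh", "headers": {}, "body": ""},
    {"host": "rpc.example.invalid", "port": 443, "path": "/", "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": C2_CONTRACT, "data": "0x"}, "latest"]})},
    {"host": "203.0.113.10", "port": 80, "path": "/a9f3kz0qpl2x7mve.png", "headers": {"X-Bot-Server": "1"}, "body": ""},
    {"host": "cdn.example.com", "port": 443, "path": "/logo.png", "headers": {}, "body": ""},
]


def hunt(records=SAMPLE_RECORDS):  # record index -> hits, clean records omitted
    return {i: score_record(r) for i, r in enumerate(records) if score_record(r)}
```

A web server that legitimately uses a blockchain RPC will trip the medium rule, so tune the allow-list per application before wiring this into alerting.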

Host-based IoCs

  • Hidden directories under:
    • ~/.local/share/
    • ~/.cache/
  • Unexpected Node.js binaries
  • New systemd user services
  • Modified shell profiles
  • Unauthorized cron jobs
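To turn the host-based IoCs above and the persistence layers in section 5 into a repeatable check, here is an added Python example (not the report's or any vendor's tooling) that audits one user's home directory for hidden storage under ~/.local/share or ~/.cache holding a node binary or JavaScript files, systemd user units and shell profiles that point into such a directory, and autostart entries marked Hidden=true or NoDisplay=true. The demo home it builds, with a constructed ~/.local/share/.05bf0e9b-style directory, is an assumption for illustration; cron entries live outside the home directory and are not covered here.

```python
import os
import re
import tempfile

PROFILES = (".bashrc", ".profile", ".bash_profile")
# Reference to a hidden directory under ~/.local/share or ~/.cache, e.g. .local/share/.05bf0e9b
HIDDEN_REF = re.compile(r"\.(?:local/share|cache)/\.[A-Za-z0-9_-]+")


def _lines(path):
    try:
        return open(path, encoding="utf-8", errors="replace").read().splitlines()
    except OSError:
        return []


_entries = lambda d: [os.path.join(d, n) for n in sorted(os.listdir(d))] if os.path.isdir(d) else []


def audit_home(home):
    """Return (technique, path, detail) findings for one user's home directory."""
    findings = []
    for parent in (".local/share", ".cache"):  # 1. hidden storage with a node binary or JS payload
        for d in _entries(os.path.join(home, parent)):
            names = os.listdir(d) if os.path.isdir(d) else []
            if os.path.basename(d).startswith(".") and ("node" in names or any(n.endswith(".js") for n in names)):
                findings.append(("hidden-storage", d, ",".join(sorted(names))))
    targets = [(u, "systemd-user") for u in _entries(os.path.join(home, ".config/systemd/user"))]
    targets += [(os.path.join(home, p), "shell-profile") for p in PROFILES]
    for path, technique in targets:  # 2. user units and 4. shell profiles pointing into a hidden directory
        for line in _lines(path):
            if HIDDEN_REF.search(line):
                findings.append((technique, path, line.strip()))
    for desktop in _entries(os.path.join(home, ".config/autostart")):  # 3. autostart entries hidden from the desktop
        flags = [l.strip() for l in _lines(desktop) if l.strip() in ("Hidden=true", "NoDisplay=true")]
        if flags:
            findings.append(("xdg-autostart", desktop, ";".join(flags)))
    return findings


def build_demo_home():
    """Create a throwaway home directory with constructed EtherRAT-style artifacts (not a real sample)."""
    home = tempfile.mkdtemp(prefix="etherrat-demo-")
    hidden = os.path.join(home, ".local/share/.05bf0e9b")
    files = {
        hidden + "/node": "", hidden + "/app.js": "// placeholder payload",
        ".config/systemd/user/update.service": "[Service]\nExecStart=%s/node %s/app.js\n" % (hidden, hidden),
        ".config/autostart/update.desktop": "[Desktop Entry]\nHidden=true\nNoDisplay=true\n",
        ".bashrc": "alias ll='ls -l'\n~/.local/share/.05bf0e9b/node ~/.local/share/.05bf0e9b/app.js &\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(p := os.path.join(home, rel)), exist_ok=True)  # absolute keys stay absolute
        open(p, "w").write(body)
    return home
```

Run audit_home() against every home directory the web service account could write to, and treat findings across more than one technique as the redundant persistence the report describes.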

Behavioral red flags (high confidence)

  • Web server spawning:
    • bash
    • sh
    • curl
    • wget
    • python
  • Node.js processes unrelated to the application
  • Persistence reappearing after removal

9. Remediation and response

  1. Patch immediately
    • Upgrade React to patched versions
    • Redeploy clean builds
  2. Contain
    • Restrict outbound traffic from web servers
    • Monitor or block Ethereum RPC where feasible
  3. Eradicate persistence
    • Audit cron, systemd user services, autostart, shell profiles
    • Remove all malicious artifacts in one coordinated action
  4. Rotate credentials
    • API keys
    • Database credentials
    • Cloud tokens
    • SSH keys
  5. Investigate lateral movement
    • Review logs from adjacent systems
    • Inspect CI/CD pipelines and secrets usage

Final takeaway

This campaign demonstrates a modern, state-sponsored intrusion model:

  • Exploit a popular framework
  • Abuse trusted tooling
  • Use decentralized infrastructure for resilience
  • Prioritize stealth and persistence over speed

React2Shell is merely the entry point. EtherRAT is the real threat, and its presence indicates a highly capable, patient adversary with long-term objectives.

Aegiron
