North Korean Hackers Deploy EtherRAT Malware in React2Shell Exploits
hackread.com
Sysdig discovered North Korea-linked EtherRAT, a stealthy new backdoor using Ethereum smart contracts for C2 after exploiting the critical React2Shell vulnerability (CVE-2025-55182).
A team of cybersecurity researchers at Sysdig, a firm specialising in protecting cloud and container-based apps, has found a new malware called EtherRAT being deployed to exploit the severe CVE-2025-55182 React2Shell vulnerability.
The discovery was made on December 5, 2025, just two days after the vulnerability was publicly revealed.
A Maximum Severity Vulnerability
This flaw was first disclosed on December 3, 2025, by researcher Lachlan Davidson and affects React Server Components (RSCs), including frameworks like Next.js. It is a maximum-severity issue that allows an unauthenticated attacker to perform Remote Code Execution (RCE) on a server via an unsafe deserialization flaw. CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalogue on December 5, 2025, confirming it was actively being used in attacks.
From Basic Theft to ...

