React2Shell Attacks Linked to North Korean Hackers

Posted on December 9, 2025 By CWS

Some of the attacks exploiting the recently emerged React vulnerability dubbed React2Shell appear to have been conducted by North Korean threat actors, according to cybersecurity firm Sysdig.

The React2Shell vulnerability, officially tracked as CVE-2025-55182, can be exploited for unauthenticated remote code execution. The flaw affects version 19 of the React open source library for creating application user interfaces.

In addition to React, CVE-2025-55182 affects other related frameworks, including Next.js, Waku, React Router, and RedwoodSDK.

While React powers tens of millions of applications, the actual number of vulnerable instances appears to be relatively small, with the Shadowserver Foundation seeing roughly 70,000 affected systems.

The existence of React2Shell came to light on December 3 and in-the-wild exploitation commenced shortly after.

[ Read: Cloudflare Outage Caused by React2Shell Mitigations ]

Based on the currently available information, China-linked threat groups were the first to exploit the vulnerability. Exploitation quickly surged, with the cybersecurity community seeing attacks involving AWS credential theft, malware deployment (botnets), and cryptocurrency miners.

Sysdig has observed sophisticated attacks involving the deployment of EtherRAT, which the company described as a persistent access implant “that combines techniques from at least three documented campaigns into a single, previously unreported attack chain.”

“EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys 5 independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” the security firm explained. “This combination of capabilities has not been previously observed in React2Shell exploitation.”

Sysdig’s analysis unearthed overlaps with the North Korea-linked campaign dubbed Contagious Interview, in which threat actors deliver malware to people associated with cryptocurrency and blockchain technologies through fake job interviews. The ultimate goal of the campaign is the theft of cryptocurrency from victims.

In the EtherRAT attack, React2Shell is exploited to execute a shell command for downloading and executing a shell script designed to deploy a JavaScript implant. This implant is a dropper that decrypts the main payload, EtherRAT.

“The encrypted loader pattern used in EtherRAT closely matches the DPRK-affiliated BeaverTail malware used in the Contagious Interview campaigns,” Sysdig said.

It added, “Notably, while Lazarus Group and other DPRK-affiliated threat actors historically bundle Node.js with their payloads, the sample we identified downloads Node.js from the official nodejs.org distribution. This represents a significant evolution in tradecraft: trading a smaller payload size for reduced detection risk.”

While the uncovered evidence seems to point to Lazarus or a different North Korean threat actor exploiting React2Shell as the initial delivery vector (instead of fake job interviews), the security firm admits it’s also possible that “another sophisticated actor may be combining techniques from multiple documented campaigns to complicate attribution”.
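The chain described above (a web application process running a shell, a Node.js runtime being fetched from nodejs.org, and a new `node` binary then executing) can be hunted for in process-execution telemetry. The following is an added detection example, not code from Sysdig or the original article; the event fields, PIDs, paths, trusted directories and rule names are assumptions, and the sample events are constructed.

```python
import os

SHELLS = {"sh", "bash", "dash"}
TRUSTED_NODE_DIRS = ("/usr/bin/", "/usr/local/bin/")  # assumption: packaged node location
RUNTIME_HOST = "nodejs.org"  # download source named in the article

# Constructed process events; the version in the URL is a placeholder.
EVENTS = [
    {"pid": 100, "ppid": 1, "exe": "/usr/bin/node", "cmd": "node server.js"},
    {"pid": 210, "ppid": 100, "exe": "/bin/sh", "cmd": "sh -c ./s.sh"},
    {"pid": 213, "ppid": 210, "exe": "/usr/bin/curl",
     "cmd": "curl -sO https://nodejs.org/dist/vX.Y.Z/node-vX.Y.Z-linux-x64.tar.xz"},
    {"pid": 230, "ppid": 210, "exe": "/home/app/.cache/n/bin/node", "cmd": "node loader.js"},
    # Unrelated admin activity that must not be flagged:
    {"pid": 300, "ppid": 1, "exe": "/usr/bin/curl", "cmd": "curl https://nodejs.org/dist/index.json"},
]

def descends_from(pid, roots, by_pid):
    """Walk the ppid chain; True if any ancestor is a monitored server process."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in roots:
            return True
    return False

def detect(events, server_pids):
    """Return (pid, rule) findings for descendants of the web application process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not descends_from(e["pid"], server_pids, by_pid):
            continue
        name = os.path.basename(e["exe"])
        if name in SHELLS:
            findings.append((e["pid"], "shell_spawned_by_server"))
        if RUNTIME_HOST in e["cmd"]:  # substring match on the command line
            findings.append((e["pid"], "runtime_download_by_server_child"))
        if name == "node" and not e["exe"].startswith(TRUSTED_NODE_DIRS):
            findings.append((e["pid"], "node_from_unexpected_path"))
    return findings

if __name__ == "__main__":
    for pid, rule in detect(EVENTS, server_pids={100}):
        print(pid, rule)
```

Because the runtime comes from a legitimate host, the download alone is weak evidence; the signal is that it happens beneath the server process and is followed by `node` running from an unexpected path.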
