Particle.news

EtherRAT Malware Surfaces in React2Shell Attacks as Researchers Flag DPRK Overlaps

Researchers describe blockchain-based command-and-control that favors long-term access.

Overview

  • Sysdig recovered the previously undocumented EtherRAT from a compromised Next.js application days after the disclosure of the critical React2Shell flaw CVE-2025-55182.
  • The implant resolves its command server via an Ethereum smart contract using majority consensus across nine public RPC providers to resist takedowns and single-node poisoning.
  • EtherRAT establishes five redundant Linux persistence methods—cron jobs, .bashrc injection, XDG autostart, a systemd user service, and profile injection—to maintain access.
  • The attack chain downloads a legitimate Node.js runtime from nodejs.org, runs an obfuscated JavaScript dropper that decrypts an AES-256-CBC-encrypted payload, and launches the implant with that runtime.
  • Sysdig reports overlaps with the North Korea-linked Contagious Interview campaign and BeaverTail tooling but stops short of attribution. It advises patching React/Next.js services urgently, hunting for the persistence artifacts listed above, monitoring outbound traffic to Ethereum RPC providers, and rotating credentials on affected hosts.
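The contract-based resolution in the second bullet is worth seeing in code, because it explains why poisoning one RPC node does not redirect the implant. The Python below is an added example written for this page, not EtherRAT's code or Sysdig's tooling: it builds the JSON-RPC `eth_call` that a lookup like this uses, queries a list of providers, keeps only well-formed answers, and accepts a value only when a strict majority of the answering providers agree and at least `quorum` providers answered. The contract address, calldata, provider URLs and the returned C2 string are placeholders; the ABI string encoding assumed for the return value is a guess at the contract's interface, which the page does not describe. An analyst who has recovered the real address and calldata from a sample can run the same lookup to track where the C2 currently points.

```python
import json
from collections import Counter
from typing import Callable, Dict, List, Optional

# Placeholders (assumptions, not values from the report): the contract the
# implant queries and the 4-byte selector of its view function.
CONTRACT = "0x" + "ab" * 20
CALLDATA = "0x" + "00" * 4
# Hypothetical provider URLs; the real set of nine is not listed on the page.
PROVIDERS = [f"https://rpc{i}.example/eth" for i in range(1, 10)]


def eth_call_request(contract: str, calldata: str, req_id: int = 1) -> str:
    """Build a JSON-RPC 2.0 eth_call body (this is the real wire format)."""
    return json.dumps({
        "jsonrpc": "2.0", "id": req_id, "method": "eth_call",
        "params": [{"to": contract, "data": calldata}, "latest"],
    })


def abi_encode_string(s: str) -> str:
    """ABI-encode a single dynamic `string` return value as 0x-hex."""
    raw = s.encode()
    pad = (-len(raw)) % 32
    body = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + raw + b"\0" * pad
    return "0x" + body.hex()


def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string: offset word, length word, then bytes."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length].decode()


def majority(values: List[str], quorum: int) -> Optional[str]:
    """Value reported by a strict majority of the answering providers, if at
    least `quorum` providers answered; otherwise None (no decision)."""
    if len(values) < quorum:
        return None
    value, count = Counter(values).most_common(1)[0]
    return value if count * 2 > len(values) else None


def resolve_with_consensus(providers: List[str],
                           transport: Callable[[str, str], str],
                           quorum: int = 5) -> Optional[str]:
    """Query every provider, discard failures and error replies, vote."""
    body = eth_call_request(CONTRACT, CALLDATA)
    answers: List[str] = []
    for url in providers:
        try:
            reply = json.loads(transport(url, body))
        except Exception:          # timeout, connection refused, bad JSON ...
            continue
        if isinstance(reply.get("result"), str):
            answers.append(reply["result"])
    winner = majority(answers, quorum)
    return abi_decode_string(winner) if winner else None


# --- constructed sample: what nine providers might return for one query ---
GOOD_C2 = "http://c2.example:8080"   # constructed value, not a real indicator
_GOOD = json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(GOOD_C2)})
_POISONED = json.dumps({"jsonrpc": "2.0", "id": 1,
                        "result": abi_encode_string("http://sinkhole.example")})
SAMPLE_REPLIES: Dict[str, Optional[str]] = {
    PROVIDERS[0]: _GOOD, PROVIDERS[1]: _GOOD, PROVIDERS[2]: _POISONED,
    PROVIDERS[3]: _GOOD, PROVIDERS[4]: None,          # None = timeout
    PROVIDERS[5]: _GOOD, PROVIDERS[6]: None, PROVIDERS[7]: _GOOD,
    PROVIDERS[8]: json.dumps({"jsonrpc": "2.0", "id": 1,
                              "error": {"code": -32000, "message": "execution reverted"}}),
}


def fake_transport(url: str, body: str) -> str:
    """Offline stand-in for an HTTP POST to the provider."""
    reply = SAMPLE_REPLIES[url]
    if reply is None:
        raise TimeoutError(url)
    return reply


if __name__ == "__main__":
    print(resolve_with_consensus(PROVIDERS, fake_transport))
```

With one poisoned reply, two timeouts and one reverted call, five of six usable answers still agree, so the lookup succeeds; raise `quorum` above the number of responders and it returns None rather than trusting a thin sample. A takedown therefore has to control the contract state itself, or a majority of the providers, not a single endpoint.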
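The five persistence mechanisms in the third bullet are the places a responder should enumerate first. The Python below is an added example, not Sysdig's tooling: given a home directory and the text of `crontab -l`, it reports what each mechanism executes (cron jobs, `.bashrc` and profile lines, XDG autostart `Exec=` entries, user systemd `ExecStart=` entries) and flags commands that invoke a `node` binary outside the system paths, which fits the report's note that the chain drops its own Node.js runtime. The rc-line filter and the node-path check are heuristics of my own, since the page gives no file names, paths or hashes; the fixture it builds is constructed sample data, not real indicators.

```python
import os
import re
import tempfile
from typing import List, NamedTuple


class Finding(NamedTuple):
    mechanism: str
    source: str
    command: str
    user_node: bool   # heuristic: runs a node binary outside system dirs


# Heuristics (assumptions, not indicators from the report): an rc/profile
# line that backgrounds a process or runs from a hidden dir under $HOME,
# and a command whose `node` binary does not live under /usr, /bin or /opt.
_RC_SUSPECT = re.compile(
    r"&\s*$|\bnohup\b|\bsetsid\b|\bdisown\b|(?:\$HOME|~)/\.\w|/\.local/|/\.cache/")
_USER_NODE = re.compile(r"(?:^|\s)(?!/usr/|/bin/|/opt/)\S*/node(?:\s|$)")


def _read(path: str) -> List[str]:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def parse_crontab(text: str) -> List[str]:
    """Command part of each job line in `crontab -l` output."""
    cmds = []
    for ln in text.splitlines():
        s = ln.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue                      # blank, comment, VAR=value
        parts = s.split(None, 1) if s.startswith("@") else s.split(None, 5)
        if len(parts) == (2 if s.startswith("@") else 6):
            cmds.append(parts[-1])
    return cmds


def _key_values(path: str, key: str) -> List[str]:
    """Values of `key=` lines in an INI-style .desktop or .service file."""
    pat = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.+?)\s*$")
    return [m.group(1) for ln in _read(path) if (m := pat.match(ln))]


def collect_persistence(home: str, crontab_text: str = "") -> List[Finding]:
    """Enumerate the five user-level mechanisms and return what each runs."""
    found: List[Finding] = []

    def add(mech: str, src: str, cmd: str) -> None:
        found.append(Finding(mech, src, cmd, bool(_USER_NODE.search(cmd))))

    for cmd in parse_crontab(crontab_text):
        add("cron", "crontab -l", cmd)
    for rc in (".bashrc", ".profile", ".bash_profile", ".zshrc"):
        path = os.path.join(home, rc)
        for ln in _read(path):
            s = ln.strip()
            if s and not s.startswith("#") and _RC_SUSPECT.search(s):
                add("bashrc" if rc == ".bashrc" else "profile", path, s)
    for sub, ext, key, mech in (
        (("autostart",), ".desktop", "Exec", "xdg-autostart"),
        (("systemd", "user"), ".service", "ExecStart", "systemd-user"),
    ):
        d = os.path.join(home, ".config", *sub)
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(ext):
                    for cmd in _key_values(os.path.join(d, name), key):
                        add(mech, os.path.join(d, name), cmd)
    return found


# --- constructed fixture so the hunt can be exercised offline ---
_NODE = "$HOME/.cache/node/bin/node $HOME/.cache/app.js"   # invented, not an IOC
SAMPLE_CRONTAB = ("# m h dom mon dow cmd\nSHELL=/bin/bash\n"
                  f"@reboot {_NODE}\n*/5 * * * * {_NODE}\n")


def build_sample_home() -> str:
    """Create a throwaway $HOME carrying one entry per mechanism."""
    home = tempfile.mkdtemp(prefix="hunt-")
    os.makedirs(os.path.join(home, ".config", "autostart"))
    os.makedirs(os.path.join(home, ".config", "systemd", "user"))
    files = {
        ".bashrc": f"# aliases\nexport PATH=$PATH:/usr/local/bin\nnohup {_NODE} >/dev/null 2>&1 &\n",
        ".profile": f"umask 022\n( {_NODE} & )\n",
        ".config/autostart/update.desktop": f"[Desktop Entry]\nType=Application\nName=Update\nExec={_NODE}\n",
        ".config/systemd/user/update.service": f"[Unit]\nDescription=Update\n[Service]\nExecStart={_NODE}\nRestart=always\n",
    }
    for rel, text in files.items():
        with open(os.path.join(home, rel), "w") as fh:
            fh.write(text)
    return home


if __name__ == "__main__":
    for f in collect_persistence(build_sample_home(), SAMPLE_CRONTAB):
        print(f"{f.mechanism:14} {'NODE' if f.user_node else '    '} {f.command}  [{f.source}]")
```

Run it against a real account as `collect_persistence(os.path.expanduser("~"), subprocess.check_output(["crontab", "-l"], text=True))` and review every line it prints; system-wide locations (`/etc/cron.d`, `/etc/profile.d`, system units) are outside this user-level sweep and need a separate pass. The benign `export PATH` line in the fixture is deliberately left unflagged to show the filter is not simply "every line in .bashrc".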