Threat Group – DPRK linked operators with overlaps to earlier blockchain focused campaigns and China nexus groups exploiting React2Shell in parallel for other payloads
Threat Type – Remote access trojan deployed through a critical web application remote code execution vulnerability
Exploited Vulnerabilities – CVE-2025-55182 React2Shell unsafe deserialisation in the React Server Components Flight protocol under default configurations
Malware Used – EtherRAT Ethereum backed implant delivered via shell based stagers, Node.js runtime abuse and multi stage persistence
Threat Score – 8.7 🔥 Critical due to unauthenticated exploitation, broad framework impact, resilient blockchain based command and control and aggressive persistence, combined with confirmed activity by advanced state linked operators
Last Threat Observation – EtherRAT campaigns publicly reported and analysed from 8 December 2025 onward

Overview

React2Shell is a critical unauthenticated remote code execution flaw in the React Server Components Flight protocol. Attackers can send a single crafted HTTP request to gain code execution under default configurations of multiple frameworks, including React 19 Server Components and App Router based Next.js deployments.

Exploitation in the wild has split into two streams. China nexus groups such as Earth Lamia and Jackpot Panda weaponised the bug for cryptomining, theft of cloud credentials, and general access to cloud infrastructure. In parallel, DPRK aligned actors deployed EtherRAT, a stealth implant that uses a legitimate Node.js runtime, encrypted payloads, five layers of persistence, and Ethereum based command resolution with consensus voting across multiple remote procedure call endpoints.

React2Shell combined with EtherRAT is therefore not only a framework patching issue. It is an active intrusion vector for advanced espionage focused campaigns against cloud native environments.

Vulnerability Analysis React2Shell CVE-2025-55182

Architectural flaw in React Server Components

CVE-2025-55182 is a deserialisation logic flaw in the React Server Components Flight protocol. The server decodes structured payloads that represent component trees and server functions. When handling form data and server actions, the React Server Components path reconstructs JavaScript objects without sufficiently strict type validation.

Attackers exploit this lax validation to inject gadget objects that React treats as legitimate. These gadgets override internal fields so that when the server later reads data from a reconstructed object, it actually invokes a Function constructor with attacker supplied source. Function behaves like an eval primitive for string input, so this directly yields remote code execution in the Node.js process.

Technical mechanics of the exploit chain

Exploitation is highly reliable and does not require authentication. A single crafted HTTP POST to a server action endpoint is sufficient, and researchers report very high success rates against default configurations.

The payload is a Flight stream made of numbered chunks. The core idea is to replace internal objects with attacker controlled variants that hijack how form data is read.

Gadget construction

Three main elements are involved

• Execution primitive
  An array placeholder is created and its constructor chain is abused. In JavaScript, an array’s constructor is Array and Array.constructor resolves to Function. By wiring internal fields such as _formData.get to a reference that resolves to this constructor chain, the gadget causes the deserialiser to treat Function as the method used to retrieve data. When that method is later called with attacker controlled content, it effectively runs Function(payload_string).
• Response mimic
  Another object is crafted to resemble an internal response structure. A prefix field carries the malicious JavaScript or a wrapper that invokes a shell. The form data getter property points to the Function gadget. Reading from this response then executes the attacker function instead of returning harmless data.
• Trigger chain
  The initial chunk sets up a promise chain that references the crafted objects. When the server resolves this chain as part of normal processing, it eventually calls the malicious getter and runs the Function payload.

The flow is deterministic and does not rely on memory corruption. It is a pure logic error in how untrusted data is treated as trusted internal state.

Affected frameworks and scope

React2Shell is often misunderstood as a Next.js only issue. In reality it affects any server deployment that uses vulnerable React Server Components libraries or the Flight protocol.

Table 1 Affected software and versions

Organisations must audit any web application using React 19 Server Components or the frameworks listed above. The vulnerability is present under default settings, without any special misconfiguration.

Threat Intelligence and Actor Landscape

Opportunistic exploitation

Soon after disclosure, multiple China nexus groups including Earth Lamia and Jackpot Panda began scanning for and exploiting React2Shell. Their goals include cryptomining, theft of cloud credentials, and general cloud access.

Typical characteristics

• Payloads that deploy Monero miners
• Scripts that scrape environment variables and cloud provider keys
• Noticeable CPU load and obvious long running processes
• Traffic to mining or commodity attacker infrastructure

These campaigns are noisy and often act as a warning that a server remains unpatched.

EtherRAT as the high value signal

The EtherRAT campaign, attributed to DPRK linked operators, sits at the high end of the threat spectrum.

Key traits

• Tradecraft overlaps with earlier efforts that targeted blockchain developers and crypto organisations through social engineering and supply chain activity
• Shift from client side targeting to direct exploitation of server side vulnerabilities such as React2Shell
• Focus on persistence and stealth rather than quick resource theft
• Use of legitimate binaries, multiple persistence methods, and blockchain based command infrastructure

Ignoring EtherRAT while only removing cryptominers leaves the organisation exposed to serious espionage risk.

Malware Analysis EtherRAT Infection Chain

EtherRAT uses a staged infection chain optimised for reliability, stealth, and survivability.

Stage 1 initial access and staging

After successful React2Shell exploitation, the attacker runs a base64 encoded shell one liner as a stager.

• The stager attempts to download a shell script, often named with a short suffix such as s.sh, using curl first, then wget, then python3 as fallbacks
• It operates in a retry loop for several minutes to ride out transient failures and ensure the script is retrieved

Stage 2 environment preparation and evasion

When the shell script executes it prepares a local environment that looks legitimate and blends into normal activity.

• It downloads a signed Node.js runtime, typically version 20.10.0, from the official distribution infrastructure
• It creates hidden directories under the user’s home path, usually under .local/share with random hexadecimal names
• It deletes the initial shell script after use to reduce obvious forensic traces

Using a signed and widely trusted runtime is a deliberate evasion tactic against traditional endpoint detection.

Stage 3 payload deployment

The script then writes two key files into the hidden directory

• An encrypted payload blob that contains the EtherRAT logic
• An obfuscated JavaScript dropper that can decrypt and execute the payload

Execution then proceeds by running the dropper with the downloaded Node.js binary, usually under a detached process with output redirected to a null device so there are no clear console logs.

Stage 4 command and control through EtherHiding

EtherRAT’s defining feature is its Ethereum based command resolution.

• Instead of a hard coded domain, the malware talks to a specific Ethereum smart contract that stores the current command endpoint
• Observed samples query a particular contract address using standard remote procedure calls
• The implant contacts multiple public Ethereum endpoints in parallel, then uses a majority vote across responses to decide which value to trust

This provides strong resilience

• The contract cannot simply be removed by taking down a single server
• Blocking one remote procedure call endpoint does not break communication
• Defenders cannot easily deceive the implant with a single poisoned node due to the consensus step

Persistence Mechanisms The Aggressive Five

EtherRAT uses five overlapping persistence techniques. All must be checked and cleared during remediation.

Table 2 EtherRAT persistence vectors

The malware also tracks persistence state locally to avoid writing duplicate entries, which reduces noisy errors and makes manual inspection harder.

Detection Engineering and Indicators of Compromise

Effective detection combines network signatures, host forensics, and behavioural analytics.

Network detection

Key points for web application firewalls, intrusion detection systems, and proxy controls

• Monitor HTTP POST requests that include headers such as next-action or rsc-action-id combined with suspicious Flight payload bodies
• Look for Flight bodies containing markers like $@ and "status":"resolved_model" in unexpected contexts
• Flag outbound encrypted traffic from web servers to public Ethereum endpoints using eth_call, especially where the payload references the EtherRAT contract
• Hunt for connections from web servers to the EtherRAT command node on a non standard port
• Inspect periodic GET requests to static looking paths that end in image extensions against suspicious infrastructure
• Look for presence of a custom header such as X-Bot-Server in outbound traffic patterns

Host based forensics

Host indicators provide confirmation that exploitation has led to malware deployment.

• Hidden directories in user homes matching patterns such as .local/share/. followed by eight hexadecimal characters
• Node.js binaries running from user directories instead of standard system locations
• Detached processes owned by web service accounts that execute from hidden paths under .local/share
• Modified user profile files with appended nohup launch lines referencing a hidden Node.js path

Confirmed SHA-1 hashes reported in the wild include

• 6e43e26fa62dfa89fe8b016dc831a9ec44507af9 initial downloader script
• 34551bca762be99d732c0ced6ad8b0a2f7b11ad7 encrypted EtherRAT payload
• c67e8aa881317cb32d7c36b2e3c0c5cfa21bf5e3 JavaScript dropper
• 7fe3826fc7b90e20c9fe76a7891eff350d73b6b3 additional malware artefact

YARA detection rule

rule EtherRAT_Persistence_Config {
meta:
description = "Detects EtherRAT persistence files (Systemd/XDG)"
author = "Cyber Security Advisory Team"
date = "2025-12-10"
severity = "Critical"
reference = "CVE-2025-55182"
strings:
$systemd_desc = "Description=User Application Service" ascii
$systemd_exec = "ExecStart=" ascii
$systemd_rest = "Restart=always" ascii

$xdg_hide = "Hidden=true" ascii
$xdg_nodisp = "NoDisplay=true" ascii
$xdg_gnome = "X-GNOME-Autostart-enabled=true" ascii

$path_marker = "/.local/share/." ascii
condition:
($systemd_desc and $systemd_exec and $systemd_rest and $path_marker) or
($xdg_hide and $xdg_nodisp and $xdg_gnome and $path_marker)
}

This rule focuses on the persistence configuration files rather than the main payload, which helps even if the binary re-obfuscates itself.

Sigma rule for process chain analysis

title: React2Shell Exploitation Chain
id: react2shell-exploit-behavior
status: experimental
description: Detects a web server process spawning shell commands to download files, indicative of React2Shell exploitation.
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
- '/node'
- '/npm'
- '/next-server'
selection_child:
Image|endswith:
- '/sh'
- '/bash'
- '/dash'
selection_cmd:
CommandLine|contains:
- 'curl'
- 'wget'
- 'python'
- 'base64'
- '.local/share'
condition: selection_parent and selection_child and selection_cmd
falsepositives:
- CI/CD pipelines running on the same host
level: critical

This pattern highlights chains where a React or Next.js server process spawns a shell that runs curl or wget to write into .local/share, which is highly suspicious on production web hosts.

Mitigation and Prevention

Immediate containment

Where possible, apply both network and application level controls while patching is prepared.

• Enable managed rule sets in web application firewalls that include coverage for CVE-2025-55182
• Add specific rules that block POST requests with React Server Components action headers when the body matches Flight exploit markers
• Segment web servers and restrict outbound traffic to only required destinations
• Block or tightly control outbound access to known EtherRAT command nodes and to generic Ethereum endpoints where they are not required for business logic

Patching strategy

Patching the underlying frameworks is the only durable fix.

• Upgrade React Server Components dependencies to patched releases in the 19.x line
• Upgrade Next.js to patched lines that include updated React Server Components and Flight handling
• For frameworks such as React Router, Redwood, Waku, and Vite React Server Components, apply vendor guidance and ensure the underlying React Server Components packages are patched
• After updating dependencies, rebuild and redeploy applications and verify resolved versions in lock files to ensure the vulnerable library is no longer in use

Response for confirmed EtherRAT compromise

If indicators from earlier sections are present

• Avoid partial manual cleaning that targets only visible files, because a single remaining persistence mechanism can re-launch the implant
• Take a snapshot of the affected instance for forensic analysis and potential legal or intelligence use
• Isolate the asset from the network
• Rebuild the workload from a known good image or infrastructure as code definition rather than reusing the compromised host
• Rotate all secrets and credentials that may have been accessible to the Node.js process, including cloud keys, database passwords, and API tokens

Risk Assessment

EtherRAT delivered through React2Shell represents a convergence of a widely deployed critical vulnerability with advanced decentralised backdoor tradecraft.

Factors driving the 8.7 Critical score

• Maximum severity unauthenticated remote code execution across a large framework ecosystem
• Active exploitation in the wild by both China nexus and DPRK aligned actors
• Use of legitimate runtimes and aggressive persistence that complicate detection and response
• Novel Ethereum based command infrastructure with consensus voting across multiple endpoints that resists sinkholing and simple blocking
• Clear potential for follow on supply chain compromise and cloud control plane pivoting in affected environments

Organisations that operate React or Next.js based applications, especially in cloud native and containerised deployments, should assume they are attractive targets and adopt a proactive hunting posture.

Conclusion

React2Shell and EtherRAT define a new benchmark for server side threats in 2025. A core framework deserialisation flaw with a maximum severity rating has been combined with the stealth, persistence, and decentralised command capabilities of a state linked implant. Traditional perimeter defences and simple domain blocking are not sufficient.

IT and security teams must pair timely patching with deep inspection of web server behaviour, careful review of persistence locations, and strong outbound network controls. By applying the detection and remediation guidance in this advisory, organisations can materially reduce their exposure to EtherRAT and harden their infrastructure against future web based campaigns that will reuse the same ideas.

Appendix A Consolidated Indicators of Compromise

Table 3 Network Indicators

Table 4 File Hashes MD5

Table 5 Malicious URLs
(Displayed in defanged format: hxxp and [.] preserved)

Sources

AWS Security Blog – China nexus cyber threat groups rapidly exploit React2Shell vulnerability CVE-2025-55182 – https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

The Hacker News – North Korea linked actors exploit React2Shell to deploy new EtherRAT malware – https://thehackernews.com/2025/12/north-korea-linked-actors-exploit.html

OTX AlienVault – Indicators of Compromise – https://otx.alienvault.com/pulse/6938577d1df39d03f2dc4345