Next-Gen Malware: EtherRAT Uses Ethereum Smart Contract for Stealth C2
The emergence of a new malicious tool within the React2Shell attack chain has become a notable development amid the surge of compromises that followed the disclosure of CVE-2025-55182. This time, the activity goes far beyond the previously observed attempts to deploy cryptominers or rudimentary data stealers. The Sysdig Threat Research Team has identified an unusual component dubbed EtherRAT, which blends techniques from multiple campaigns and reflects a marked increase in the attackers’ level of sophistication.
Sysdig researchers discovered EtherRAT on December 5 inside a compromised Next.js application, just two days after the critical vulnerability in React Server Components was made public. The flaw allows arbitrary code execution via a single HTTP request and was swiftly abused by various threat actors. However, this new attack scenario stands apart for its depth and careful design. Rather than relying on simple shell commands and hard-coded command-and-control servers, it employs a custom loader chain, an external JavaScript component, and a blockchain-based control mechanism.
The intrusion unfolds in four distinct stages. First, an encoded command is executed to launch a loader that attempts to retrieve a script through multiple methods and restarts the process upon failure. Next, an official Node.js distribution is downloaded to the system, helping to camouflage malicious activity within legitimate traffic. This is followed by the execution of an encrypted component that decrypts the core payload. The final stage installs the persistent EtherRAT module, which establishes a durable foothold and maintains communication with its operators.
The most striking feature is the command-and-control system built around an Ethereum smart contract. The malware periodically queries the contract to obtain the current address of the control server. It leverages nine public RPC nodes and selects the final address based on majority consensus, making redirection or blocking exceedingly difficult. While similar ideas have appeared in certain malicious NPM packages, EtherRAT’s implementation is markedly more robust and resilient.
Once the server address is obtained, the malware begins continuous polling, disguising its network activity as routine static resource downloads. If the server returns executable code, it is run as JavaScript with access to system-level functions, granting operators full remote control.
To ensure persistence, EtherRAT employs five separate autostart mechanisms: a user-level systemd service, an XDG startup entry, a cron job, and modifications to both .bashrc and .profile. The use of multiple independent persistence channels significantly increases the likelihood of survival across reboots and administrative intervention.
Additional stealth is provided by a self-update capability. Upon the first successful connection, the module transmits its own code to the server, receives a modified version in return, and replaces itself with the new build. This behavior complicates analysis and undermines signature-based detection methods.
Judging by the techniques employed, EtherRAT bears similarities to tools previously associated with North Korean-linked operations, including elements reminiscent of the Contagious Interview campaign. At the same time, its more aggressive persistence strategy, novel entry vector, and advanced control mechanisms suggest either an evolution of existing toolsets or the reuse of shared development resources across different groups. The observed activity differs markedly from that of Chinese actors seen exploiting React2Shell, who largely relied on familiar backdoors such as Cobalt Strike and employed fewer persistence techniques.
Researchers emphasize the importance of monitoring connections to Ethereum nodes, as well as anomalous requests to nodejs.org and the downloading of scripts with arbitrary filenames. Since EtherRAT relies on randomized directories and hidden files, defenders are advised to focus on behavioral indicators rather than fixed paths or filenames.
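The five autostart channels listed earlier and the advice to hunt on behaviour rather than fixed paths suggest a simple host-side audit. The following is an added example written for this article, not Sysdig's tooling or anything recovered from the malware: it walks the four file-based locations named above plus caller-supplied `crontab -l` output and flags entries that launch a Node.js binary or `.js` script from a hidden or temporary directory. The paths and the hidden-directory heuristic are assumptions for illustration.

```python
"""Audit the user-level autostart channels the article says EtherRAT abuses.

Added example, not Sysdig's or the malware's code. Checks the four
file-based locations named above plus crontab text supplied by the
caller; the paths and the hidden-directory heuristic are assumptions.
"""
import re
from pathlib import Path

# Heuristic: a Node binary or .js script launched from a dot-directory,
# /tmp or /dev/shm. Expect some noise from dev tooling (e.g. nvm); triage.
SUSPICIOUS = re.compile(r"(?:/\.[^/\s]+/|/tmp/|/dev/shm/)\S*(?:node|\.js)\b")


def _scan_text(source: str, text: str) -> list[str]:
    """One finding per line of `text` that matches the heuristic."""
    return [f"{source}: {line.strip()}" for line in text.splitlines()
            if SUSPICIOUS.search(line)]


def audit_persistence(home: Path, crontab_text: str = "") -> list[str]:
    """Scan user systemd units, XDG autostart entries, .bashrc, .profile
    and the given `crontab -l` output under `home`. Returns findings."""
    findings: list[str] = []
    for unit in sorted((home / ".config/systemd/user").glob("*.service")):
        findings += _scan_text(f"systemd:{unit.name}", unit.read_text())
    for entry in sorted((home / ".config/autostart").glob("*.desktop")):
        findings += _scan_text(f"xdg:{entry.name}", entry.read_text())
    for rc in (".bashrc", ".profile"):
        path = home / rc
        if path.is_file():
            findings += _scan_text(rc, path.read_text())
    findings += _scan_text("crontab", crontab_text)
    return findings


if __name__ == "__main__":
    import subprocess
    try:  # crontab may be absent on minimal hosts; cron channel then unchecked
        cron = subprocess.run(["crontab", "-l"], capture_output=True,
                              text=True).stdout
    except FileNotFoundError:
        cron = ""
    for finding in audit_persistence(Path.home(), cron):
        print(finding)
```

Run it as each service account that hosts a Next.js process, not only as root, since the reported mechanisms are all user-level.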