EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2
ID: 018bb032-ef6e-5a9d-9da5-561ec435fe4e
STIX ID: report--018bb032-ef6e-5a9d-9da5-561ec435fe4e
Feed Name: Sysdig Blog
Sysdig Threat Research Team analyzed EtherRAT, a fileless Node.js implant deployed via the React2Shell RCE that uses an Ethereum smart contract as an immutable C2 channel. The multi-stage toolkit includes host reconnaissance (with CIS-region exclusion), extensive credential and cryptocurrency seed harvesting (BIP39-aware and secp256k1-validated), a self-spreading Next.js/React2Shell worm that scans both Internet and private IP ranges, web-server redirect hijacking for monetization, and an SSH backdoor for persistence. Live payloads and multiple IOCs (smart contract, deployer/funding wallets, C2 IPs, URLs, SSH key fingerprint, filesystem artifacts, and network signatures) were recovered and documented.
