EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks

ID: a2452776-fa47-5324-ae69-6d6b1632bc5d

STIX ID: report--a2452776-fa47-5324-ae69-6d6b1632bc5d

Feed Name: Sysdig Blog

Threat Score
90/100

Date Published: 2025-12-08

Date Updated: 2026-05-01

On Dec 5, 2025, the Sysdig Threat Research Team recovered and analyzed EtherRAT, a sophisticated persistent Node.js backdoor deployed via the React Server Components RCE (CVE-2025-55182). EtherRAT uses a staged dropper that downloads Node.js from nodejs.org and decrypts an obfuscated payload; resolves its C2 address via an Ethereum smart contract, using a nine-endpoint consensus mechanism; polls for and executes operator-sent JavaScript; implements five independent Linux persistence methods; and supports in-field self-updating. The report includes IOCs, hunting and detection guidance, and a discussion of possible overlap with DPRK-related tooling.