EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2
ID: c130d41e-ea53-5738-bca8-fe6e17df0c37
STIX ID: report--c130d41e-ea53-5738-bca8-fe6e17df0c37
Feed Name: Sysdig Blog
Sysdig Threat Research Team uncovered EtherRAT, a fileless Node.js implant deployed via the React2Shell exploit (CVE-2025-55182) that uses an Ethereum smart contract for resilient C2. EtherRAT comprises a reconnaissance module (with a CIS-locale exclusion), an advanced cryptocurrency- and cloud-credential harvester (BIP39-aware), a self-spreading Next.js worm that targets private and public IP ranges, a web-server hijacker used for traffic monetization, and an SSH-key backdoor. Live payloads, C2 history, and comprehensive IOCs are provided, while attribution remains ambiguous between DPRK-linked patterns and CIS-associated tradecraft.
