EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks
ID: ed84c40b-448e-53ab-9566-34437a10256d
STIX ID: report--ed84c40b-448e-53ab-9566-34437a10256d
Feed Name: Sysdig Blog
EtherRAT is a sophisticated, persistent Node.js implant delivered through the React2Shell RCE (CVE-2025-55182). Once on a host it downloads a Node.js runtime, decrypts and runs an obfuscated payload, and resolves its C2 address by querying an Ethereum smart contract across multiple RPC endpoints, accepting the value only when the endpoints agree (consensus-based resolution, so blocking a single RPC provider does not cut it off). It establishes five independent Linux persistence mechanisms and supports remote command execution and one-time self-updates. The report includes IOCs, detection and mitigation guidance, and notes partial overlap with DPRK-linked tooling.
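To make the consensus-based C2 resolution concrete, the following is an added, offline model of that pattern. It is not EtherRAT's code and not Sysdig's; the endpoint names, the contract return values (ABI-encoded strings), the RFC 5737 test addresses, and the quorum size are all constructed for illustration. It models only the responses to an eth_call, not the request, and shows why one tampered, reverted or blocked endpoint does not change what the implant resolves.

```python
"""Constructed model of majority-consensus C2 resolution over several
Ethereum JSON-RPC endpoints. Hypothetical example, not the implant's code."""
from collections import Counter
from typing import Dict, Optional


def abi_encode_string(s: str) -> str:
    """ABI-encode a single dynamic `string` return value (offset, length, data)."""
    data = s.encode()
    offset = (32).to_bytes(32, "big")          # data starts after one head word
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (offset + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` field of an eth_call that returns one `string`."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    if len(raw) < offset + 32:
        raise ValueError("length word out of range")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("truncated string body")
    return body.decode()


def resolve_c2_by_consensus(responses: Dict[str, Optional[dict]], quorum: int) -> Optional[str]:
    """Pick the C2 value that at least `quorum` endpoints agree on.

    `responses` maps an RPC endpoint to its JSON-RPC reply, or None when the
    endpoint was unreachable (e.g. blocked at an egress proxy). Endpoints that
    error, return malformed data, or are unreachable simply cast no vote.
    """
    votes: Counter = Counter()
    for endpoint, reply in responses.items():
        if not reply or "result" not in reply:
            continue                      # unreachable or JSON-RPC error: no vote
        try:
            votes[abi_decode_string(reply["result"])] += 1
        except (ValueError, UnicodeDecodeError):
            continue                      # garbage from this endpoint: no vote
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= quorum else None


# Constructed sample replies from five hypothetical RPC providers.
SAMPLE_RESPONSES: Dict[str, Optional[dict]] = {
    "https://rpc-a.example": {"jsonrpc": "2.0", "id": 1,
                              "result": abi_encode_string("203.0.113.10:8443")},
    "https://rpc-b.example": {"jsonrpc": "2.0", "id": 1,
                              "result": abi_encode_string("203.0.113.10:8443")},
    # One provider serving a stale or tampered value.
    "https://rpc-c.example": {"jsonrpc": "2.0", "id": 1,
                              "result": abi_encode_string("198.51.100.7:8443")},
    # One provider blocked at the network edge.
    "https://rpc-d.example": None,
    # One provider whose call reverted.
    "https://rpc-e.example": {"jsonrpc": "2.0", "id": 1,
                              "error": {"code": -32000, "message": "execution reverted"}},
}


def main() -> None:
    print("quorum 2:", resolve_c2_by_consensus(SAMPLE_RESPONSES, quorum=2))
    print("quorum 3:", resolve_c2_by_consensus(SAMPLE_RESPONSES, quorum=3))


if __name__ == "__main__":
    main()
```

The defensive takeaway is in the second call: with a quorum of two, one blocked, one reverted and one disagreeing endpoint still leave the majority value intact, so egress controls have to cover every reachable RPC provider (or the eth_call pattern itself) rather than a single hostname.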
