North Korean-linked threat actors are exploiting the critical React2Shell flaw to deploy EtherRAT, a sophisticated remote access trojan that uses Ethereum smart contracts for command-and-control. This campaign, known as Contagious Interview, targets Web3 developers through fake job offers and leverages the npm ecosystem for malware distribution.
Key points
- Threat actors use an unpatched React Server Components vulnerability (CVE-2025-55182) to deliver malware.
- EtherRAT leverages Ethereum smart contracts for resilient command-and-control communication.
- The malware employs multiple persistence mechanisms to maintain long-term access.
- The campaign involves social engineering tactics such as fake job interviews and coding assignments.
- There is a noted shift from npm to Vercel hosting and exploitation via Visual Studio Code repositories.
Read More: https://thehackernews.com/2025/12/north-korea-linked-actors-exploit.html