North Korea-Linked Hackers Deploy EtherRAT via React2Shell

North Korean threat actors have been observed exploiting the React2Shell vulnerability (CVE-2025-66478) to deploy a new Remote Access Trojan dubbed EtherRAT, specifically targeting cryptocurrency exchanges and DeFi platforms.

Threat Actor Profile

| Attribute | Details |
|-----------|---------|
| Attribution | Lazarus Group / APT38 |
| Target Sectors | Cryptocurrency, DeFi, FinTech |
| Initial Access | React2Shell (CVE-2025-66478) |
| Payload | EtherRAT |

Campaign Analysis

Attack Chain

  1. Reconnaissance: Scanning for vulnerable Next.js applications in crypto/DeFi sector
  2. Exploitation: Deploying React2Shell payloads against Server Actions
  3. Persistence: Installing EtherRAT backdoor
  4. Lateral Movement: Targeting hot wallet infrastructure
  5. Exfiltration: Cryptocurrency theft

EtherRAT Capabilities

The malware exhibits sophisticated functionality:

  • Wallet Harvesting: Extracts private keys from browser extensions
  • Transaction Manipulation: Modifies clipboard contents to redirect transfers
  • Keylogging: Captures credentials and seed phrases
  • Screen Capture: Monitors trading activities
  • Persistence: Survives reboots through multiple mechanisms

Indicators of Compromise (IOCs)

```text
# C2 Domains
update-service[.]crypto-cdn[.]net
api-gateway[.]defi-node[.]io

# File Hashes (SHA256)
a3f8d2e1b4c5... (EtherRAT loader)
7e9f1a2b3c4d... (Main payload)

# Network Signatures
POST /api/sync HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; ServiceWorker)
```
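Detection logic for the network signature and C2 domains listed above, written as an added example for this post (it is not RaptorX's tooling or part of the original report). It assumes combined-format web access logs and a simple "client qname type" DNS query log export; both sample inputs are constructed here, and the truncated hashes are deliberately not matched.

```python
import re

# Indicators as published in the report above (domains defanged with "[.]");
# the report's hashes are truncated, so no hash matching is attempted.
C2_DOMAINS = {"update-service[.]crypto-cdn[.]net", "api-gateway[.]defi-node[.]io"}
BEACON_PATH = "/api/sync"
BEACON_UA = "Mozilla/5.0 (compatible; ServiceWorker)"

def refang(indicator: str) -> str:
    """Turn a defanged indicator (example[.]com) into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

# Combined Log Format as written by nginx/Apache.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def scan_access_log(lines):
    """Return (client_ip, timestamp) for requests matching the beacon signature."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.rstrip("\n"))
        if m and m["method"] == "POST" and m["path"] == BEACON_PATH and m["ua"] == BEACON_UA:
            hits.append((m["ip"], m["ts"]))
    return hits

def scan_dns_log(lines):
    """Return (client, queried_name) for lookups of a C2 domain or any subdomain of it."""
    c2 = {refang(d) for d in C2_DOMAINS}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        client, qname = parts[0], parts[1].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in c2):
            hits.append((client, qname))
    return hits

# Constructed sample log lines, not taken from the report; DNS lines are "<client> <qname> <type>".
SAMPLE_ACCESS = [
    '10.0.0.5 - - [05/Dec/2025:10:15:32 +0000] "POST /api/sync HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ServiceWorker)"',
    '10.0.0.7 - - [05/Dec/2025:10:16:01 +0000] "GET /api/sync HTTP/1.1" 200 128 "-" "Mozilla/5.0 (compatible; ServiceWorker)"',
    '10.0.0.9 - - [05/Dec/2025:10:16:44 +0000] "POST /api/sync HTTP/1.1" 200 512 "-" "curl/8.4.0"',
]
SAMPLE_DNS = [
    "10.0.0.5 cdn.update-service.crypto-cdn.net A",
    "10.0.0.6 www.example.org A",
    "10.0.0.8 api-gateway.defi-node.io. A",
]
```

Only the full combination of method, path and User-Agent is flagged, so a GET to the same path or a POST from another client is left alone; a client appearing in both result lists is a stronger signal than either alone.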

Defensive Recommendations

  1. Patch Immediately: Update all Next.js applications
  2. Network Monitoring: Block known C2 infrastructure
  3. Endpoint Detection: Deploy EDR with behavioral analysis
  4. Wallet Security: Use hardware wallets for significant holdings
  5. Code Review: Audit Server Actions for input validation

Why This Matters

Nation-state actors are increasingly targeting web application vulnerabilities for financial gain. Organizations must:

  • Maintain continuous vulnerability scanning
  • Monitor for emerging CVEs affecting their stack
  • Implement defense-in-depth strategies

RaptorX continuously monitors for exploitation attempts of known CVEs and can detect EtherRAT deployment indicators during security assessments.
