China-nexus threat groups and North Korea–linked operators are rapidly weaponizing the maximum-severity React2Shell vulnerability (CVE-2025-55182), with researchers now observing a sophisticated new implant that goes well beyond the credential theft and cryptomining seen in early attacks.
According to AWS Security, early exploitation attempts observed across their cloud environment primarily involved mass automated scanning, rapid-fire Remote Code Execution (RCE) probing using public PoC payloads, deployment of simple reverse shells, and opportunistic cryptomining droppers.
On Dec. 5, two days after the vulnerability became public, the Sysdig Threat Research Team recovered a previously undocumented payload, dubbed EtherRAT, from a compromised Next.js application.
Unlike earlier, more opportunistic React2Shell exploitation, EtherRAT emphasizes stealth, persistence, and long-term access.
For context, CVE-2025-55182 is an unsafe deserialization flaw in React Server Components that enables unauthenticated remote code execution through a single HTTP request. The issue affects React 19.x and Next.js 15.x/16.x when using App Router. Public exploits appeared within hours of disclosure, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Dec. 5.
China and North Korean Operations
Sysdig said China-nexus operators (including Earth Lamia, Jackpot Panda, and UNC5174) were the first to operationalize public Proof-of-Concept (PoC) code, deploying Cobalt Strike, Sliver, and Vshell backdoors. These campaigns rely on hardcoded infrastructure and lightweight post-exploitation tools.
EtherRAT, by contrast, reflects DPRK-style tactics. The implant executes through a four-stage JavaScript-heavy chain, downloads its own Node.js runtime, and establishes five separate Linux persistence mechanisms.
Its most distinctive capability is blockchain-based command-and-control (C2): EtherRAT retrieves its C2 address from an Ethereum smart contract using consensus across nine public RPC endpoints to prevent poisoning or takedowns.
Sysdig’s analysis noted overlap with techniques seen in the DPRK-linked “Contagious Interview” campaigns, though the delivery vector and persistence footprint differ significantly. This may indicate shared tooling across DPRK clusters, or a separate actor mimicking their methods to complicate attribution.
The researchers recommend prioritizing patching across all React 19.x and Next.js deployments and monitoring for indicators such as unexpected downloads, outbound traffic to multiple Ethereum RPC endpoints, or hidden user-level system services.
Security teams should also review web server logs for repeated exploitation attempts, as attackers are actively iterating on public PoC code.
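One way to operationalize the "outbound traffic to multiple Ethereum RPC endpoints" indicator above is a simple egress-log heuristic that flags hosts reaching several distinct JSON-RPC endpoints in a short window, matching the consensus lookup described for EtherRAT. This is an added illustration, not Sysdig's or AWS's tooling; the endpoint names, log format and thresholds are constructed placeholders.

```python
"""Added detection heuristic (not from the Sysdig/AWS research): flag hosts that
POST to several distinct Ethereum JSON-RPC endpoints within a short window.
RPC host names and log lines below are constructed placeholders, not IoCs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical set of hosts the organization classifies as Ethereum RPC services.
RPC_ENDPOINTS = {"rpc-a.example.net", "rpc-b.example.net", "rpc-c.example.net",
                 "rpc-d.example.net", "rpc-e.example.net"}


def parse_line(line):
    """Parse a constructed egress-proxy line: '<iso-ts> <src> <dest_host> <method>'."""
    ts, src, dest, method = line.split()
    return datetime.fromisoformat(ts), src, dest, method


def find_multi_rpc_hosts(lines, min_endpoints=3, window=timedelta(minutes=5)):
    """Return {src: sorted distinct RPC hosts} for every source that contacts at
    least `min_endpoints` different RPC endpoints within `window` of one another."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dest, method = parse_line(line)
        if dest in RPC_ENDPOINTS and method == "POST":
            events[src].append((ts, dest))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # Distinct endpoints reached in the window starting at this event.
            seen = {d for t, d in evs[i:] if t - t0 <= window}
            if len(seen) >= min_endpoints:
                flagged[src] = sorted(seen)
                break
    return flagged


# Constructed sample log: one host fans out to four RPC endpoints in seconds
# (suspicious), one touches them slowly over an hour, one does ordinary traffic.
SAMPLE_LOG = """\
2025-12-05T10:00:01 10.0.1.5 rpc-a.example.net POST
2025-12-05T10:00:02 10.0.1.5 rpc-b.example.net POST
2025-12-05T10:00:02 10.0.1.5 rpc-c.example.net POST
2025-12-05T10:00:03 10.0.1.5 rpc-d.example.net POST
2025-12-05T10:00:10 10.0.1.9 rpc-a.example.net POST
2025-12-05T10:30:00 10.0.1.9 rpc-b.example.net POST
2025-12-05T11:00:00 10.0.1.9 rpc-c.example.net POST
2025-12-05T10:00:11 10.0.1.7 registry.npmjs.org GET
""".splitlines()

if __name__ == "__main__":
    print(find_multi_rpc_hosts(SAMPLE_LOG))
```

Legitimate dApp backends may also fan out to several RPC providers, so tune the endpoint set and threshold to the environment and correlate hits with the hidden-service and unexpected-download indicators.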