
North Korean APT Exploits Critical React2Shell Vulnerability to Deploy EtherRAT Backdoor
Sysdig researchers have identified a cyber espionage campaign attributed to North Korean state-sponsored actors exploiting the critical React2Shell vulnerability (CVE-2025-55182). This pre-authentication remote code execution flaw in React allows unauthenticated attackers to execute arbitrary code on affected systems. The attackers are deploying a new remote access Trojan (RAT) named EtherRAT, which provides persistent remote access to compromised systems.

The campaign highlights the ongoing threat posed by state-sponsored actors exploiting vulnerabilities in widely used web frameworks. Attribution to North Korean actors is based on observed tactics, techniques, and procedures (TTPs) consistent with previous campaigns linked to the country. Specific targets and the full scope of the campaign remain undisclosed.

This campaign underscores the importance of timely patching and robust detection capabilities. Organizations using React in their web applications should prioritize addressing this vulnerability to mitigate the risk of exploitation. The deployment of EtherRAT following initial compromise emphasizes the need for comprehensive post-exploitation detection mechanisms.