Inside EtherRAT: Blockchain-Powered Malware Delivery



On December 8, 2025, the Sysdig Threat Research Team (TRT) reported that an APT-level threat actor had deployed EtherRAT, a novel Ethereum-based implant, in React2Shell attacks. The malware goes beyond the initial React2Shell cryptomining attacks, blending command and control (C2) traffic into blockchain activity and aggressively harvesting credentials.

Emerging quickly after the disclosure of the critical React2Shell vulnerability (CVE-2025-55182), EtherRAT represents a significant evolution in attacker tradecraft, blending blockchain-based command and control (C2) with advanced persistence and multi-module capabilities.

In this 30-minute briefing, Sysdig Threat Research breaks down how this implant leverages the Ethereum blockchain for resilient and hard-to-block C2, executes all payloads in memory using Node.js, and delivers five distinct operational modules post-compromise: system reconnaissance, credential harvesting, a self-propagating worm, web server hijacking, and SSH backdoor installation.

The session explores:

  • The unique blockchain C2 design and how it complicates traditional detection and takedown efforts
  • The role of fileless execution and Node.js runtime abuse in evading security controls
  • Real-world implications for defenders and how cloud security teams can improve threat visibility and response

Presenters

  • Crystal Morin — Senior Cybersecurity Strategist @ Sysdig
  • Michael Clark — Senior Director, Sysdig Threat Research