Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
1 malware family

north_korea_linked_threat_actors

Also known asNorth Korea-linked threat actors

North Korea-linked threat actors observed exploiting the critical React framework vulnerability React2Shell (CVE-2025-55182) in React Server Components. The vulnerability enables unauthenticated remote code execution via a single HTTP request and has seen widespread exploitation activity after a public patch release on 2025-12-03. In reported campaigns, North Korea-linked actors deployed a previously undocumented remote access trojan, EtherRAT, delivered via React2Shell. EtherRAT uses Ethereum smart contracts for command-and-control resolution, downloads its own Node.js runtime from nodejs.org, and implements five independent Linux persistence mechanisms. Activity is described in the context of broader nation-state exploitation of React2Shell (also attributed in reporting to China- and Iran-linked actors), with targeting focused on cloud environments and workloads running React and related frameworks.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

12 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics15 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566
Phishing
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1204
User Execution
TA0003
Persistence
1 technique
T1547
Boot or Logon Autostart Execution
TA0004
Privilege Escalation
1 technique
T1547
Boot or Logon Autostart Execution
TA0006
Credential Access
2 techniques
T1110
Brute Force
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0007
Discovery
1 technique
T1082
System Information Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1090
Proxy
T1105
Ingress Tool Transfer
T1219
Remote Access Tools
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
NimDoorNorth Korea-linked threat actors are targeting Web3 and crypto firms with NimDoor, a rare macOS backdoor disguised as a fake Zoom update.1Mar 18, 2026
IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
securitysenses blogNews
Dec 15, 2025
December 15, 2025 Cyber Threat Intelligence Briefing

Exploiting the React2Shell vulnerability to deliver EtherRAT, a new remote access trojan that uses Ethereum smart contracts for C2 and multiple Linux persistence mechanisms.

Read more
bank info securityNews
Dec 15, 2025
Nation-State and Cybercrime Exploits Tied to React2Shell

Exploiting React2Shell to deploy EtherRAT for remote access and persistence.

Read more
securityaffairsNews
Nov 5, 2025
U.S. sanctioned North Korea bankers for laundering funds linked to cyberattacks and peapons program

Engaged in large-scale cyber-enabled espionage, disruptive cyberattacks, and financial theft, primarily targeting cryptocurrency to fund North Korea's nuclear weapons and ballistic missile programs. They use advanced malware, social engineering, and IT worker fraud to generate revenue and launder funds through international financial networks.

Read more
securityaffairsNews
Jul 5, 2025
North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

Conducting targeted cyber-espionage and data theft campaigns against Web3 and crypto-related businesses using sophisticated macOS malware (NimDoor) distributed via social engineering and fake software updates.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping12

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.