EtherRAT
EtherRAT is a malware campaign identified by the Sysdig Threat Research Team in December 2025. It was observed exploiting the React2Shell vulnerability (CVE-2025-55182) as part of a multi-stage attack chain. The campaign uses Ethereum blockchain smart contracts for command and control. Sysdig described the activity as highly sophisticated and noted that it brought nation-state-style TTPs to React2Shell exploitation. EtherRAT is associated with exploitation of React Server Components environments vulnerable to React2Shell. Known alias: etherrat.
Recent activity
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.