EtherRAT remote access trojan with blockchain-based C2
Malware Activity
Summary
EtherRAT is now a live Linux RAT threat because it combines Ethereum smart contracts for C2 with multiple persistence layers, which makes blocking its infrastructure less effective. The implant's Node.js-based execution chain raises the likelihood of a long-lived compromise on infected systems. Its design matters because it supports persistent backdoor control and makes command-and-control easier to reconstitute.
Related Happenings
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware Activity
First: 26.03.2026 17:00
Last: 26.03.2026 17:00
Sources 1
About this happening:
The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...
GlassWorm multi-stage data-theft malware evolution
Malware Activity
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
GhostLoader staged npm install payload activity
Malware Activity
First: 24.03.2026 14:00
Last: 24.03.2026 14:00
Sources 1
About this happening:
**GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
Timeline
- 09.12.2025 19:15 · 1 article
  React2Shell public disclosure
  Initial Disclosure: React Server Components (RSCs) vulnerability CVE-2025-55182 was publicly disclosed on December 3, affecting React version 19 and related frameworks including Next.js, Waku, React Router and RedwoodSDK. Shortly after disclosure, AWS linked exploitation attempts to Earth Lamia and Jackpot Panda, while other actors were also observed using React2Shell to install XMRig miners and credential harvesters targeting AWS configuration files and environment variables.
  Sources:
  - React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- 08.12.2025 02:00 · 2 articles
  Sysdig identifies EtherRAT and DPRK-linked overlap
  Technical Analysis Update: Sysdig Threat Research Team (TRT) analysis published on December 8 identified a novel implant delivered from a compromised Next.js application and named it EtherRAT. The malware leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, downloads Node.js from nodejs.org, and shows overlap with Contagious Interview tooling and BeaverTail patterns associated with North Korea-linked activity, suggesting possible DPRK-linked tradecraft or tooling sharing.
  Sources:
  - React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
  - North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25
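The timeline entry above describes two network behaviours a defender can hunt for: server workloads resolving C2 through Ethereum smart contracts, and server workloads fetching Node.js from nodejs.org. The following Python is an added detection sketch written for this page; it is not code from Sysdig, the feed, or the EtherRAT analysis. It assumes a constructed tab-separated egress-proxy log format, an illustrative list of public Ethereum JSON-RPC gateways, and that the implant reads contract state with the standard `eth_call` JSON-RPC method (the page only says smart contracts are used for C2 resolution; the exact RPC method and gateways are assumptions). Host roles, hostnames, the Node.js version and the contract address in the sample are all constructed placeholders.

```python
"""Flag Ethereum JSON-RPC contract reads and Node.js tarball downloads
originating from server workloads, over constructed proxy log lines."""
import json
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: roles for which Ethereum RPC traffic or a Node.js download is unexpected.
SERVER_ROLES = {"web-server", "api-server"}

# Illustrative public Ethereum JSON-RPC gateways (assumption; any gateway could be used).
ETH_RPC_HOSTS = {"mainnet.infura.io", "eth.llamarpc.com", "rpc.ankr.com", "cloudflare-eth.com"}

# Official Node.js Linux tarball path layout on nodejs.org, e.g. /dist/vX.Y.Z/node-vX.Y.Z-linux-x64.tar.xz
NODE_TARBALL_RE = re.compile(
    r"^/dist/v\d+\.\d+\.\d+/node-v\d+\.\d+\.\d+-linux-[a-z0-9]+\.tar\.(xz|gz)$"
)

# Constructed sample log: ts<TAB>src_host<TAB>role<TAB>method<TAB>url<TAB>request_body
SAMPLE_LOG = [
    "2025-12-08T01:55:01Z\tweb-01\tweb-server\tPOST\thttps://mainnet.infura.io/v3/PROJECT_ID_PLACEHOLDER\t"
    '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000000","data":"0x"},"latest"],"id":1}',
    "2025-12-08T01:55:04Z\tweb-01\tweb-server\tGET\thttps://nodejs.org/dist/v20.11.1/node-v20.11.1-linux-x64.tar.xz\t",
    "2025-12-08T01:56:10Z\tdev-laptop-7\tworkstation\tGET\thttps://nodejs.org/dist/v20.11.1/node-v20.11.1-linux-x64.tar.xz\t",
    "2025-12-08T01:57:22Z\tweb-01\tweb-server\tPOST\thttps://api.example.com/orders\t{\"order\":1}",
    "2025-12-08T01:58:00Z\tapi-02\tapi-server\tPOST\thttps://rpc.ankr.com/eth\t"
    '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":2}',
]


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Split one constructed log line into a record; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, host, role, method, url, body = parts
    return {"ts": ts, "host": host, "role": role, "method": method, "url": url, "body": body}


def detect(lines):
    """Return findings for server-role hosts that read a contract via eth_call
    or download a Node.js Linux tarball from nodejs.org."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["role"] not in SERVER_ROLES:
            continue  # only server workloads are in scope for these heuristics
        u = urlparse(rec["url"])

        # Heuristic 1: contract read (eth_call) against a public Ethereum gateway.
        if rec["method"] == "POST" and u.hostname in ETH_RPC_HOSTS:
            try:
                payload = json.loads(rec["body"])
            except json.JSONDecodeError:
                payload = {}
            if isinstance(payload, dict) and payload.get("method") == "eth_call":
                params = payload.get("params") or []
                first = params[0] if params and isinstance(params[0], dict) else {}
                contract = first.get("to", "?")
                findings.append(Finding(rec["host"], "eth_call_from_server",
                                        f"eth_call to contract {contract} via {u.hostname}"))

        # Heuristic 2: Node.js runtime tarball fetched by a server workload.
        if rec["method"] == "GET" and u.hostname == "nodejs.org" and NODE_TARBALL_RE.match(u.path or ""):
            findings.append(Finding(rec["host"], "nodejs_download_from_server", f"fetched {u.path}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

The workstation download and the ordinary API call produce no finding, and the `eth_blockNumber` probe is deliberately left unflagged so the rule stays focused on contract reads; in a real deployment the role lookup would come from an asset inventory and the gateway list would be replaced by resolver-level matching of any Ethereum RPC endpoint.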