EtherRAT remote access trojan with blockchain-based C2
Malware Activity
Summary
Hide ▲
Show ▼
EtherRAT is now a live Linux RAT threat because it combines Ethereum smart contracts for C2 with multiple persistence layers, making blocked infrastructure less effective. The implant’s Node.js-based execution chain increases the chance of long-lived compromise on infected systems. Its design matters because it supports persistent backdoor control and easier reconstitution of command-and-control.
Related Happenings
INFINITERED REDCap backdoor and credential harvester
Malware Activity
H score26
First: 15.06.2026 22:44
Last: 15.06.2026 22:44
Sources 1
About this happening:
The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...
INFINITERED REDCap backdoor and credential harvester
Malware ActivityAbout this happening: The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware Activity
H score20
First: 26.03.2026 17:00
Last: 26.03.2026 17:00
Sources 1
About this happening:
The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware ActivityAbout this happening: The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...
GlassWorm multi-stage data-theft malware evolution
Malware Activity
H score22
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
GlassWorm multi-stage data-theft malware evolution
Malware ActivityAbout this happening: The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
GhostLoader staged npm install payload activity
Malware Activity
H score30
First: 24.03.2026 14:00
Last: 24.03.2026 14:00
Sources 1
About this happening:
**GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...
GhostLoader staged npm install payload activity
Malware ActivityAbout this happening: **GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...
Timeline
-
09.12.2025 19:15 1 articles · 7mo ago
React2Shell public disclosure
Initial DisclosureReact Server Components (RSCs) vulnerability CVE-2025-55182 was publicly disclosed on December 3, affecting React version 19 and related frameworks including Next.js, Waku, React Router and RedwoodSDK; shortly after disclosure, exploitation attempts were linked by AWS to Earth Lamia and Jackpot Panda, while other actors were also observed using React2Shell to install XMRig miners and credential harvesters targeting AWS configuration files and environment variables.
Show sources
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
-
08.12.2025 02:00 2 articles · 7mo ago
Sysdig identifies EtherRAT and DPRK-linked overlap
Technical Analysis UpdateSysdig Threat Research Team (TRT) analysis published on December 8 identified a novel implant delivered from a compromised Next.js application and named it EtherRAT. The malware leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, downloads Node.js from nodejs.org, and shows overlap with Contagious Interview tooling and BeaverTail patterns associated with North Korea-linked activity, suggesting possible DPRK-linked tradecraft or tooling sharing.
Show sources
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25