Find notable cyber news and cases, enriched with sources, timelines, and signals.

EtherRAT remote access trojan with blockchain-based C2

Malware Activity
First reported
Last updated
Happening score
H score 31
2 unique sources, 2 articles

Summary

Hide ▲

EtherRAT is now a live Linux RAT threat because it combines Ethereum smart contracts for C2 with multiple persistence layers, making blocked infrastructure less effective. The implant’s Node.js-based execution chain increases the chance of long-lived compromise on infected systems. Its design matters because it supports persistent backdoor control and easier reconstitution of command-and-control.

Related Happenings

INFINITERED REDCap backdoor and credential harvester

Malware Activity
H score26 First: 15.06.2026 22:44 Last: 15.06.2026 22:44 Sources 1

About this happening: The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
H score23 First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

EtherRAT Node.js backdoor with Ethereum smart-contract C2

Malware Activity
H score20 First: 26.03.2026 17:00 Last: 26.03.2026 17:00 Sources 1

About this happening: The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...

GlassWorm multi-stage data-theft malware evolution

Malware Activity
H score22 First: 25.03.2026 16:26 Last: 25.03.2026 16:26 Sources 1

About this happening: The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...

GhostLoader staged npm install payload activity

Malware Activity
H score30 First: 24.03.2026 14:00 Last: 24.03.2026 14:00 Sources 1

About this happening: **GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...

Timeline

  1. 09.12.2025 19:15 1 articles · 7mo ago

    React2Shell public disclosure

    Initial Disclosure

    React Server Components (RSCs) vulnerability CVE-2025-55182 was publicly disclosed on December 3, affecting React version 19 and related frameworks including Next.js, Waku, React Router and RedwoodSDK; shortly after disclosure, exploitation attempts were linked by AWS to Earth Lamia and Jackpot Panda, while other actors were also observed using React2Shell to install XMRig miners and credential harvesters targeting AWS configuration files and environment variables.

    Show sources
  2. 08.12.2025 02:00 2 articles · 7mo ago

    Sysdig identifies EtherRAT and DPRK-linked overlap

    Technical Analysis Update

    Sysdig Threat Research Team (TRT) analysis published on December 8 identified a novel implant delivered from a compromised Next.js application and named it EtherRAT. The malware leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, downloads Node.js from nodejs.org, and shows overlap with Contagious Interview tooling and BeaverTail patterns associated with North Korea-linked activity, suggesting possible DPRK-linked tradecraft or tooling sharing.

    Show sources