
EtherRAT Malware Leverages Ethereum Smart Contracts for C2 Evasion and Cryptocurrency Theft

1 unique source, 1 article

Summary


A newly identified EtherRAT campaign employs Ethereum smart contracts to host and rotate command-and-control (C2) infrastructure, evading traditional takedown mechanisms. The malware, observed in a March 2026 retail sector incident response, delivers a Node.js-based backdoor after initial access via ClickFix attacks and Microsoft Teams–based IT support scams. Once deployed, EtherRAT exfiltrates system data, steals cryptocurrency wallets and cloud credentials, and blends malicious traffic with legitimate CDN requests. The attack chain includes obfuscated scripts, encrypted payloads, and Windows registry persistence, with C2 addresses retrieved dynamically from Ethereum smart contracts via public RPC endpoints. Operators can update C2 infrastructure by writing new data to contracts, enabling low-cost retooling and sustained access.
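As an added defender-side example that is not part of the report or any vendor tooling: the C2 lookup described above is a read of a smart contract over a public RPC endpoint, which on the wire is an HTTP POST carrying a JSON-RPC request. The script below scans constructed proxy log events for such Ethereum read calls from processes that have no business talking to an RPC provider; the event field names, the hostnames, the process allowlist and the all-zero contract address are assumptions.

```python
"""Flag Ethereum JSON-RPC reads from unexpected processes in egress proxy logs.
EtherRAT fetches its C2 address from a smart contract through public RPC
endpoints; that read is an HTTP POST carrying JSON-RPC, which a proxy can log."""
import json
from typing import List, Optional, Tuple

# Read-only methods a client would use to fetch data stored in a contract.
ETH_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
# Assumption: browsers may legitimately talk to dapps; anything else is flagged.
ALLOWED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def eth_rpc_method(body: str) -> Optional[str]:
    """Return the first Ethereum read method in a JSON-RPC body, else None."""
    try:
        parsed = json.loads(body) if body else None
    except ValueError:
        return None
    # JSON-RPC allows batches (a list of requests), so normalise to a list.
    for msg in (parsed if isinstance(parsed, list) else [parsed]):
        if (isinstance(msg, dict) and msg.get("jsonrpc") == "2.0"
                and msg.get("method") in ETH_READ_METHODS):
            return msg["method"]
    return None

def find_suspicious(events: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (host, process, destination, method) for each flagged event."""
    hits = []
    for ev in events:
        method = eth_rpc_method(ev.get("body", ""))
        if method and ev["proc"].lower() not in ALLOWED_PROCS:
            hits.append((ev["host"], ev["proc"], ev["dst"], method))
    return hits

def _rpc(method: str, *params) -> str:
    # Build a JSON-RPC 2.0 request body (helper for the sample events only).
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": list(params)})

# Constructed sample events: field names, hosts and the all-zero contract
# address are placeholders, not indicators from the report.
ZERO_ADDR = "0x" + "0" * 40
SAMPLE_EVENTS = [
    {"host": "pos-07", "proc": "chrome.exe", "dst": "cdn.example", "body": ""},
    {"host": "pos-07", "proc": "node.exe", "dst": "rpc.example",
     "body": _rpc("eth_call", {"to": ZERO_ADDR, "data": "0x"}, "latest")},
    {"host": "pos-07", "proc": "chrome.exe", "dst": "rpc.example",
     "body": _rpc("eth_call", {"to": ZERO_ADDR}, "latest")},  # browser: allowed
    {"host": "pos-07", "proc": "node.exe", "dst": "api.example",
     "body": json.dumps({"status": "ok"})},  # plain JSON, not JSON-RPC
    {"host": "pos-07", "proc": "node.exe", "dst": "rpc.example",
     "body": "[" + _rpc("eth_getStorageAt", ZERO_ADDR, "0x0") + "]"},  # batch
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only the two `node.exe` events, including the batched request; the browser call and the non-RPC JSON body pass.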

Timeline

  1. 26.03.2026 17:00 · 1 article

    EtherHiding: EtherRAT Adopts Ethereum Smart Contracts for C2 Rotation in Active Campaign

    In March 2026, a Node.js-based EtherRAT backdoor was deployed in a retail sector incident via ClickFix attacks and Microsoft Teams IT support scams. The malware retrieves C2 addresses from Ethereum smart contracts via public RPC endpoints, enabling low-cost infrastructure rotation and traffic blending with legitimate CDN requests. Post-exploitation modules collect system metadata, steal cryptocurrency wallets and cloud credentials, and establish persistence through Windows registry modifications. Automated kill switches terminate execution in CIS region environments, indicating tactical counter-detection measures.


Information Snippets

  • EtherRAT uses Ethereum smart contracts to store and rotate C2 addresses, a technique referred to as EtherHiding, to evade infrastructure takedowns and reduce operational costs.

    First reported: 26.03.2026 17:00
    1 source, 1 article
  • The malware was deployed as a Node.js-based backdoor after initial access via ClickFix attacks and Microsoft Teams IT support scams, leveraging indirect command execution to bypass security restrictions.

    First reported: 26.03.2026 17:00
    1 source, 1 article
  • EtherRAT retrieves C2 addresses from Ethereum smart contracts via public RPC providers and disguises its traffic as legitimate CDN requests to blend into network activity.

    First reported: 26.03.2026 17:00
    1 source, 1 article
  • Post-infection, the malware performs extensive system fingerprinting, collecting public IP, CPU/GPU details, OS/hardware identifiers, antivirus status, domain/admin privileges, and language settings, with a kill switch if CIS region languages are detected.

    First reported: 26.03.2026 17:00
    1 source, 1 article
  • The infection chain involves encrypted payloads, obfuscated scripts, and persistence via Windows registry keys, with cryptocurrency wallets and cloud credentials among the targeted data for theft.

    First reported: 26.03.2026 17:00
    1 source, 1 article