Find notable cyber news and cases, enriched with sources, timelines, and signals.

EtherRAT Node.js backdoor with Ethereum smart-contract C2

Malware Activity
First reported
Last updated
Happening score
H score 20
2 unique sources, 2 articles

Summary

Hide ▲

The EtherRAT malware activity centers on a Node.js-based backdoor that uses Ethereum smart contracts to hide and rotate C2 infrastructure. In a React2Shell attack, Sysdig says the implant was recovered from a compromised Next.js application two days after disclosure of CVE-2025-55182 and aligns with North Korea-linked Contagious Interview tooling. The malware uses a Node.js loader chain, five Linux persistence mechanisms, and blockchain-based C2 to make disruption and takedown harder.

Related Happenings

INFINITERED REDCap backdoor and credential harvester

Malware Activity
H score26 First: 15.06.2026 22:44 Last: 15.06.2026 22:44 Sources 1

About this happening: The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...

BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment

Malware Activity
H score40 First: 08.06.2026 13:27 Last: 08.06.2026 13:27 Sources 1

About this happening: The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score34 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
H score13 First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
H score34 First: 14.05.2026 20:22 Last: 14.05.2026 20:22 Sources 1

About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...

Timeline

  1. 26.03.2026 17:00 3 articles · 3mo ago

    EtherRAT Node.js backdoor with Ethereum smart-contract C2

    Initial Disclosure

    Initial access used **ClickFix** attacks and **IT support scams over Microsoft Teams**, with **QuickAssist** remote access preceding deployment of the **Node.js-based backdoor**.

    Show sources