EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware Activity
Summary
The EtherRAT malware activity centers on a Node.js-based backdoor that uses Ethereum smart contracts to hide and rotate its C2 infrastructure. Sysdig reports that, in one React2Shell attack, the implant was recovered from a compromised Next.js application two days after the disclosure of CVE-2025-55182, and that it aligns with North Korea-linked Contagious Interview tooling. The malware combines a Node.js loader chain, five Linux persistence mechanisms, and blockchain-based C2, which makes disruption and takedown harder.
Related Happenings
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Payouts King ransomware QEMU reverse SSH backdoor activity
Malware Activity
First: 17.04.2026 22:10
Last: 17.04.2026 22:10
Sources 1
About this happening:
**Payouts King ransomware** is using **QEMU** hidden virtual machines and a **reverse SSH backdoor** to keep covert access on compromised hosts and evade endpoint security. The ma...
STX RAT attempted deployment in financial services environment
Malware Activity
First: 09.04.2026 18:00
Last: 09.04.2026 18:00
Sources 1
About this happening:
A previously undocumented **STX RAT** attempted deployment in a **financial services environment** exposed a stealthy RAT with **credential theft** and **remote-control** capabili...
Timeline
26.03.2026 17:00 · 3 articles
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Initial Disclosure: Initial access used **ClickFix** attacks and **IT support scams over Microsoft Teams**, with **QuickAssist** remote access preceding deployment of the **Node.js-based backdoor**.
Sources
- EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts — www.infosecurity-magazine.com — 26.03.2026 17:00
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43