EtherRAT Node.js backdoor with Ethereum smart-contract C2
Malware Activity
Summary
Hide ▲
Show ▼
The EtherRAT malware activity centers on a Node.js-based backdoor that uses Ethereum smart contracts to hide and rotate C2 infrastructure. In a React2Shell attack, Sysdig says the implant was recovered from a compromised Next.js application two days after disclosure of CVE-2025-55182 and aligns with North Korea-linked Contagious Interview tooling. The malware uses a Node.js loader chain, five Linux persistence mechanisms, and blockchain-based C2 to make disruption and takedown harder.
Related Happenings
INFINITERED REDCap backdoor and credential harvester
Malware Activity
H score26
First: 15.06.2026 22:44
Last: 15.06.2026 22:44
Sources 1
About this happening:
The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...
INFINITERED REDCap backdoor and credential harvester
Malware ActivityAbout this happening: The **INFINITERED** malware was deployed on **REDCap** servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojan...
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware Activity
H score40
First: 08.06.2026 13:27
Last: 08.06.2026 13:27
Sources 1
About this happening:
The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware ActivityAbout this happening: The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
H score34
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
Inactive maintainer account 'atiertant' hit by network compromise
Incident
H score13
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Inactive maintainer account 'atiertant' hit by network compromise
IncidentAbout this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
H score34
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Node-ipc malicious versions with stealer/backdoor payload
Malware ActivityAbout this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Timeline
-
26.03.2026 17:00 3 articles · 3mo ago
EtherRAT Node.js backdoor with Ethereum smart-contract C2
Initial DisclosureInitial access used **ClickFix** attacks and **IT support scams over Microsoft Teams**, with **QuickAssist** remote access preceding deployment of the **Node.js-based backdoor**.
Show sources
- EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts — www.infosecurity-magazine.com — 26.03.2026 17:00
- EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts — www.infosecurity-magazine.com — 26.03.2026 17:00
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43