EtherRAT Malware Hides Using Ethereum Blockchain

Posted on April 1, 2026 By CWS

An advanced form of malware called EtherRAT is targeting organizations across various sectors by embedding its command infrastructure within the Ethereum blockchain. This strategy complicates tracking and dismantling the malware, making it particularly elusive.

Malware’s Capabilities and Origin

Built on Node.js, EtherRAT lets attackers remotely control infected systems: executing commands, stealing cryptocurrency wallets, and harvesting cloud credentials with minimal detection. Sysdig has linked EtherRAT to a North Korean APT group, citing substantial overlap with the ‘Contagious Interview’ campaign, in which the operators pose as recruiters to distribute malware.

Utilizing EtherHiding Technique

EtherRAT uses a technique known as EtherHiding to manage its command-and-control (C2) address, storing it in an Ethereum smart contract. Because the contract state cannot be altered or taken down by outsiders, the operators can rotate servers simply by writing a new address into the contract. The same mechanism lets them redirect previously compromised systems to fresh C2 infrastructure, keeping control at minimal cost.

Detection and Techniques Used

eSentire analysts identified EtherRAT in March 2026 after it was found in the environment of a retail industry client. Researchers noted significant code similarities between EtherRAT and the Tsundere botnet, both of which perform OS fingerprinting and self-destruct if the target machine uses a language from the CIS region.

The initial system access varies, but two primary methods have been observed. In one case, attackers used a method dubbed ClickFix, which leverages the Windows component pcalua.exe to execute malicious scripts. Another common tactic involves posing as IT support over Microsoft Teams and using QuickAssist to gain unauthorized access. Both approaches rely on deceiving individuals rather than exploiting software vulnerabilities, posing risks even to fully updated systems.

Defensive Measures and Recommendations

The same smart contract address associated with EtherRAT has been found in multiple cases across sectors like retail, finance, and software, indicating a coordinated attack effort. To combat this, security experts suggest disabling mshta.exe and pcalua.exe through AppLocker or WDAC, restricting the Run prompt via Group Policy, and enhancing employee awareness regarding IT support scams and ClickFix scenarios.

Blocking access to cryptocurrency RPC providers can prevent EtherHiding-based C2 communication. Implementing Next-Gen Antivirus (NGAV) or Endpoint Detection and Response (EDR) solutions is crucial for identifying and mitigating infections swiftly.
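The AppLocker and Group Policy hardening recommended above, as an added example that is not code from the article or from eSentire or Sysdig: it merges path-based Deny rules for mshta.exe and pcalua.exe into the local AppLocker policy and sets the Explorer `NoRun` value that backs the "Remove Run menu from Start Menu" policy. Rule names, GUIDs and the output path are generated or assumed here.

```powershell
# Added example. Requires an elevated prompt and the Application Identity
# service (AppIDSvc) running, otherwise AppLocker rules are not enforced.
$ErrorActionPreference = 'Stop'

function New-DenyRule([string]$Name, [string]$Path) {
    # AppLocker path rule for all users (S-1-1-0 = Everyone).
    # Deny rules take precedence over Allow rules, so these hold even when
    # the default rules allow everything under %WINDIR%.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# %SYSTEM32% is an AppLocker path variable, not an environment variable.
# EnforcementMode="NotConfigured" keeps whatever enforcement setting the
# existing local policy or GPO already has; an enforced Exe collection
# blocks anything not explicitly allowed, so enable enforcement only once
# the default Allow rules (Windows, Program Files, Administrators) are present.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$(New-DenyRule -Name 'Deny mshta.exe (ClickFix lure)' -Path '%SYSTEM32%\mshta.exe')
$(New-DenyRule -Name 'Deny pcalua.exe (ClickFix lure)' -Path '%SYSTEM32%\pcalua.exe')
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'deny-clickfix-lolbins.xml'   # assumed path
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8
# -Merge adds these rules to the current policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# "Remove Run menu from Start Menu" maps to this per-user registry value;
# it also disables Win+R, which ClickFix lures rely on. Deploy via GPO at scale.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoRun' -Value 1 -Type DWord

# Confirm the Deny rules are now part of the effective local policy.
Get-AppLockerPolicy -Local -Xml | Select-String 'Action="Deny"'
```

Before enforcing, run the collection in audit mode and review event ID 8003 entries in the AppLocker event log for legitimate uses of either binary.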
