Listen to this Post

Introduction:
The convergence of blockchain technology and cybercrime has reached a new apex with the emergence of EtherRAT, a sophisticated Node.js-based backdoor that stores its command-and-control (C2) infrastructure directly inside Ethereum smart contracts. First identified by Palo Alto Networks Unit 42 and subsequently analyzed by eSentire, Sysdig, and Malwarebytes, this malware represents a paradigm shift in evasion tactics — leveraging the immutable nature of public blockchains to create C2 infrastructure that is virtually impossible to takedown. What makes EtherRAT particularly dangerous is its delivery mechanism: attackers impersonate IT support staff over Microsoft Teams, socially engineer victims into granting remote access via QuickAssist, then deploy a multi-stage loader chain that ultimately installs a backdoor capable of executing arbitrary code, stealing cryptocurrency wallets, and exfiltrating cloud credentials. The campaign has already breached organizations across retail, finance, software, and business services sectors.
Learning Objectives:
- Understand how EtherRAT leverages the Ethereum blockchain (EtherHiding) to dynamically resolve C2 addresses and evade traditional takedown efforts
- Identify the multi-stage attack chain — from Microsoft Teams social engineering to MSI/PowerShell deployment and Node.js runtime installation
- Learn defensive strategies including blocking Windows utilities (pcalua.exe, mshta.exe), monitoring for Ethereum RPC queries, and implementing AppLocker/WDAC controls
You Should Know:
1. EtherHiding: The Blockchain-Powered C2 Evasion Technique
EtherRAT’s most technically distinctive feature is its use of “EtherHiding” — a method that stores C2 server addresses inside Ethereum smart contracts rather than hardcoding them into the malware binary. When the malware executes, it simultaneously queries nine public Ethereum RPC providers in parallel and selects the majority-response result, preventing single-1ode poisoning or sinkholing attacks. The C2 address is retrieved using the `eth_call` method against a hardcoded contract address, with the data payload consisting of the function signature 0x7d434425.
Operators can update C2 addresses by writing new data to the smart contract using a `setString` call, instantly rerouting all infected machines to fresh infrastructure without redeploying the malware. This creates a resilient C2 channel that cannot be disrupted by domain seizures or IP blocking — the blockchain itself becomes the authoritative source of truth for command infrastructure.
How to Detect EtherHiding Activity:
Windows: Monitor for Ethereum RPC queries from endpoints
Look for outbound connections to public RPC endpoints:
- cloudflare-eth.com
- mainnet.infura.io
- rpc.ankr.com
- ethereum.publicnode.com
PowerShell script to detect suspicious Node.js processes querying Ethereum RPCs
Get-Process -1ame node, nodejs -ErrorAction SilentlyContinue | ForEach-Object {
$connections = Get-1etTCPConnection -OwningProcess $<em>.Id -ErrorAction SilentlyContinue
if ($connections.RemoteAddress -match "^(104.|172.|35.)") {
Write-Warning "Potential EtherRAT C2 query from PID $($</em>.Id)"
$connections | Format-Table -AutoSize
}
}
Linux: Monitor for outbound connections to known Ethereum RPC providers
sudo lsof -i -P -1 | grep -E "cloudflare-eth|infura|ankr|ethereum.publicnode"
sudo netstat -tunap | grep -E "443|8545" | grep ESTABLISHED
2. The Microsoft Teams Social Engineering Vector
The initial access vector is alarmingly simple yet effective: attackers impersonate “System Administrators” or IT support staff over Microsoft Teams, then use the built-in QuickAssist remote assistance tool to gain unauthorized access to the victim’s machine. This method relies entirely on deceiving a human being rather than exploiting a software vulnerability — meaning even fully patched systems remain at risk. Once QuickAssist is established, the attacker manually executes a malicious ClickFix installer that triggers the infection chain.
Infection Chain Breakdown:
- Social Engineering: Victim receives Teams message from fake IT admin claiming system issues
- Remote Access: Attacker guides victim to launch QuickAssist (built-in Windows tool)
- Dropper Execution: Attacker runs a hidden `cmd.exe` that calls `pcalua.exe` (Windows Program Compatibility Assistant)
- HTA Loader: `pcalua.exe` launches `mshta.exe` against a remote HTA file hosted on a compromised domain
- Payload Deployment: The HTA script downloads and executes the EtherRAT payload
Defensive Measures:
Windows: Block pcalua.exe and mshta.exe via AppLocker or WDAC AppLocker rules can be configured via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker PowerShell: Query existing AppLocker rules Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections Windows: Disable the Windows Run dialog via Group Policy GPEdit.msc > User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu Windows: Monitor for suspicious pcalua.exe execution Enable PowerShell script block logging and track: - pcalua.exe -a <path_to_hta> - mshta.exe javascript:... (remote HTA execution)
3. MSI Loader and Node.js Runtime Deployment
EtherRAT is typically distributed via MSI installers, PowerShell scripts, or JavaScript scripts. The Malwarebytes analysis revealed an open directory distributing multiple versions (v1 through v10) of EtherRAT payloads. The MSI loader (e.g., v9.msi) contains three components:
| Component | Description |
|–|-|
| `KmPuGimn.cmd` | BAT launcher (obfuscated) |
| `cDQMlQAru0.xml` | First Jscript loader |
| `MRaQCipBIZeiZNx.log` | Encrypted EtherRAT payload |
MSI Execution Flow:
- The MSI executes `KmPuGimn.cmd` via `conhost –headless cmd /c`
2. The BAT file extracts components to a random folder in `%LOCALAPPDATA%`
3. It runs `where node` to check for existing Node.js installation - If Node.js is not found, it downloads the official Node.js runtime using `curl -sLo`
5. Extracts Node.js via `tar -xf` and renames the directory to a random name - Loops until both the encrypted payload and Jscript loader exist
7. Executes `node.exe` with the decrypted EtherRAT payload
Detection Commands:
Windows: Hunt for suspicious conhost.exe and node.exe execution chains
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {
$<em>.Properties[bash].Value -match "conhost.exe.--headless" -or
$</em>.Properties[bash].Value -match "node.exe..log"
} | Select-Object TimeCreated, @{N='CommandLine';E={$_.Properties[bash].Value}}
Windows: Check for Node.js installations in non-standard locations
Get-ChildItem -Path "$env:LOCALAPPDATA" -Recurse -Filter "node.exe" -ErrorAction SilentlyContinue |
Where-Object { $_.DirectoryName -match "[A-Za-z0-9]{6}" }
Linux: Detect Node.js processes running from hidden directories
ps aux | grep -E "node..(js|log)" | grep -v grep
find /home -type f -1ame ".js" -path "/.local/share/" -exec ls -la {} \;
4. Persistence Mechanisms and System Fingerprinting
EtherRAT establishes persistence through five independent Linux mechanisms and Windows registry Run key entries. On Windows, it adds a Run registry value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` pointing to a chained `conhost.exe → node.exe` execution chain. The registry value uses a randomly generated 12-character hexadecimal name to avoid pattern detection.
SYS_INFO Module — Host Profiling:
Once connected to its C2 server, EtherRAT deploys a SYS_INFO module that collects detailed system information for target profiling:
- Public IP address
- CPU and GPU information
- Operating system and hardware identifiers
- Antivirus software details
- Domain and administrator status
- System language settings (checks for CIS region languages and self-destructs if detected)
Forensic Commands:
Windows: Check for suspicious Run registry entries
Get-ChildItem -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" |
ForEach-Object { Get-ItemProperty $_.PSPath } | Format-List
Windows: Check for conhost.exe headless execution patterns
Get-WinEvent -LogName "Microsoft-Windows-Kernel-Process/Operational" |
Where-Object { $_.Message -match "conhost.exe" } |
Select-Object TimeCreated, Message -First 50
Linux: Check for five persistence mechanisms
1. Cron jobs
crontab -l 2>/dev/null | grep -v "^"
2. Systemd services
systemctl list-unit-files --state=enabled | grep -E ".service"
3. .bashrc / .profile
grep -r "node" ~/.bashrc ~/.profile 2>/dev/null
4. SSH authorized_keys
cat ~/.ssh/authorized_keys 2>/dev/null
5. /etc/init.d scripts
ls -la /etc/init.d/ | grep -v "^total"
5. CDN-Like Beaconing and Traffic Evasion
To avoid raising alarms at the network level, EtherRAT disguises its outbound traffic as ordinary CDN requests. The beacon URLs it generates look like normal static file requests, complete with random hexadecimal paths, UUIDs, and file extensions such as .ico, .png, or .css. The malware polls the C2 server every 500 milliseconds for JavaScript tasking.
The malware goes a step further by sending its own source code back to the C2 server, which returns a freshly scrambled version that overwrites the original — effectively rewriting itself on the fly to stay ahead of signature-based defenses.
Network Detection Strategies:
Linux: Monitor for suspicious beaconing patterns
Look for repeated requests to domains with random paths
sudo tcpdump -i any -1 -c 1000 'tcp port 443' | grep -E ".(ico|png|css)\?[a-f0-9]{16}"
Windows: Use netsh to capture network traces
netsh trace start capture=yes provider=Microsoft-Windows-Kernel-1etwork tracefile=C:\traces\etherrat.etl
Stop after 5 minutes
netsh trace stop
SIEM Queries (KQL/Splunk): Detect CDN-like beaconing
Look for endpoints making > 100 requests/minute to the same domain with random paths
Filter for User-Agent strings associated with Node.js (e.g., "Node.js", "axios")
6. Hardcoded C2 Addresses and Open Directory Infrastructure
The Palo Alto Networks Unit 42 investigation revealed an open directory hosted by the threat actor containing multiple frequently updated versions of EtherRAT. The image shows a web browser displaying an open directory listing with several files and folders listed, with dates and sizes, including different versions of EtherRAT. Additionally, the threat actor’s Ethereum transaction contains a hardcoded C2 address within the input data field — visible on eth.blockscout.com with the decoded C2 domain name clearly displayed.
IOCs for Threat Hunting:
Based on public reporting, the following indicators have been associated with EtherRAT campaigns:
File Hashes (SHA256):
– `294c597c89023093e1e175949f5104f887b89cd8e1cf1d3192ee9032739f259e`
– `5623f4f8942872b2b7cb6d2674c126a42bdf6ed5d1f37c1afc348529e4697d73`
– `2edf1ab615b489e228a89c617d24f66d1e780a6d5e30f6886608dfe79325acf8`
– `03c4e54cc775ab819752dc5d420ab2fed03bd445c3ce398d021031100b334fb4`
Domains:
– `www-flow-submission-management.shepherdsestates.uk`
– `rpc.payload.de`
– `hayesmed.com`
– `regancontrols.com`
– `jariosos.com`
IP Address:
– `185.218.19.162`
7. Mitigation and Response Playbook
Prevention:
- Block Windows Utilities: Use AppLocker or Windows Defender Application Control (WDAC) to block or tightly control `pcalua.exe` and `mshta.exe`
2. Restrict Remote Access Tools: Limit or disable QuickAssist and other remote desktop tools for non-IT staff - Network Controls: Block or alert on access to known public crypto RPC infrastructure (Infura, Alchemy, Cloudflare-ETH)
- User Training: Educate employees on IT support scams conducted over Microsoft Teams
Detection:
- Endpoint Monitoring: Deploy endpoint controls that can detect Node.js-based backdoors and monitor for abnormal beaconing patterns
- Network Monitoring: Alert on unexpected Ethereum RPC usage from endpoints that do not require it
- Process Monitoring: Track execution of `conhost.exe –headless` and `node.exe` from `%LOCALAPPDATA%`
Response (If EtherRAT Activity is Detected):
1. Isolate the endpoint immediately from the network
2. Terminate the running process (node.exe, conhost.exe)
- Remove persistence: Delete the HKCU Run registry entry and any dropped artifacts
- Full forensic sweep: Confirm no additional payloads were staged
- Rotate exposed credentials: Prioritize cryptocurrency wallet secrets and cloud service keys
- Expand hunting: Search across the environment for similar Ethereum-RPC lookups and CDN-like polling behavior
What Undercode Say:
- Key Takeaway 1: EtherRAT represents a fundamental shift in malware C2 infrastructure — the use of public blockchains makes takedown efforts nearly impossible. Traditional domain seizures and IP blocking are ineffective against a threat that retrieves its C2 address from an immutable, decentralized ledger. Defenders must shift their focus to detection and prevention at the endpoint and network levels rather than relying on infrastructure takedowns.
-
Key Takeaway 2: The human element remains the weakest link. The Microsoft Teams social engineering vector exploits trust and familiarity with corporate communication tools. Even organizations with perfect patch management and advanced endpoint protection remain vulnerable because the initial access requires no exploitation — just a convincing impersonation and a victim willing to grant remote access. Security awareness training must specifically address IT support impersonation scenarios.
Analysis: The EtherRAT campaign is particularly concerning because it combines three distinct evasion techniques that, when used together, create a formidable defensive challenge. First, the blockchain-based C2 resolution (EtherHiding) provides infrastructure resilience that cannot be disrupted by law enforcement or security vendors. Second, the CDN-like beaconing makes network detection extremely difficult — the traffic blends in with legitimate content delivery requests. Third, the self-modifying code and on-the-fly payload rewriting defeat signature-based detection. This triple-threat approach suggests the attackers are highly sophisticated, likely state-sponsored (North Korean APT, based on overlaps with Contagious Interview campaigns). The open directory containing multiple versions of EtherRAT indicates an active, ongoing operation with continuous development and refinement. Organizations in retail, finance, and technology sectors should treat this as a high-priority threat and implement the defensive measures outlined above immediately. The fact that the malware self-destructs if CIS region languages are detected further supports the attribution to North Korean threat actors, who typically avoid targeting Russian-speaking victims.
Prediction:
-P Blockchain-based C2 will become the new standard for advanced persistent threats. The success of EtherHiding will inspire copycat malware families and more sophisticated implementations using alternative blockchains (Solana, Avalanche, etc.). Expect to see a surge in blockchain-based C2 techniques over the next 12-18 months, making takedown efforts increasingly ineffective.
-P Microsoft Teams and other collaboration platforms will become primary attack vectors. The success of IT support impersonation campaigns will drive threat actors to expand their social engineering efforts across Slack, Zoom, and Google Chat. Organizations will need to implement stricter controls on remote assistance tools and user training.
-1 Small and medium-sized businesses will be disproportionately affected. While enterprise organizations have the resources to implement AppLocker, network monitoring, and security awareness training, SMBs typically lack these capabilities. The low-cost, high-return nature of Teams-based social engineering will make SMBs prime targets.
-P Blockchain analytics and threat intelligence will evolve to counter this threat. Security vendors will develop new detection capabilities specifically designed to monitor for Ethereum RPC queries and smart contract interactions. We will likely see the emergence of “blockchain threat intelligence” feeds that track malicious smart contracts used for C2 purposes.
-1 The React2Shell (CVE-2025-55182) exploitation vector will continue to be weaponized. EtherRAT has already been observed in React2Shell attacks, and this critical vulnerability will remain a primary entry point for nation-state actors targeting cloud environments running React/Next.js applications. Organizations must prioritize patching and monitoring for this vulnerability.
▶️ Related Video (68% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Phishing Etherrat – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


