New EtherRAT Malware Campaign Utilizes Ethereum Smart Contracts for Command-and-Control Infrastructure
Researchers have identified a new malware campaign, tracked as EtherRAT, that uses Ethereum smart contracts to hide its command-and-control (C2) infrastructure. The findings were published in an eSentire advisory on March 25, 2026. The campaign surfaced during an incident response engagement in the retail sector, where the operators deployed a Node.js-based backdoor after gaining initial access to the targeted systems.
Once running, the backdoor executes remote commands, collects detailed host information, and steals sensitive data, including cryptocurrency wallets and cloud credentials. What sets EtherRAT apart is its use of a technique known as EtherHiding: the operators store their C2 addresses in an Ethereum smart contract rather than in the binary or on a server they control. Because the contract lives on a public blockchain, there is no hosting provider to serve with a takedown request, and rotating the infrastructure costs the operators no more than a single transaction.
Ethereum Smart Contracts: The Backbone of C2 Infrastructure
eSentire's investigation identified several initial-access paths. These included ClickFix lures, in which the victim is tricked into pasting and running a command themselves, and IT-support scams conducted over Microsoft Teams that were followed by remote sessions through Microsoft Quick Assist. In the ClickFix cases, the pasted commands did not run the payload directly but invoked built-in Windows utilities to launch the malicious scripts, which let them slip past security restrictions.
The infection chain ran through multiple stages of encrypted payloads and obfuscated scripts before EtherRAT itself was deployed, and persistence was established by modifying Windows registry keys. Once installed, the malware retrieved its C2 addresses by reading an Ethereum smart contract through public remote procedure call (RPC) providers. Those lookups are ordinary HTTPS POST requests to widely used services, so they resemble routine content delivery network traffic and blend into legitimate network activity, which makes the stage hard to spot without inspecting the request bodies.
According to eSentire, the operators update the C2 addresses simply by writing new data into the contract. A single write is enough for every previously infected machine that polls the contract to reconnect to a newly established server, so the risk to affected organizations persists even after the current servers are taken down.
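To make the retrieval step concrete, the following added example (written for this page, not code from the campaign or from eSentire) shows what an EtherHiding-style lookup looks like on the wire and how a defender can pick it out of proxy logs. It assumes a hypothetical contract address and function selector, a constructed contract reply, and three constructed proxy-log records; the JSON-RPC `eth_call` shape and the ABI encoding of a `string` return value are standard Ethereum conventions.

```python
"""Added example: how an EtherHiding-style C2 lookup is shaped on the wire,
and one way to spot it in proxy logs. Not the campaign's own code."""
import json

# --- Constructed/hypothetical values -------------------------------------
# Neither the contract address nor the selector below belongs to any real
# contract; a real selector is the first 4 bytes of keccak256(signature).
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x12345678"


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body a client sends to read a view function from a contract.
    This is the standard Ethereum eth_call shape; any public RPC provider
    answers it, which is what makes the lookup hard to block by endpoint."""
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """ABI-encode a single `string` return value: offset word, length word,
    then UTF-8 bytes right-padded to a 32-byte boundary."""
    raw = s.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)
    words = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + padded
    return "0x" + words.hex()


def abi_decode_string(hexdata: str) -> str:
    """Inverse of abi_encode_string, with bounds checks so a truncated or
    hostile response raises instead of returning garbage."""
    blob = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(blob) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(blob[:32], "big")
    if offset + 32 > len(blob):
        raise ValueError("offset points outside the result")
    length = int.from_bytes(blob[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(blob):
        raise ValueError("declared length exceeds the result")
    return blob[start:start + length].decode("utf-8")


def extract_c2(rpc_response: str) -> str:
    """Turn a raw eth_call JSON-RPC reply into the operator-controlled string
    an implant would treat as its C2 address."""
    reply = json.loads(rpc_response)
    if "error" in reply:
        raise ValueError(f"RPC error: {reply['error']}")
    return abi_decode_string(reply["result"])


# --- Detection side ------------------------------------------------------
def flag_json_rpc(log_lines, allowed_hosts):
    """Scan constructed proxy-log records (one JSON object per line with
    host/method/body fields) and return (host, rpc_method) for any Ethereum
    JSON-RPC call to a host outside the allow-list. The body check matters:
    the URL looks like any other POST, so host reputation alone misses it."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        try:
            body = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            continue
        rpc_method = body.get("method", "") if isinstance(body, dict) else ""
        if rpc_method.startswith("eth_") and rec["host"] not in allowed_hosts:
            hits.append((rec["host"], rpc_method))
    return hits


# Constructed sample: one fake contract reply and three fake proxy records.
C2_IN_CONTRACT = "https://cdn.example.net/v1"
SAMPLE_REPLY = json.dumps({"jsonrpc": "2.0", "id": 1,
                           "result": abi_encode_string(C2_IN_CONTRACT)})
SAMPLE_LOGS = [
    json.dumps({"host": "cdn.example.net", "method": "GET", "body": ""}),
    json.dumps({"host": "rpc.example.org", "method": "POST",
                "body": json.dumps(build_eth_call(CONTRACT, SELECTOR))}),
    json.dumps({"host": "approved-node.example.com", "method": "POST",
                "body": json.dumps({"jsonrpc": "2.0", "id": 7,
                                    "method": "eth_blockNumber", "params": []})}),
]

if __name__ == "__main__":
    print("implant would connect to:", extract_c2(SAMPLE_REPLY))
    print("flagged:", flag_json_rpc(SAMPLE_LOGS, {"approved-node.example.com"}))
```

The decoder is deliberately strict about offsets and lengths: a poisoned or truncated RPC reply should fail loudly rather than hand back a partial string. On the detection side, keying on the JSON-RPC `method` field inside POST bodies is what separates this traffic from the CDN requests it is meant to resemble, and an allow-list keeps any legitimate Web3 tooling in the environment from generating noise.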
System Fingerprinting and Data Collection Protocols
After connecting to its command server, EtherRAT runs a module that collects detailed system information for target profiling. The harvested data includes:
- Public IP address
- CPU and GPU specifications
- Operating system and hardware identifiers
- Details regarding antivirus software
- Domain and administrator status
The malware also checks the system's language settings and deletes itself if it finds a language associated with certain Commonwealth of Independent States (CIS) regions, a guard commonly seen in malware whose operators avoid infecting hosts in their home region.
Based on these findings, eSentire recommends several countermeasures: disabling the specific Windows utilities abused in the ClickFix stage, training employees to recognize and report IT-support scams, and considering a block on the cryptocurrency RPC providers the attackers rely on. That last control is only clean where the organization has no legitimate Web3 traffic; elsewhere, alerting on Ethereum JSON-RPC requests from endpoints that have no business reason to make them is the more targeted option.
Conclusion
EtherRAT's use of Ethereum smart contracts for C2 resolution shows how adversaries are moving parts of their infrastructure onto systems that defenders cannot take down. Techniques such as EtherHiding remove the single point of failure that domain seizures and hosting takedowns depend on, which means controls built around blocking known-bad endpoints need to be supplemented with behavioral detection of the lookup itself and with the user-awareness and utility-hardening measures described above.

