Hackers Use EtherRAT and EtherHiding to Hide Malware Infrastructure on Ethereum
Cyber Security News, archived Apr 01, 2026
A sophisticated backdoor called EtherRAT is actively targeting organizations across multiple sectors by hiding its command infrastructure inside the Ethereum blockchain — a move that makes it uniquely hard to track and shut down.
The malware runs on Node.js and gives attackers full remote control over compromised machines, enabling them to execute commands, steal cryptocurrency wallets, and siphon cloud credentials with minimal noise.
EtherRAT has been tied by Sysdig to a North Korean APT group through significant overlaps with “Contagious Interview” — a known campaign pattern in which threat actors impersonate recruiters and tech support staff to deliver malware.
To locate its command-and-control (C2) server the malware uses a technique called EtherHiding: the server address is stored as a string inside an Ethereum smart contract, and each infection reads it back from the chain with a read-only contract call.
Because contract state lives on a public, decentralized ledger, no hosting provider, registrar or other external authority can alter it or take the lookup down. The operators, by contrast, can change the stored address at any time by sending a single transaction that updates the contract; the only cost is the gas fee.
Since every infected machine re-reads the contract, the same update also steers older infections toward new C2 infrastructure, letting the operators reassert control over machines whose previous servers have been taken offline.
eSentire analysts identified EtherRAT in March 2026 after detecting it inside a retail industry customer’s environment.
Researchers noted strong code overlaps between EtherRAT and Tsundere, a Malware-as-a-Service botnet. Both fingerprint the operating system and check whether the victim's system language belongs to a CIS-region locale; if it does, the malware deletes itself, so machines in those countries are never infected.
Initial access varies, but eSentire's Threat Response Unit (TRU) has observed two main approaches. In the incident investigated here, the attackers used ClickFix, a lure that gets the user to run a command themselves. That command used pcalua.exe, the Windows Program Compatibility Assistant, for indirect command execution, silently fetching and running a malicious HTA file (handled by mshta.exe) from a compromised website.
In most other observed cases, the attackers posed as IT support staff over Microsoft Teams and then used Microsoft's built-in remote assistance tool Quick Assist to take control of the victim's machine.
Both methods depend on deceiving a real person rather than exploiting a software flaw, which means even fully patched systems remain at risk.
The same Ethereum smart contract address appeared across multiple eSentire customer cases, with targets spanning retail, finance, software, and business services sectors. This points to a well-organized, multi-industry campaign that continues to grow — not an isolated incident.
How EtherHiding Powers Persistent C2 Communication
EtherRAT’s most technically distinct feature is the EtherHiding mechanism that keeps its C2 connections alive even when defenders try to cut them off.
When the malware starts, it queries several public Ethereum RPC providers in parallel and adopts the value the providers most consistently return as its active C2 address, so a single unavailable or tampered provider cannot break the lookup.
Retrieve C2 via EtherHiding (Source – Esentire)
To move infrastructure, the operators send a transaction that calls the contract's setString function with the new server address. Every infected machine picks the new value up on its next lookup, so the whole botnet is rerouted without redeploying or updating the malware itself.
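The two operations a defender has to reproduce to follow an EtherHiding lookup, as an added Node.js example that is not eSentire's code and not code from EtherRAT: `decodeStringReturn` unpacks the ABI-encoded string a Solidity getter returns from an `eth_call` (an offset word, a length word, then the bytes right-padded to 32), and `resolveC2` applies a strict-majority vote across several providers' JSON-RPC answers, ignoring errors and malformed payloads. The provider names, the contract strings and the JSON-RPC envelopes are constructed fixtures; the real contract address and provider URLs are not part of this example.

```javascript
// Added example, not EtherRAT's or eSentire's code. Decodes the ABI-encoded
// string a Solidity getter returns through eth_call, then applies a strict
// majority vote across several RPC providers' answers. All provider names,
// contract strings and JSON-RPC envelopes below are constructed fixtures.

// Solidity `string` return layout: [offset][length][data right-padded to 32 bytes],
// each head word 32 bytes (64 hex characters).
function decodeStringReturn(hexResult) {
  const hex = hexResult.startsWith('0x') ? hexResult.slice(2) : hexResult;
  if (hex.length < 128 || hex.length % 64 !== 0) {
    throw new Error('result is not a 32-byte-aligned ABI word sequence');
  }
  const word = (i) => Number(BigInt('0x' + hex.slice(i * 64, i * 64 + 64)));
  const offset = word(0);                           // byte offset of the length word, normally 32
  if (offset % 32 !== 0 || offset * 2 + 64 > hex.length) throw new Error('bad offset word');
  const lengthIndex = offset / 32;
  const length = word(lengthIndex);                 // byte length of the string
  const dataStart = (lengthIndex + 1) * 64;
  if (dataStart + length * 2 > hex.length) throw new Error('declared length exceeds payload');
  return Buffer.from(hex.slice(dataStart, dataStart + length * 2), 'hex').toString('utf8');
}

// Inverse of the decoder, used here only to build the fixtures.
function encodeStringReturn(s) {
  const bytes = Buffer.from(s, 'utf8');
  const word = (n) => n.toString(16).padStart(64, '0');
  const data = bytes.toString('hex').padEnd(Math.ceil(bytes.length / 32) * 64, '0');
  return '0x' + word(32) + word(bytes.length) + data;
}

// Strict majority across decoded answers; null when no value wins, which has
// to be treated as "no trusted address" rather than picking one arbitrarily.
function pickConsensus(values) {
  const tally = new Map();
  for (const v of values) tally.set(v, (tally.get(v) || 0) + 1);
  let best = null;
  let bestCount = 0;
  for (const [value, count] of tally) {
    if (count > bestCount) { best = value; bestCount = count; }
  }
  return bestCount * 2 > values.length ? best : null;
}

// One JSON-RPC envelope per provider, as if each had answered the same eth_call.
// One provider is rate-limited and one returns a stale value (constructed).
const CONSTRUCTED_RESPONSES = [
  { provider: 'rpc-a.example.test', body: { jsonrpc: '2.0', id: 1, result: encodeStringReturn('https://cdn-a.example.test') } },
  { provider: 'rpc-b.example.test', body: { jsonrpc: '2.0', id: 1, result: encodeStringReturn('https://cdn-a.example.test') } },
  { provider: 'rpc-c.example.test', body: { jsonrpc: '2.0', id: 1, error: { code: -32005, message: 'rate limited' } } },
  { provider: 'rpc-d.example.test', body: { jsonrpc: '2.0', id: 1, result: encodeStringReturn('https://stale.example.test') } },
];

function resolveC2(responses) {
  const decoded = [];
  for (const { body } of responses) {
    if (typeof body.result !== 'string') continue;   // errors and empty answers get no vote
    try {
      decoded.push(decodeStringReturn(body.result));
    } catch {
      // malformed payload from one provider: ignore it rather than trust it
    }
  }
  return pickConsensus(decoded);
}

console.log('consensus C2:', resolveC2(CONSTRUCTED_RESPONSES));
```

An `eth_call` is a read-only query answered by the RPC node, so the lookup itself leaves no trace on the chain; the place to observe it is the web proxy, where it appears as a JSON-RPC POST carrying `"method":"eth_call"` to a public provider.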
To avoid raising alarms at the network level, EtherRAT disguises its outbound traffic as ordinary CDN requests.
The beacon URLs it generates look like normal static file requests, complete with random hexadecimal paths, UUIDs, and file extensions such as .ico, .png, or .css.
Beacon via CDN-like URL (Source – Esentire)
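A detection heuristic for the beacon pattern just described, as an added example that is not eSentire's code: it combines two signals, a request path that ends in a static-asset extension but whose every segment is a random hex run or a UUID, and request timing to the same host that is too regular for human browsing. The log lines (ISO timestamp, host, path) are constructed; a real proxy format needs its own parser, and the thresholds are starting points rather than tuned values.

```javascript
// Added example, not eSentire's code. Flags hosts whose traffic looks like
// EtherRAT's CDN-style beacons: static-asset requests whose path segments are
// random hex or UUIDs, recurring at near-constant intervals. Log lines are
// constructed (ISO timestamp, host, path); real proxy formats need a parser swap.

const STATIC_EXT = /\.(ico|png|css|js|gif|svg|woff2?)$/i;
const RANDOM_SEGMENT = /^(?:[0-9a-f]{8,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// True when the path ends in a static extension and every segment, including
// the file's base name, is random-looking (a hex run or a UUID). A bundle such
// as /assets/app.3f9a8b2c.css keeps a readable prefix and is not flagged.
function looksLikeRandomAsset(path) {
  const noQuery = path.split('?')[0];
  if (!STATIC_EXT.test(noQuery)) return false;
  const segments = noQuery.replace(/^\//, '').split('/');
  const baseName = segments[segments.length - 1].replace(STATIC_EXT, '');
  const names = [...segments.slice(0, -1), baseName];
  return names.every((s) => RANDOM_SEGMENT.test(s));
}

// Coefficient of variation of the gaps between requests: a fixed timer with
// small jitter gives a value near 0, human browsing gives a large one.
function intervalCv(timestampsMs) {
  if (timestampsMs.length < 4) return Infinity;      // too few samples to call it periodic
  const sorted = [...timestampsMs].sort((a, b) => a - b);
  const gaps = sorted.slice(1).map((t, i) => t - sorted[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean === 0) return Infinity;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

// Constructed proxy log: one beaconing host (about every 60 s, random paths)
// and one ordinary static host browsed by a human.
const CONSTRUCTED_LOG = `
2026-03-10T09:00:00Z cdn-edge.example.test /9f3a1c7e2b5d/4e1a9b2c-7d3f-4a8e-9c1b-2f6d8e0a3b5c.ico
2026-03-10T09:01:01Z cdn-edge.example.test /c2d4e6f8a0b1/1b2c3d4e5f60.png
2026-03-10T09:02:00Z cdn-edge.example.test /0a1b2c3d4e5f6a7b.css
2026-03-10T09:03:02Z cdn-edge.example.test /7e8f9a0b1c2d3e4f/5a6b7c8d9e0f.ico
2026-03-10T09:03:59Z cdn-edge.example.test /deadbeefcafe/0123456789ab.png
2026-03-10T09:00:10Z static.example.test /assets/app.3f9a8b2c.css
2026-03-10T09:00:11Z static.example.test /img/logo.png
2026-03-10T09:17:45Z static.example.test /favicon.ico
2026-03-10T09:18:02Z static.example.test /assets/vendor.9ab4c2d1.js
`.trim().split('\n');

// Group by host; flag hosts where most requests are random-looking assets and
// the request cadence is regular.
function findBeaconHosts(lines, { minRandomRatio = 0.8, maxCv = 0.2 } = {}) {
  const perHost = new Map();
  for (const line of lines) {
    const [ts, host, path] = line.trim().split(/\s+/);
    if (!ts || !host || !path) continue;
    const entry = perHost.get(host) || { times: [], total: 0, random: 0 };
    entry.times.push(Date.parse(ts));
    entry.total += 1;
    if (looksLikeRandomAsset(path)) entry.random += 1;
    perHost.set(host, entry);
  }
  const flagged = [];
  for (const [host, e] of perHost) {
    const ratio = e.random / e.total;
    const cv = intervalCv(e.times);
    if (ratio >= minRandomRatio && cv <= maxCv) {
      flagged.push({ host, requests: e.total, randomRatio: ratio, intervalCv: Number(cv.toFixed(3)) });
    }
  }
  return flagged;
}

console.log(findBeaconHosts(CONSTRUCTED_LOG));
```

Neither signal is conclusive alone: content-hashed bundles also look random, and some legitimate agents poll on a timer. Requiring both, plus a host that is otherwise never visited, keeps the false-positive rate workable for a hunt.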
The malware also sends its own source code back to the C2 server and receives a freshly re-obfuscated version that overwrites the copy on disk. Each cycle therefore yields a new file hash and new byte patterns, which keeps signature-based detection one step behind.
Persistence is a Windows registry Run key under HKCU. The value name is a randomly generated 12-character hexadecimal string, so there is no fixed name to hunt for, and the command launches the payload through conhost.exe with the --headless switch so that no console window is shown.
Persist EtherRAT via HKCU Run key (Source – Esentire)
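A hunt for that persistence pattern, as an added example that is not eSentire's code: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags values whose name is pure hexadecimal or whose command runs through `conhost.exe --headless`. The registry output below is constructed, not captured from an infection. The name rule is deliberately wider than the exact 12 characters reported (8 to 32 hex characters), so a variant that changes the length is still caught; legitimate Run values almost never use a pure-hex name.

```javascript
// Added example, not eSentire's code. Audits the text output of
// `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for the
// persistence pattern reported for EtherRAT: a random hexadecimal value name
// and a command that launches the payload through conhost.exe --headless.
// REG_OUTPUT below is constructed, not captured from an infection.

const REG_OUTPUT = [
  'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
  '    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
  '    3fa9c1e7b2d4    REG_SZ    C:\\Windows\\System32\\conhost.exe --headless "C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe" "C:\\Users\\alice\\AppData\\Roaming\\svc\\index.js"',
  '    Vendor Updater    REG_SZ    "C:\\Program Files\\Vendor\\updater.exe" /silent',
  '',
].join('\r\n');

// reg.exe prints each value as: <indent><name><2+ spaces><REG_TYPE><spaces><data>.
// The non-greedy name group tolerates value names that contain single spaces.
const VALUE_LINE = /^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s+(.*)$/;

function parseRegQuery(text) {
  const values = [];
  for (const raw of text.split(/\r?\n/)) {
    const m = VALUE_LINE.exec(raw);
    if (m) values.push({ name: m[1], type: m[2], data: m[3].trim() });
  }
  return values;
}

// Reported name is exactly 12 hex characters; 8 to 32 is accepted so a
// changed length is still caught.
const HEX_NAME = /^[0-9a-f]{8,32}$/i;
// conhost.exe --headless runs its child with no visible console window.
const HEADLESS_CONHOST = /conhost(?:\.exe)?["']?\s+--headless\b/i;

function auditRunValues(values) {
  const findings = [];
  for (const v of values) {
    const reasons = [];
    if (HEX_NAME.test(v.name)) reasons.push('random-hex value name');
    if (HEADLESS_CONHOST.test(v.data)) reasons.push('launched through conhost.exe --headless');
    if (reasons.length > 0) findings.push({ ...v, reasons });
  }
  return findings;
}

console.log(auditRunValues(parseRegQuery(REG_OUTPUT)));
```

The same two rules translate directly into an EDR query over registry-value-set events, which is where they belong in production; the script form is for triaging a host whose registry export you already have.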
TRU advises blocking mshta.exe and pcalua.exe with AppLocker or Windows Defender Application Control (WDAC).
The Run prompt (Win+R), which ClickFix lures rely on, should be restricted through Group Policy, and employees should receive awareness training that covers IT-support impersonation and ClickFix scenarios.
Blocking corporate egress to public cryptocurrency RPC providers stops the EtherHiding lookup before a C2 session is ever established; because the malware fans out to several providers, the block list has to cover all of them and be kept current. A Next-Gen Antivirus (NGAV) or Endpoint Detection and Response (EDR) product remains essential for detecting and containing infections quickly.