New malware hides its command servers on the Ethereum blockchain

Researchers at Malwarebytes have uncovered a stealthy remote access trojan that pulls the address of its command server straight from the Ethereum blockchain, a trick that makes the attacker's infrastructure far harder for defenders to take down. The malware, named EtherRAT, was found being handed out by a sprawling web of malicious sites that also push phishing pages, booby-trapped documents, and fake remote-control software.

A remote access trojan, or RAT, is malware that hands an attacker full control of an infected machine. EtherRAT is written in Node.js and is small by design: it mostly runs whatever JavaScript its operator sends back, letting the attacker steal files, change the Windows registry, and exfiltrate data on demand.

Why the blockchain twist matters

Most malware hard-codes its command-and-control (C2) address or hides it behind a handful of domains that can be seized or sinkholed. EtherRAT instead reads the live C2 address from a smart contract on the Ethereum mainnet using the standard eth_call method, reaching it through legitimate public blockchain gateways. Because the lookup rides on Ethereum's own infrastructure, there is no single domain for defenders to pull, and the operator can quietly repoint victims by updating the contract.

The sample Malwarebytes analyzed read its C2 pointer from contract 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58 and queried public nodes such as eth[.]drpc[.]org and ethereum-rpc[.]publicnode[.]com to resolve it.
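As an added example (not code from the Malwarebytes report or the IntelFusions briefing), the following Python shows how a defender could flag the lookup described above from proxy logs: it parses JSON-RPC POST bodies, extracts the `to` address of every `eth_call` (single or batched), and scores a record high when it targets the contract address from the briefing, or medium when a non-browser process issues `eth_call` through one of the public gateways named above. It assumes outbound POST bodies are visible (a TLS-inspecting proxy) and that the record schema (`host`, `process`, `body`), the browser list and the sample records are constructed for the example.

```python
import json

# Contract address and gateway hostnames are taken from the briefing's own
# indicators (the text shows the hostnames defanged).
WATCHLISTED_CONTRACTS = {"0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58"}
PUBLIC_GATEWAYS = {"eth.drpc.org", "ethereum-rpc.publicnode.com"}

# Processes expected to talk to blockchain gateways on an ordinary endpoint (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def eth_call_targets(body):
    """Return the lowercased 'to' addresses of every eth_call in a JSON-RPC body.
    Accepts a single request object or a batch (JSON array); anything else yields nothing."""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return set()
    requests = payload if isinstance(payload, list) else [payload]
    targets = set()
    for req in requests:
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params")
        if isinstance(params, list) and params and isinstance(params[0], dict):
            to = params[0].get("to")
            if isinstance(to, str):
                targets.add(to.lower())   # addresses may be checksummed (mixed case)
    return targets


def assess(record):
    """Score one outbound HTTP POST. record fields (constructed schema): host, process, body.
    Returns (severity, reason) with severity 'high', 'medium' or 'none'."""
    targets = eth_call_targets(record.get("body", ""))
    hits = targets & WATCHLISTED_CONTRACTS
    process = record.get("process", "").lower()
    if hits:
        return ("high", f"eth_call to watchlisted contract {sorted(hits)[0]} by {process}")
    if targets and record.get("host", "").lower() in PUBLIC_GATEWAYS and process not in BROWSERS:
        return ("medium", f"non-browser process {process} issuing eth_call via public gateway")
    return ("none", "")


def triage(records):
    return [assess(r) for r in records]


# Constructed sample records, not real captured traffic; "data": "0x" is a placeholder calldata.
SAMPLE_RECORDS = [
    {"host": "eth.drpc.org", "process": "node.exe",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0x88EA8D0BC4146F0A018E989DF3FD089AC48F9A58", "data": "0x"}, "latest"]})},
    {"host": "ethereum-rpc.publicnode.com", "process": "chrome.exe",
     "body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                         "params": [{"to": "0x0000000000000000000000000000000000000001", "data": "0x"}, "latest"]})},
    {"host": "ethereum-rpc.publicnode.com", "process": "svchost.exe",
     "body": json.dumps([{"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
                         {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                          "params": [{"to": "0x0000000000000000000000000000000000000002", "data": "0x"}, "latest"]}])},
    {"host": "example.com", "process": "node.exe", "body": "not json"},
]

if __name__ == "__main__":
    for rec, (sev, why) in zip(SAMPLE_RECORDS, triage(SAMPLE_RECORDS)):
        print(f"{sev:6} {rec['host']:30} {why}")
```

Matching on the gateway hostname alone is deliberately only context, not a verdict: these are legitimate public services, and blocking them outright would break wallet extensions and dapps. The contract address is the precise indicator; if the operator deploys a new contract, only the medium-severity behavioural rule still fires, so both belong in the ruleset.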

How the attack works

Victims are typically lured through phishing emails carrying PDF or Excel attachments that ask the recipient to click through to a document. Those links lead into the wider network, where MSI installers and PowerShell scripts (named v1 through v10 in an open directory) kick off the infection. The MSI loader drops an obfuscated batch file that quietly downloads a legitimate copy of Node.js, sets up persistence through a registry key, and decrypts the EtherRAT payload in stages.

One of EtherRAT's nastier features is self-mutation: after it starts, it sends its own source code to the C2, which returns a freshly obfuscated copy that is written back to disk. Every run therefore produces a new file hash, frustrating signature-based detection.

A shared, bulletproof network

Following the EtherRAT trail led the researchers to a much larger setup. The same IP addresses have, over time, served phishing pages on Teams- and SharePoint-themed redirect paths, "URL cloaker" redirect pages, and pages advertising a "bulletproof" hosting service. Misconfigured servers even exposed parts of the phishing kit source code. The infrastructure looks shared, with multiple threat actors switching different URL endpoints on and off per campaign, a pattern IntelFusions has seen before in malicious networks that hijack software downloads to spread stealers. The Node.js approach also echoes other recent commodity RATs such as the Argamal RAT spread through trojanized games.

What you should do

There is no patch to apply here: this is a malware and phishing operation rather than a software flaw, so detection and user awareness are the defenses. Treat unexpected emails that push you to "view a document" with suspicion, block the indicators below, and watch for Node.js being downloaded and run from user profile folders (%LOCALAPPDATA%) by an unattended script, which is unusual on most endpoints.

Selected indicators of compromise

Full technical details and the complete indicator list are in the original report from the Malwarebytes threat intelligence team.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions