A new EtherRAT malware campaign using Ethereum smart contracts to hide command-and-control (C2) infrastructure has been identified by researchers.
According to a new advisory published by eSentire on March 25, the activity was observed during a March 2026 incident response investigation in the retail sector, where adversaries deployed a Node.js‑based backdoor after gaining initial access.
The researchers found the malware enables attackers to execute commands remotely, collect extensive system data and steal cryptocurrency wallets and cloud credentials.
The most notable development is the use of a technique known as EtherHiding, which stores C2 addresses inside Ethereum smart contracts, allowing operators to rotate infrastructure cheaply and avoid traditional takedown efforts.
Ethereum Smart Contracts Used For Command Infrastructure
Investigators observed several methods used to gain initial access, including ClickFix attacks and IT support scams conducted over Microsoft Teams, followed by QuickAssist remote access.
In the ClickFix case, attackers used indirect command execution to launch a malicious script through Windows utilities, bypassing security restrictions.
The infection chain involved multiple stages, including encrypted payloads and obfuscated scripts that ultimately deployed EtherRAT and established persistence through Windows registry keys.
Once installed, EtherRAT retrieved C2 addresses from Ethereum blockchain smart contracts via public RPC providers. The malware then communicated with the server using traffic designed to resemble normal content delivery network requests, helping it blend into legitimate network activity.
Read more on Ethereum smart contracts and malware infrastructure: Malicious npm Packages Exploit Ethereum Smart Contracts
eSentire said attackers could update C2 addresses by writing new data to the smart contract, allowing previously infected machines to reconnect to new servers with minimal cost.
System Fingerprinting and Data Collection
After connecting to its command server, the malware deployed a module that collected detailed system information used for target profiling. This includes:
-
Public IP address
-
CPU and GPU information
-
Operating system and hardware identifiers
-
Antivirus software details
-
Domain and administrator status
The malware also checked system language settings and deleted itself if certain CIS (Commonwealth of Independent States) region languages were detected.
The report concluded that organizations should disable certain Windows utilities, train employees to recognize IT support scams and consider blocking cryptocurrency RPC providers commonly used by attackers.
