EtherRAT Campaign Linked to Shared Infrastructure Hosting Phishing Kits and Malware
Researchers uncovered a malicious infrastructure distributing EtherRAT, a Node.js remote access trojan delivered through exposed open directories alongside phishing pages, malicious documents, remote desktop software, and other malware. EtherRAT can execute arbitrary JavaScript received from its command-and-control servers and uses the Ethereum blockchain to retrieve active C2 information, a design that helps the operators maintain access even if parts of the infrastructure are taken down.
Analysis of the MSI and PowerShell delivery chains showed the malware installing or reusing Node.js, decrypting staged payloads, establishing persistence, and launching the final RAT via conhost.exe. Investigators also observed post-compromise reconnaissance activity and found misconfigured directories exposing phishing kit components, themed landing pages, and URL cloaker source code, indicating the same ecosystem was supporting both credential phishing and malware delivery, potentially for multiple actors or campaigns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Misconfigurations expose phishing kits and URL cloaker code
Researchers observed open directories and other misconfigurations that exposed phishing kit components and URL cloaker source code tied to the same ecosystem. These findings linked the infrastructure to credential phishing operations and suggested a shared or multi-actor criminal platform supporting multiple campaigns.
Researchers document MSI and PowerShell EtherRAT delivery chains
Analysis of the malware delivery chains showed MSI and PowerShell installers that install or reuse Node.js, decrypt staged payloads, establish persistence, and launch the final RAT through conhost.exe. One source also noted observed post-compromise reconnaissance commands.
Analysis reveals EtherRAT's blockchain-backed C2 mechanism
Researchers determined that EtherRAT is a Node.js remote access trojan capable of executing arbitrary JavaScript from its command-and-control server. They also found it uses the Ethereum blockchain to retrieve active C2 infrastructure, which increases resilience against takedowns.
Researchers identify EtherRAT distribution via open directory
Threat researchers found EtherRAT being distributed through an open directory and linked it to a broader malicious infrastructure. The same infrastructure was observed hosting malware, phishing pages, malicious documents, and remote desktop software.
Researchers report EtherRAT spread via GitHub facades spoofing admin tools
Atos reported EtherRAT being distributed through GitHub facades that spoof administrative tools, indicating an additional lure and delivery method beyond the open-directory exposure already documented. This expands the known distribution tactics associated with the malware.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Inside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceInside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software | Malwarebytes
malwarebytes.com
Open sourceEtherRAT Distribution Spoofing Administrative Tools via GitHub Facades - Atos
atos.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Spoofed GitHub IT Tools Spread EtherRAT via Ethereum-Based C2
Researchers reported a stealthy malware campaign targeting enterprise administrators, DevOps engineers, and security analysts by impersonating trusted administrative and developer utilities in malicious MSI installers. The operation used SEO poisoning to push victims toward spoofed tool listings and a dual-stage GitHub distribution chain in which benign-looking facade repositories redirected users to secondary repositories hosting the real payload, enabling operators to rotate malware quickly while preserving search credibility. At least 44 GitHub facade repositories spoofing IT tools were observed between December 2025 and early April 2026. The payload, **EtherRAT**, is a multi-stage Node.js remote access trojan that downloads Node.js at runtime, establishes registry-based persistence, and executes through `conhost.exe` with a `--headless` argument to reduce visibility. Researchers said the malware uses layered `AES-256-CBC` encryption and retrieves its live command-and-control endpoint through public Ethereum RPC services and a hardcoded smart contract, effectively using the blockchain as a dead-drop resolver that complicates domain and IP takedowns. Reporting linked the campaign to prior EtherRAT and EtherHiding activity and said the tradecraft overlaps with malware previously associated with **Lazarus Group**, while also noting code similarities to **Tsundere**, a malware family tied in other research to **MuddyWater (APT34)**.
May 11, 2026
Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
Mar 21, 2026
React2Shell Exploitation Delivers EtherRAT via Blockchain C2
Threat actors have begun exploiting the recently disclosed React2Shell vulnerability in React Server Components (RSC), tracked as CVE-2025-55182, to deploy a novel remote access trojan named EtherRAT. The Sysdig Threat Research Team first documented EtherRAT in active attacks against Next.js applications, noting its use of Ethereum blockchain-based command and control (C2) infrastructure. EtherRAT operates as a fileless malware, running payloads via Node.js without writing to disk, and features modules for system reconnaissance, credential harvesting, worm-like propagation, web server hijacking, and SSH backdoor installation. The malware’s blockchain C2 mechanism provides both operational stealth and a forensic trail, as all infrastructure changes are permanently recorded on Ethereum. Attribution remains uncertain, but North Korean-linked actors are suspected, with the campaign excluding targets in Commonwealth of Independent States (CIS) countries. Security briefings confirm that EtherRAT leverages five independent Linux persistence mechanisms and downloads its own Node.js runtime from nodejs.org, further complicating detection and remediation. The campaign marks the first public documentation of React2Shell being used for more than cryptomining, representing a significant escalation in post-exploitation capabilities. Defenders are advised to monitor for React2Shell exploitation, review blockchain activity for C2 indicators, and implement robust credential and endpoint protections to mitigate the risk posed by EtherRAT and similar fileless threats.
Mar 21, 2026