Researchers Uncover Sprawling Infrastructure Distributing EtherRAT Malware via Open Directories

Vast Malicious Infrastructure Found Delivering EtherRAT and Phishing Kits

MEDIUM
June 16, 2026
2m read
MalwareThreat IntelligencePhishing

Related Entities

Organizations

Malwarebytes

Products & Tech

Node.jsEthereum PowerShell

Other

EtherRAT

MITRE ATT&CK Techniques

T1102.002

Bidirectional Communication

T1204.002

Malicious File

T1059.001

PowerShell

T1071

Application Layer Protocol

Full Report

Executive Summary

Security researchers from Malwarebytes have uncovered a vast and active malicious infrastructure dedicated to distributing a variety of threats. The centerpiece of this operation is EtherRAT, a remote access trojan (RAT) written in Node.js. The malware is notable for its novel command-and-control (C2) mechanism, which leverages the Ethereum blockchain to dynamically retrieve its C2 server address. The infrastructure also hosts numerous phishing kits and other malware, distributed through a network of websites featuring open directories.

Threat Overview

The investigation began from a single open directory hosting MSI installers and PowerShell scripts, which led researchers down a rabbit hole to a sprawling network of malicious sites. The operation appears focused on widespread, opportunistic infections rather than targeted attacks.

  • Malware: EtherRAT
  • Type: Remote Access Trojan (RAT)
  • Language: Node.js
  • Key Feature: Uses the Ethereum blockchain for C2 server discovery.
  • Distribution: Open directories, malicious installers, phishing.

Technical Analysis

EtherRAT itself is a potent RAT that, once installed, provides the attacker with full control over the compromised machine.

  1. Distribution: Victims are likely lured into downloading malicious MSI installers from the web, possibly through malvertising or SEO poisoning. These installers contain PowerShell scripts to fetch and execute the main payload.
  2. Execution (T1204.002 - Malicious File): The initial installer or script executes, leading to the installation of the Node.js-based EtherRAT.
  3. C2 Discovery via Blockchain (T1102.002 - Bidirectional Communication): This is the malware's most unique feature. Instead of having a hardcoded C2 address, EtherRAT queries a specific address or smart contract on the Ethereum blockchain. The attacker can update the transaction data at this address to point the malware to a new C2 server. This makes the malware highly resilient, as takedowns of individual C2 servers are trivial to recover from—the attacker simply updates the blockchain record.
  4. Command and Control: Once the C2 address is retrieved, EtherRAT connects to the server and awaits commands, allowing the attacker to execute arbitrary code, steal files, log keystrokes, and perform other malicious actions (T1071 - Application Layer Protocol).

The broader infrastructure discovered by researchers included misconfigured backend servers that exposed the attackers' tools, including a repository of phishing kits and the source code for a

Timeline of Events

1
June 16, 2026
This article was published

MITRE ATT&CK Mitigations

Filter Network Traffic

M1037enterprise

Block or alert on outbound connections to known cryptocurrency blockchain APIs from endpoints that have no legitimate reason to access them.

Execution Prevention

M1038enterprise

Use application control to prevent the execution of unauthorized interpreters like Node.js or scripts like PowerShell on standard user workstations.

User Training

M1017enterprise

Train users to be cautious about downloading and running software from untrusted sources.

Sources & References

Inside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software | Malwarebytes
Malwarebytes (malwarebytes.com)

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

EtherRATMalwareRATBlockchainEthereumC2Node.jsPhishing

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.