{"id":4977,"date":"2026-03-26T16:36:48","date_gmt":"2026-03-26T16:36:48","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/03\/26\/etherrat-techniques-bypass-security-via-ethereum-smart-contracts\/"},"modified":"2026-03-26T16:36:48","modified_gmt":"2026-03-26T16:36:48","slug":"etherrat-techniques-bypass-security-via-ethereum-smart-contracts","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/26\/etherrat-techniques-bypass-security-via-ethereum-smart-contracts\/","title":{"rendered":"EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new EtherRAT malware campaign using Ethereum smart contracts to hide command-and-control (C2) infrastructure has been identified by researchers.<\/p>\n<p>According to a new advisory published by eSentire on March 25, the activity was observed during a March 2026 incident response investigation in the retail sector, where adversaries deployed a Node.js\u2011based backdoor after gaining initial access.<\/p>\n<p>The researchers found the malware enables attackers to execute commands remotely, collect extensive system data and steal cryptocurrency wallets and cloud credentials.<\/p>\n<p>The most notable development is the use of a technique known as EtherHiding, which stores C2 addresses inside Ethereum smart contracts, allowing operators to rotate infrastructure cheaply and avoid traditional takedown efforts.<\/p>\n<h2><strong>Ethereum Smart Contracts Used For Command Infrastructure<\/strong><\/h2>\n<p>Investigators observed several methods used to gain initial access, including ClickFix attacks and IT support scams conducted over Microsoft Teams, followed by QuickAssist remote access.<\/p>\n<p>In the ClickFix case, attackers used indirect command execution to launch a malicious script through Windows utilities, bypassing security 
restrictions.<\/p>\n<p>The infection chain involved multiple stages, including encrypted payloads and obfuscated scripts that ultimately deployed EtherRAT and established persistence through Windows registry keys.<\/p>\n<p>Once installed, EtherRAT retrieved its C2 addresses by reading them from Ethereum smart contracts through public RPC providers, so the lookup traffic went to legitimate third-party endpoints rather than to attacker-owned domains. The malware then communicated with the C2 server using traffic designed to resemble normal content delivery network requests, helping it blend into legitimate network activity.<\/p>\n<p>eSentire said attackers could update C2 addresses by writing new data to the smart contract, so one contract update redirects previously infected machines to new servers at minimal cost and without redeploying the malware.<\/p>\n<h2><strong>System Fingerprinting and Data Collection<\/strong><\/h2>\n<p>After connecting to its command server, the malware deployed a module that collected detailed system information used for target profiling. This included:<\/p>\n<ul>\n<li>\n<p>Public IP address<\/p>\n<\/li>\n<li>\n<p>CPU and GPU information<\/p>\n<\/li>\n<li>\n<p>Operating system and hardware identifiers<\/p>\n<\/li>\n<li>\n<p>Antivirus software details<\/p>\n<\/li>\n<li>\n<p>Domain and administrator status<\/p>\n<\/li>\n<\/ul>\n<p>The malware also checked the system language settings and deleted itself if certain CIS (Commonwealth of Independent States) region languages were detected, a kill switch commonly seen in malware that avoids infecting hosts in those countries.<\/p>\n<p>The report concluded that organizations should disable certain Windows utilities, train employees to recognize IT support scams and consider blocking cryptocurrency RPC providers commonly used by attackers.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new EtherRAT malware campaign using Ethereum smart contracts to hide command-and-control (C2) infrastructure has been identified by researchers. 
According to a new advisory published by eSentire on March 25, the activity was observed during a March 2026 incident response investigation in the retail sector, where adversaries deployed a Node.js\u2011based backdoor after gaining initial access.<\/p>\n","protected":false},"author":2,"featured_media":4978,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4977","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca6e469b-33c8-4162-b461-a9f3071d3d2e.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4977-ca
6e469b-33c8-4162-b461-a9f3071d3d2e-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4977"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4977\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4978"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
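The two technical points in the article above, the EtherHiding lookup that turns on-chain contract data into a C2 address and the recommendation to watch or block cryptocurrency RPC providers, are easier to reason about with working code. The block below is an added example and is not code from eSentire's advisory or from EtherRAT itself. Part 1 builds the read-only `eth_call` request a loader would send to a public RPC node and ABI-decodes the `string` the contract getter returns; part 2 runs a detection check over egress-proxy records and flags Ethereum JSON-RPC reads issued by non-browser processes. The contract address, getter selector, hostnames, C2 URL and log records are all constructed for illustration.

```python
"""Added example, not code from eSentire's advisory or from EtherRAT itself.

Part 1 shows the mechanics of EtherHiding: a read-only eth_call to a contract
getter and ABI decoding of the returned string, which is how a loader turns
on-chain data into a C2 address. Part 2 is the defender's side: a check over
egress-proxy records that flags Ethereum JSON-RPC reads issued by processes
that are not browsers. Contract address, selector, hostnames and log records
are all constructed here for illustration.
"""
import json

# ---- Part 1: resolving a C2 address from a contract getter -----------------

def build_eth_call(contract: str, selector_hex: str) -> dict:
    """JSON-RPC request for a read-only call. `contract` and `selector_hex`
    (the 4-byte function selector of the getter) are hypothetical values."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector_hex}, "latest"],
    }

def encode_abi_string(value: str) -> str:
    """ABI-encode a single `string` return value: 32-byte offset (always 32
    for one dynamic value), 32-byte length, then the bytes right-padded to a
    multiple of 32. Used only to construct the sample RPC response."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + ((32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded).hex()

def decode_abi_string(result_hex: str) -> str:
    """Inverse of encode_abi_string, with bounds checks so a malformed node
    response cannot make the decoder read past the payload."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for a dynamic string return")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the payload")
    return raw[start:start + length].decode("utf-8")

# Constructed: the contract, its getter selector, and what a public RPC node
# would answer. The URL is shaped like a CDN asset, as the article describes.
CONTRACT = "0x" + "11" * 20          # hypothetical contract address
GETTER_SELECTOR = "0x20965255"       # hypothetical 4-byte selector
SAMPLE_C2 = "https://cdn-assets.example/static/app.js"
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string(SAMPLE_C2)}

def resolve_c2(response: dict) -> str:
    """What the loader does with the eth_call reply."""
    return decode_abi_string(response["result"])

# ---- Part 2: flagging on-chain lookups in egress-proxy records -------------

# Constructed proxy records, one JSON object per line: process, destination
# host, HTTP method and the request body as the proxy captured it.
SAMPLE_LOGS = [
    json.dumps({"proc": "chrome.exe", "host": "shop.example", "method": "GET", "body": ""}),
    json.dumps({"proc": "node.exe", "host": "rpc.example-provider.net", "method": "POST",
                "body": json.dumps(build_eth_call(CONTRACT, GETTER_SELECTOR))}),
    json.dumps({"proc": "wscript.exe", "host": "rpc.example-provider.net", "method": "POST",
                "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_getStorageAt",
                                    "params": [CONTRACT, "0x0", "latest"]})}),
    json.dumps({"proc": "node.exe", "host": "registry.npmjs.org", "method": "GET", "body": ""}),
    json.dumps({"proc": "node.exe", "host": "rpc.example-provider.net", "method": "POST",
                "body": "not json"}),
]

# Read-only methods a loader would use to fetch configuration from a contract.
RPC_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def flag_rpc_lookups(log_lines):
    """Return (process, host, rpc_method) for every Ethereum JSON-RPC read
    issued by a non-browser process. Bodies that are not JSON are skipped."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("proc", "").lower() in BROWSERS:
            continue
        try:
            body = json.loads(rec.get("body") or "")
        except json.JSONDecodeError:
            continue
        if isinstance(body, dict) and body.get("jsonrpc") == "2.0" \
                and body.get("method") in RPC_READ_METHODS:
            hits.append((rec["proc"], rec["host"], body["method"]))
    return hits

if __name__ == "__main__":
    print("loader would connect to:", resolve_c2(SAMPLE_RESPONSE))
    for hit in flag_rpc_lookups(SAMPLE_LOGS):
        print("suspicious on-chain lookup:", hit)
```

The detection side matches on the JSON-RPC body rather than on a list of provider hostnames, because the article's point is that operators can rotate providers and contracts cheaply; a hostname blocklist alone lags behind. Legitimate wallet and developer tooling also issues `eth_call`, so in production the process allowlist (here only browsers) needs tuning per environment, and the check requires a proxy that records request bodies for TLS-inspected traffic.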