VYPR
Research · Published Mar 26, 2026 · Updated May 18, 2026 · 1 source

EtherRAT Malware Hides C2 Infrastructure Inside Ethereum Smart Contracts

Researchers at eSentire have uncovered a new EtherRAT campaign that uses Ethereum smart contracts to store command-and-control addresses, enabling stealthy, low-cost infrastructure rotation.

A novel malware campaign dubbed EtherRAT is leveraging Ethereum smart contracts to conceal its command-and-control (C2) infrastructure, according to a March 25 advisory from eSentire. The Node.js-based backdoor was discovered during a March 2026 incident response investigation in the retail sector, where attackers deployed it after gaining initial access through ClickFix attacks and IT support scams conducted over Microsoft Teams.

The most notable aspect of EtherRAT is its use of EtherHiding, a technique that stores C2 addresses in the storage of an Ethereum smart contract. The contract itself cannot be taken down or seized, while the address it holds is not fixed: the operator can overwrite it at any time with an ordinary transaction, so infrastructure rotation is cheap and immune to conventional takedown. The malware reads the address from the contract through public RPC providers using a read-only eth_call, which creates no transaction and costs nothing, then communicates with the server using traffic shaped to resemble content delivery network requests so that it blends into legitimate web activity.

Once installed, EtherRAT lets attackers execute commands remotely, collect extensive system data, and steal cryptocurrency wallets and cloud credentials. The malware also checks the system's language settings and deletes itself if certain languages of the Commonwealth of Independent States (CIS) region are present, a common sign that the operators are avoiding victims in those countries. Persistence is established through Windows registry keys, and the infection chain runs through multiple stages of encrypted payloads and obfuscated scripts.

eSentire noted that the operators can rotate C2 simply by writing a new address into the smart contract; every previously infected machine picks it up on its next lookup, for no more than the cost of a single transaction. This makes blocking the C2 server's IP address a temporary measure at best, since the bots re-resolve and move on. The researchers also observed a module for detailed system fingerprinting that collects the public IP, CPU/GPU information, OS and hardware identifiers, antivirus software details, and domain/administrator status.
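The two preceding paragraphs describe the lookup and the rotation in prose; the following is an added example, written for this page and not taken from eSentire's advisory or from EtherRAT itself, that shows what the exchange looks like at the wire level. A bot POSTs a read-only eth_call to a public JSON-RPC provider, the provider returns the contract function's ABI-encoded return value, and the bot decodes the string inside it. The contract address, the function selector, the hostnames, and both provider responses are constructed placeholders, so the code runs offline; the "after" response stands in for the same call answered once the operator has rewritten the stored address.

```javascript
// Added example, not EtherRAT's or eSentire's code: the wire-level shape of an
// EtherHiding lookup. Constructed data throughout; nothing here touches the network.

const CONTRACT = '0x' + '11'.repeat(20);   // hypothetical contract address
const SELECTOR = '0x12345678';             // hypothetical 4-byte function selector
                                           // (real code uses the first 4 bytes of keccak256 of the signature)

// JSON-RPC request a bot would POST to the provider. eth_call executes the
// contract function against current state without creating a transaction.
function buildEthCall(contract, selector, id = 1) {
  return {
    jsonrpc: '2.0',
    id,
    method: 'eth_call',
    params: [{ to: contract, data: selector }, 'latest'],
  };
}

function word(n) {                          // one 32-byte ABI word as hex, no 0x prefix
  return n.toString(16).padStart(64, '0');
}

// ABI-encode a single `string` return value: offset word, length word, then the
// UTF-8 bytes right-padded with zeros to a 32-byte boundary. Used here only to
// construct realistic provider responses.
function encodeAbiString(str) {
  const data = Buffer.from(str, 'utf8');
  const pad = (32 - (data.length % 32)) % 32;
  return '0x' + word(32) + word(data.length) + data.toString('hex') + '00'.repeat(pad);
}

// Inverse of the above, with bounds checks so a malformed or hostile response
// cannot make the decoder read outside the payload.
function decodeAbiString(hexResult) {
  const hex = hexResult.startsWith('0x') ? hexResult.slice(2) : hexResult;
  if (hex.length === 0 || hex.length % 64 !== 0) throw new Error('result is not whole 32-byte words');
  const buf = Buffer.from(hex, 'hex');
  const offset = Number(BigInt('0x' + buf.subarray(0, 32).toString('hex')));
  if (offset + 32 > buf.length) throw new Error('offset points outside payload');
  const len = Number(BigInt('0x' + buf.subarray(offset, offset + 32).toString('hex')));
  if (offset + 32 + len > buf.length) throw new Error('declared length exceeds payload');
  return buf.subarray(offset + 32, offset + 32 + len).toString('utf8');
}

// What the bot does with a provider response: surface RPC errors, decode the
// string, and accept it only if it parses as a URL.
function resolveC2(rpcResponseJson) {
  const resp = JSON.parse(rpcResponseJson);
  if (resp.error) throw new Error('RPC error: ' + resp.error.message);
  const url = decodeAbiString(resp.result);
  new URL(url);                             // throws if the decoded bytes are not a URL
  return url;
}

// Constructed provider responses: the same eth_call answered before and after
// the operator overwrites the stored address with one transaction.
const RESPONSE_BEFORE = JSON.stringify({
  jsonrpc: '2.0', id: 1, result: encodeAbiString('https://cdn-assets.example/v1/'),
});
const RESPONSE_AFTER = JSON.stringify({
  jsonrpc: '2.0', id: 2, result: encodeAbiString('https://static-edge.example/v1/'),
});

console.log('request:', JSON.stringify(buildEthCall(CONTRACT, SELECTOR)));
console.log('C2 before rotation:', resolveC2(RESPONSE_BEFORE));
console.log('C2 after rotation: ', resolveC2(RESPONSE_AFTER));
```

The point of the two responses is that nothing on the bot changes between them: the request is byte-for-byte identical, only the contract's storage differs, which is why seizing the old server does not strand the infected hosts. The bounds checks in `decodeAbiString` are what a careful implementation needs on either side, since the provider is an untrusted intermediary for anyone consuming this data.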

The advisory recommends that organizations disable certain Windows utilities, train employees to recognize IT support scams, and consider blocking cryptocurrency RPC providers commonly used by attackers. That last control needs care: browser wallets and legitimate blockchain applications use the same providers, and an operator who loses one provider can move the lookup to another or to a node of their own, so blocking buys time rather than ending the campaign. Alerting on JSON-RPC traffic that originates from processes other than browsers is a more durable complement. The use of blockchain for C2 hiding represents a significant evolution in malware infrastructure, as it leverages the same decentralized properties that make cryptocurrencies attractive to both legitimate users and cybercriminals.
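As an added example of the detection side, not something from eSentire or the advisory, the following scans proxy records for JSON-RPC traffic to Ethereum RPC providers that does not come from a browser, which is how an EtherHiding bot behaves. The log format is a hypothetical JSON-lines proxy export constructed here, and the provider host list is a placeholder that an organization would fill from its own telemetry and vendor indicators; the page itself does not name the providers.

```javascript
// Added detection example, not from eSentire or the advisory. Flags JSON-RPC
// traffic to Ethereum RPC providers from non-browser processes. Log lines and
// hostnames below are constructed placeholders.

const RPC_HOSTS = new Set(['rpc.example-provider.net', 'mainnet.example-rpc.io']); // placeholder list
const EXPECTED_CLIENTS = new Set(['chrome.exe', 'msedge.exe', 'firefox.exe']);    // browsers expected to talk to RPC hosts

function mkAlert(rec, severity, reason) {
  return { ts: rec.ts, host: rec.host, process: rec.process, severity, reason };
}

// One proxy record: { ts, host, method, process, body }. Returns null for
// traffic that is expected, or an alert object for traffic worth a look.
function classifyRecord(rec) {
  if (rec.method !== 'POST' || !RPC_HOSTS.has(rec.host)) return null;
  if (EXPECTED_CLIENTS.has(rec.process.toLowerCase())) return null; // dapp use from a browser is expected

  let body;
  try { body = JSON.parse(rec.body); } catch (e) { return mkAlert(rec, 'medium', 'non-JSON POST to RPC host'); }
  const calls = Array.isArray(body) ? body : [body];         // JSON-RPC allows batches
  const methods = calls.map((c) => c && c.method).filter(Boolean);
  if (methods.length === 0) return null;

  // eth_call against a contract is the lookup primitive EtherHiding relies on.
  const contractRead = calls.some(
    (c) => c && c.method === 'eth_call' && Array.isArray(c.params) && c.params[0] && c.params[0].to,
  );
  if (contractRead) return mkAlert(rec, 'high', `eth_call from non-browser process ${rec.process}`);
  return mkAlert(rec, 'medium', `JSON-RPC ${methods.join(',')} from non-browser process ${rec.process}`);
}

// Scan a JSON-lines export and return the alerts in log order.
function scanLog(text) {
  return text
    .split('\n')
    .filter((l) => l.trim())
    .map((l) => classifyRecord(JSON.parse(l)))
    .filter(Boolean);
}

// Constructed sample log in the hypothetical format.
function rec(ts, host, process, body) {
  return JSON.stringify({ ts, host, method: 'POST', process, body });
}
const ETH_CALL = JSON.stringify({
  jsonrpc: '2.0', id: 1, method: 'eth_call',
  params: [{ to: '0x' + '11'.repeat(20), data: '0x12345678' }, 'latest'],
});
const SAMPLE_LOG = [
  rec('2026-03-10T09:00:01Z', 'rpc.example-provider.net', 'chrome.exe', ETH_CALL),          // browser: expected
  rec('2026-03-10T09:00:07Z', 'rpc.example-provider.net', 'node.exe',   ETH_CALL),          // bot-like: high
  rec('2026-03-10T09:00:09Z', 'mainnet.example-rpc.io',   'node.exe',
      JSON.stringify({ jsonrpc: '2.0', id: 2, method: 'eth_blockNumber', params: [] })),     // non-browser RPC: medium
  rec('2026-03-10T09:00:12Z', 'cdn.example.net',          'node.exe',   '{}'),              // not an RPC host: ignored
  rec('2026-03-10T09:00:15Z', 'rpc.example-provider.net', 'node.exe',   '<html>no</html>'),  // odd body: medium
].join('\n');

for (const a of scanLog(SAMPLE_LOG)) console.log(a.severity.toUpperCase(), a.ts, a.process, a.reason);
```

Process attribution is what makes this rule usable: the same eth_call from a browser is ordinary dapp traffic, while from a script host it has few legitimate explanations. The placeholder host list is the weak point, since a provider not on it is invisible to the rule, so the list has to be maintained from real telemetry rather than a one-off vendor IoC dump.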

This campaign underscores the growing sophistication of threat actors who are adopting novel techniques to evade detection. By embedding C2 addresses in smart contracts, EtherRAT operators can maintain persistent access even if their servers are taken down, simply by updating the contract. As blockchain technology becomes more integrated into mainstream applications, security teams must adapt their defenses to account for these new attack vectors.

Synthesized by Vypr AI