www.infosecurity-magazine.com 3/26/2026, 3:32:00 PM · via preferred

EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts

EtherRAT is a Node.js-based backdoor that hides its command-and-control (C2) infrastructure behind Ethereum smart contracts, a technique known as EtherHiding. According to an advisory published by eSentire on 25 March 2026, the malware was observed during a March 2026 incident response engagement in the retail sector, where adversaries deployed it after gaining initial access.

Investigators found that the malware can execute commands remotely, collect extensive system data, and steal cryptocurrency wallets and cloud credentials. Its C2 addresses are not hard-coded: the implant reads them from Ethereum smart contracts by querying public RPC providers, which lets the operators change the C2 on-chain without touching the implant and makes the lookup traffic look like ordinary blockchain API usage. The infection chain began with ClickFix lures and IT-support scams conducted over Microsoft Teams, followed by remote access through Microsoft Quick Assist; EtherRAT was then deployed and established persistence through Windows registry keys.

Once connected to its C2, the malware collected detailed host information, including the public IP address, CPU and GPU details, OS and hardware identifiers, installed antivirus products, and domain membership and admin status. It also checked the system language settings and deleted itself if certain CIS (Commonwealth of Independent States) languages were detected, a check typically used to avoid infecting machines in those countries.


Article by CyberSIXT
