EtherRAT: DPRK-Linked Vishing Campaign Abuses Microsoft Teams and Ethereum Smart Contracts to Deliver Blockchain-Resilient Node.js RAT — Threadlinqs Intelligence
Threat ID: TL-2026-1191 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: DPRK-linked (Lazarus Group · North Korea · ESPIONAGE
Attackers impersonate IT helpdesk staff via 'Employee Survey' phishing emails followed by unsolicited external Microsoft Teams voice calls, socially engineering victims into installing legitimate
EtherRAT is a cross-platform (Windows/Linux/macOS) remote access trojan written entirely in Node.js, first identified by Palo Alto Networks Unit 42 and further profiled by Sysdig, Malwarebytes, and eSentire between April and July 2026. The malware's defining innovation is EtherHiding: rather than embedding a hardcoded C2 domain or IP, EtherRAT queries a public Ethereum smart contract through nine independent public RPC providers (e.g., eth.llamarpc.com, rpc.flashbots.net, ethereum-rpc.publicnode.com, eth.drpc.org, eth.merkle.io) in parallel and adopts the majority-consensus response as its live C2 address. Operators rotate infrastructure by issuing a new blockchain transaction to the contract at negligible cost, making conventional domain/IP takedown largely ineffective against the campaign's resilience.
In the July 2026 wave documented by Unit 42/The Register/BleepingComputer, initial access begins with a phishing email using an 'Employee Survey' lure containing a malicious PDF attachment. Shortly after the victim opens the document, an external Microsoft Teams account (observed as helpdesk@Progressive936.onmicrosoft[.]com) initiates an unsolicited voice call impersonating a 'System Administrator' from internal IT. Despite Teams displaying an 'External unfamiliar' label on the caller, victims are frequently convinced to grant remote control via Teams' built-in screen-sharing/control feature. The caller then walks the victim through installing legitimate remote-management software (HopToDesk and/or AnyDesk) as a persistence and access bridge, and subsequently directs the victim to download and execute a malicious MSI installer (observed as v7.msi, part of a versioned family v1-v10) staged at camorreado[.]click. The MSI acts purely as a loader: it silently fetches a legitimate, unmodified Node.js v20.10.0 runtime from nodejs.org, drops an AES-256-CBC-encrypted payload plus an obfuscated JavaScript dropper, decrypts the payload in memory, and launches EtherRAT under the legitimate Node.js interpreter, evading binary-signature-based detection.
A related, earlier distribution vector (documented by The Hacker News, active December 2025-April 2026) used 44 separate GitHub 'facade' repositories, each SEO-optimized to rank for and impersonate a specific high-privilege Windows administrative/developer tool (PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer, WinDbg, etc.), deliberately targeting administrators and high-privilege accounts rather than standard users. A hidden link in each facade repo redirected to a secondary repository hosting the actual malicious MSI. This variant of the loader follows a four-stage architecture: Stage 0 batch-script dropper, Stage 1 in-memory decryption loader, Stage 2 registry Run-key persistence, Stage 3 full RAT with CDN-mimicking beacon traffic.
Once running, EtherRAT first executes a SYS_INFO reconnaissance module that performs comprehensive host fingerprinting (public IP via ipify.org, CPU model, username, hostname, OS platform/release/architecture, RAM, uptime, MAC address, GPU, installed antivirus products via WMI, Active Directory domain membership, and local-administrator status) before deciding whether to proceed. The module includes a CIS-language self-destruct check: if Russian, Belarusian, Kazakh, Kyrgyz, Tajik, Uzbek, Armenian, Azerbaijani, or Georgian language settings are detected on the host, EtherRAT deletes itself and exits, a common anti-analysis/anti-targeting pattern associated with DPRK- and CIS-region-aligned operators avoiding 'home turf' infections.
Command execution is implemented via the JavaScript AsyncFunction constructor, giving the C2-supplied code full access to Node.js primitives (require, process, Buffer, child_process) and effectively arbitrary remote code execution with the privileges of the logged-in user. EtherRAT establishes persistence redundantly across up to five independent mechanisms on Linux/macOS targets (systemd user services, XDG autostart entries, cron j
Weaknesses (CWE)
CWE-1021, CWE-494, CWE-829
Target sectors: technology, finance, health, government administration, professionalservices
Target regions: North America, Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 30 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
MALWARE, HIGH, threat intelligence, cybersecurity, T1589, T1587.001, T1583.006, T1586.003, T1566.001, T1566.004, T1199, T1204.002, T1059.007, T1059.004