Severity: CRITICAL | CVSS: 9.5 | Priority: 0.788
Executive Summary
An active campaign is deploying a JavaScript remote access trojan that impersonates 44 widely used administrative tools, targeting enterprise administrators, DevOps engineers, and security analysts through poisoned search results. The malware uses Ethereum blockchain infrastructure to resolve its command-and-control server, making traditional domain-blocking and law enforcement takedown ineffective. Every successful infection lands on a privileged account, creating immediate risk of lateral movement, credential theft, and enterprise-wide compromise.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: CRITICAL. Critical severity — immediate action required.
Actor Attribution: HIGH. EtherRAT operator (unattributed), KISA/KrCERT tracked threat actor (unattributed).
TTP Sophistication: HIGH. 19 MITRE ATT&CK techniques identified.
Detection Difficulty: HIGH. Multiple evasion techniques observed.
Target Scope: INFO. Windows administrative tools (PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer, ProcDump, Autoruns, Process Explorer, Process Monitor, TCPView, RAMMap, WinDbg, DebugView, BgInfo, Disk2vhd, Windows ADK, RSAT, IIS Crypto, Dameware, SecureCRT, SuperPuTTY, ScreenConnect, Bitvise SSH Client, TeraTerm, FSLogix, AppLocker, PRTG Network Monitor, Beyond Compare, KDiff3, VMware Tools, and others); GitHub platform; Ethereum RPC infrastructure; Node.js runtime.
Are You Exposed?
⚠ Your industry is targeted by EtherRAT operator (unattributed), KISA/KrCERT tracked threat actor (unattributed) → Heightened risk
⚠ You use products/services from Windows administrative tools (PsExec and the other tools listed under Target Scope) → Assess exposure
⚠ 19 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
This campaign specifically hunts the people who hold the keys to your enterprise — system administrators, security analysts, and DevOps engineers — meaning a single successful infection can give attackers privileged access to credentials, internal systems, and sensitive data across the organization. The blockchain-based command infrastructure cannot be blocked by the standard controls most organizations rely on, so conventional defenses will not stop an active infection once it is present. Depending on what the compromised administrator accounts can access, the downstream exposure includes regulatory breach notification obligations, operational disruption from lateral movement, and potential data exfiltration affecting customers or partners.
You Are Affected If
Your administrators, DevOps engineers, or security analysts use internet search to find and download tools such as PsExec, AzCopy, Sysmon, LAPS, ProcDump, RSAT, or any of the 44 impersonated utilities rather than pulling from a pre-approved internal repository
Node.js is installed or can be installed on administrative workstations without restriction
Outbound connections from endpoints to Ethereum RPC providers (infura.io, cloudflare-eth.com, or equivalent) are not blocked or alerted on at the network perimeter
Application allowlisting (AppLocker, WDAC) is not enforced on privileged workstations, allowing unsigned scripts and executables to run
GitHub is accessible from administrative systems without content inspection or domain allowlisting policies that distinguish verified organizational repos from arbitrary public repositories
Board Talking Points
Attackers are specifically targeting the IT and security staff who have the highest system access in our organization, using fake versions of tools those staff members search for and download routinely.
We recommend immediately restricting how administrative tools are sourced and blocking outbound connections to blockchain infrastructure on non-developer systems — actions that can be implemented within 48 hours.
Without these controls, a single download by one administrator could give attackers a foothold that conventional security tools cannot detect or block through standard domain-blocking measures.
Technical Analysis
EtherRAT is a JavaScript-based RAT distributed through a dual-stage GitHub distribution chain and SEO-poisoned search results.
The campaign impersonates 44 legitimate Windows administrative tools including PsExec, AzCopy, Sysmon, LAPS, ProcDump, RSAT, and others commonly used by IT and security staff.
Victims are lured via typosquatted or cloned GitHub repositories and fake download pages that serve trojanized Node.js packages or scripts.
Post-execution, the malware queries an Ethereum smart contract via RPC calls to resolve its current C2 address, a technique related to EtherHiding that bypasses DNS-based detection and domain takedown. Because the C2 pointer lives on the blockchain, it cannot be disrupted by sinkholing or registrar action. Relevant CWEs: CWE-829 (inclusion of functionality from untrusted control sphere), CWE-693 (protection mechanism failure), CWE-494 (download of code without integrity check). MITRE coverage includes T1568 (dynamic resolution), T1102/T1102.002 (web service C2), T1036/T1036.005 (masquerading), T1059.007 (JavaScript execution), T1204.002 (malicious file execution), T1608.001/T1608.004 (staged capabilities via GitHub), T1078.002 (valid privileged accounts post-compromise), T1021 (lateral movement), T1027 (obfuscation), T1071/T1071.001 (application layer protocol), T1195/T1195.002 (supply chain compromise). No CVE has been assigned, and no vendor patch applies: the malware exploits trust in legitimate platforms, not a software vulnerability. Tracked by Atos Threat Research Center; parallel tracking by KISA/KrCERT. Threat actors remain unattributed.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate immediately to CISO, legal counsel, and external IR retainer if any compromised administrator account has Active Directory Domain Admin, Azure Global Administrator, or equivalent cloud tenant admin privileges; if evidence exists of lateral movement (Event ID 4648 or 4624 Type 3 logons from the compromised host to additional systems); or if regulated data (PII, PHI, PCI-scoped cardholder data) was accessible to the compromised account, triggering breach notification obligations under GDPR (72-hour), HIPAA, or applicable state breach notification laws.
Step 1: Containment — Block outbound connections to Ethereum JSON-RPC providers (infura.io, cloudflare-eth.com, eth.llamarpc.com, ankr.com) and deny TCP ports 8545/8546 from all non-developer endpoints at the perimeter firewall and host-based firewall. Alert on any policy exception requests. (Cite: NIST AC-4 — Information Flow Enforcement / CIS 4.4 — Implement and Manage a Firewall on Servers / CIS 4.5 — Implement and Manage a Firewall on End-User Devices / D3-PBWSAM — Proxy-based Web Server Access Mediation)
IR Detail (Containment)
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST SI-4 (System Monitoring)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
On Windows endpoints without EDR: run 'netstat -ano | findstr ":8545 :8546"' to identify active JSON-RPC sessions. Deploy a Windows Firewall GPO rule blocking outbound TCP 8545/8546 enterprise-wide immediately. For DNS-layer blocking of infura.io, cloudflare-eth.com, eth.llamarpc.com without a commercial DNS filter, add entries to the enterprise DNS server's response policy zone (RPZ) or, for standalone systems, push a hosts file entry via GPO mapping these domains to 0.0.0.0. Use Wireshark or Windows built-in 'netsh trace start capture=yes' on suspected hosts to capture JSON-RPC POST bodies containing 'eth_call' or 'eth_getLogs' method strings as confirmation of active C2 beacon activity.
Preserve Evidence
Before implementing blocks, capture full packet captures (PCAPs) of outbound HTTPS traffic to Ethereum RPC providers — specifically look for HTTP POST bodies to /v3/ endpoints on infura.io or mainnet.infura.io containing JSON-RPC payloads with 'method':'eth_call' or 'method':'eth_getLogs'; these calls are how EtherRAT retrieves its C2 server address from a smart contract. Export DNS query logs showing resolution of infura.io, cloudflare-eth.com, or eth.llamarpc.com from administrative workstations. Preserve Windows Firewall logs (C:\Windows\System32\LogFiles\Firewall\pfirewall.log) showing destination IPs and ports prior to rule enforcement. Timestamp all captures — the blockchain query sequence immediately precedes C2 callback and establishes the causal chain for forensic reporting.
Step 2: Detection — Query EDR and audit logs for: (1) node.exe spawned from Downloads, Temp, or AppData on systems without an approved Node.js business justification; (2) GitHub ZIP or clone activity for any of the 44 impersonated tool names followed within minutes by JavaScript execution; (3) outbound HTTPS from non-developer hosts containing JSON-RPC method strings (eth_call, eth_getLogs); (4) Windows Event ID 4698 (scheduled task created) or 7045 (new service installed) generated by node.exe, wscript.exe, or cscript.exe; (5) files named identically to Sysinternals or Microsoft admin tools located outside expected installation paths. Correlate process lineage showing browser spawning a downloaded executable that then spawns node.exe. (Cite: NIST AU-2 — Event Logging / NIST AU-3 — Content Of Audit Records / NIST AU-6 — Audit Record Review, Analysis, And Reporting / NIST AU-12 — Audit Record Generation / CIS 8.2 — Collect Audit Logs / D3-SFA — System File Analysis / D3-LAM — Local Account Monitoring / D3-SICA — System Init Config Analysis)
IR Detail (Detection & Analysis)
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-2 (Event Logging)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without EDR, deploy Sysmon with a config that captures Event ID 1 (Process Create) filtering on Image paths containing 'node.exe' with ParentImage in '%USERPROFILE%\Downloads', '%TEMP%', or '%APPDATA%'; and Event ID 11 (File Create) for .js files created in those directories. Use the following PowerShell one-liner to scan all endpoints for suspicious scheduled tasks created by node.exe or wscript.exe: 'Get-ScheduledTask | Where-Object {$_.Actions.Execute -match "node|wscript|cscript"} | Select-Object TaskName, TaskPath, @{N="Execute";E={$_.Actions.Execute}} | Export-Csv tasks_audit.csv'. For GitHub ZIP download correlation, query proxy logs (Squid, BlueCoat, or Windows IIS proxy) for GET requests to codeload.github.com/*/zip/* where the repository name matches any of the 44 impersonated tool names (PsExec, AzCopy, Sysmon, LAPS, etc.) followed within a 5-minute window by outbound HTTPS to an Ethereum RPC provider from the same source IP. Write a Sigma rule detecting this exact sequence: parent_process=browser OR download_manager → child_process=node.exe → network_destination=infura.io|cloudflare-eth.com.
Preserve Evidence
Pull Windows Security Event Log Event ID 4688 (Process Creation) with command-line logging enabled, filtering on 'node.exe' spawned from non-standard paths such as C:\Users\*\Downloads\*, C:\Users\*\AppData\Local\Temp\*, or any path containing a tool name from the 44 impersonated list (e.g., 'PsExec', 'AzCopy', 'Sysmon'). Collect Sysmon Event ID 3 (Network Connection) records where the Image field is node.exe and the DestinationHostname resolves to any Ethereum RPC provider. Export browser download history (Chrome: C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History; Edge: C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History) to correlate SEO-poisoned search result clicks with subsequent downloads. Collect Windows Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational, Event ID 106 — Task Registered, Event ID 200 — Task Started) and filter for tasks registered within the same time window as node.exe execution. Capture the contents of %APPDATA%\npm, %APPDATA%\node_modules, and any package.json files found in download directories, as these will reveal the trojanized package structure.
Step 3: Eradication — Remove all identified trojanized tool installations. Verify cryptographic hashes of all 44 impersonated tools against official vendor sources (Microsoft Sysinternals, Microsoft Azure, vendor download pages) before reinstating. Cross-reference installed software against the authorized software inventory and remove any entry not present in it. Disable and delete all persistence mechanisms (scheduled tasks, services) created by the malware. Revoke and rotate credentials immediately for any administrator account that executed unverified tools. Quarantine affected systems. (Cite: NIST AC-2 — Account Management / NIST AC-6 — Least Privilege / CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / D3-CRO — Credential Rotation / D3-FMBV — File Magic Byte Verification / D3-SICA — System Init Config Analysis)
IR Detail (Eradication)
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AC-2 (Account Management)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.3 (Address Unauthorized Software)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For hash verification of all 44 impersonated tools without a dedicated file integrity tool: use PowerShell 'Get-FileHash -Algorithm SHA256 <filepath>' against every installed instance and compare against hashes published on Microsoft Sysinternals (https://learn.microsoft.com/en-us/sysinternals/), Microsoft Azure documentation, and individual vendor download pages. Script this at scale with: 'Get-ChildItem -Path C:\ -Recurse -Include psexec.exe,azcopy.exe,sysmon.exe,procdump.exe,autoruns.exe -ErrorAction SilentlyContinue | ForEach-Object { [PSCustomObject]@{Path=$_.FullName; Hash=(Get-FileHash $_.FullName -Algorithm SHA256).Hash} } | Export-Csv hash_audit.csv'. For credential revocation without a PAM tool: use Active Directory PowerShell module to force password reset ('Set-ADAccountPassword -Reset') and disable accounts pending reissuance for all admin accounts confirmed on affected systems. Remove trojanized scheduled tasks with 'schtasks /delete /tn <TaskName> /f' and audit residual registry run keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run for node.exe or wscript.exe entries.
Preserve Evidence
Before removing any persistence mechanisms, capture complete registry exports of HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, and HKLM\SYSTEM\CurrentControlSet\Services for any service entries pointing to node.exe or JavaScript files. Export the full scheduled task XML for every task identified as malicious using 'schtasks /query /fo XML /tn <TaskName>'. Image or copy the trojanized tool directory (the full folder as downloaded from the fake GitHub repository) before deletion — this preserves the package.json, the malicious .js payload file, and any embedded Ethereum smart contract ABI or wallet address hardcoded for C2 resolution. Collect Windows Security Event Log Event ID 4720 (User Account Created), 4728/4732/4756 (Member Added to Security Group), and 4648 (Logon with Explicit Credentials) for the period following confirmed node.exe execution to identify any accounts created or elevated by the RAT during its access window.
Step 4: Recovery — Re-image compromised endpoints rather than performing in-place cleanup, given privileged account targeting and lateral movement risk. Reissue all credentials for accounts confirmed or suspected to have run on compromised systems. Restore from known-good backups only after confirming file system integrity. Monitor reinstated systems for 30 days for recurrence of Ethereum RPC outbound traffic or anomalous JavaScript execution. Retain audit records from the incident to support after-action analysis. (Cite: NIST AU-11 — Audit Record Retention / NIST AU-9 — Protection Of Audit Information / CIS 5.1 — Establish and Maintain an Inventory of Accounts / CIS 6.2 — Establish an Access Revoking Process / D3-CRO — Credential Rotation / D3-CH — Credential Hardening)
IR Detail (Recovery)
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST CP-10 (System Recovery and Reconstitution)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AC-2 (Account Management)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 5.2 (Use Unique Passwords)
CIS 7.3 (Perform Automated Operating System Patch Management)
Compensating Control
For a 2-person team without automated imaging infrastructure: prioritize re-imaging administrative workstations first, given EtherRAT's explicit targeting of administrator, DevOps, and security analyst accounts; a compromised privileged endpoint represents the highest lateral movement risk. Use Windows Deployment Services (WDS) or a pre-staged WinPE USB with a known-good base image. Before reinstating any account, verify Active Directory group memberships were not modified during the compromise window by running 'Get-ADGroupMember -Identity "Domain Admins" -Recursive' and comparing against a pre-incident baseline. For 30-day post-recovery monitoring without EDR: deploy Sysmon on reinstated systems and forward Event ID 1 (Process Create for node.exe) and Event ID 3 (Network Connection to Ethereum RPC destinations) to a central Windows Event Forwarding (WEF) collector using a free subscription. Use osquery with a scheduled query, run every 15 minutes, that checks for node.exe in non-standard paths: SELECT pid, name, path, cmdline FROM processes WHERE name = 'node.exe' AND path NOT LIKE 'C:\Program Files\nodejs\%' (LIKE treats the backslash literally unless an ESCAPE clause is given, so the path pattern uses single backslashes).
Preserve Evidence
Before re-imaging, acquire a full forensic disk image using FTK Imager (free) or 'dd' via WinPE to preserve all file system artifacts for post-incident analysis — this is critical because EtherRAT's JavaScript payload and the Ethereum smart contract address used for C2 resolution are forensic evidence needed to track campaign infrastructure. Capture a memory dump using ProcDump ('procdump.exe -ma -o node.exe <PID>') for any running node.exe processes before shutdown, as the decrypted C2 address resolved from the blockchain will be present in heap memory and is not recoverable post-process-termination. Document all account SIDs present in the NTUSER.DAT hive of the compromised profile (accessible via Registry Editor or 'reg export HKEY_USERS') to ensure complete coverage of accounts requiring credential rotation, including cached credentials for cloud services like Azure (AzCopy tokens) that may have been accessible to the RAT.
Step 5: Post-Incident — Enforce a verified software sourcing policy: all administrative tools must be downloaded from official vendor sites with hash verification before execution, and Node.js must be removed or blocked from administrative workstations without a documented business justification via the software inventory. Enforce application allowlisting to prevent unsigned or unrecognized JavaScript and Node.js execution on administrative workstations. Require MFA on all administrative accounts. Conduct targeted awareness training for IT and security staff on SEO-poisoning tactics specific to tool-name search queries and typosquatted GitHub repositories. Review and harden automated GitHub download pipelines against unverified repository sources. (Cite: NIST AC-6 — Least Privilege / NIST AU-13 — Monitoring For Information Disclosure / CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.2 — Ensure Authorized Software is Currently Supported / CIS 4.6 — Securely Manage Enterprise Assets and Software / CIS 5.4 — Restrict Administrator Privileges to Dedicated Administrator Accounts / CIS 6.5 — Require MFA for Administrative Access / D3-MFA — Multi-factor Authentication / D3-UAP — User Account Permissions / D3-EBWSAM — Endpoint-based Web Server Access Mediation)
IR Detail (Post-Incident)
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-7 (Least Functionality)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 2.3 (Address Unauthorized Software)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
For AppLocker enforcement targeting EtherRAT's specific delivery mechanism: create an AppLocker Executable Rule blocking node.exe execution from the Downloads, Temp, and AppData directories of every user profile while allowing it only from C:\Program Files\nodejs\ if Node.js is a legitimate business tool (AppLocker path rules do not expand %USERPROFILE%, %TEMP%, or %APPDATA%; express these paths as %OSDRIVE%\Users\*\Downloads\*, %OSDRIVE%\Users\*\AppData\Local\Temp\*, and %OSDRIVE%\Users\*\AppData\*); separately, create a Script Rule blocking .js file execution by wscript.exe or cscript.exe system-wide on administrative workstations via GPO (Computer Configuration → Windows Settings → Security Settings → Application Control Policies). For GitHub workflow auditing without a commercial SAST tool: run 'grep -r "github.com" .github/workflows/ Makefile Jenkinsfile *.sh *.ps1' across all CI/CD repositories to identify any pipeline steps cloning or downloading from GitHub without pinned commit SHAs or hash verification. For SEO-poisoning awareness training, build a tabletop exercise specifically using the 44 tool names from this campaign: have staff demonstrate how they would download PsExec or AzCopy and verify it is authentic before running it, using only the Microsoft Sysinternals page or official Azure documentation as the source.
Preserve Evidence
For the lessons-learned record, document the exact GitHub repository URLs and account names used in this campaign (if identified during investigation) so they can be submitted to GitHub Trust & Safety for takedown and added to threat intelligence platforms as indicators. Preserve the Ethereum smart contract address used for C2 resolution — this is a permanent, immutable blockchain record that can be queried indefinitely via Etherscan to track future campaign activity; record the contract address and the specific function call or event log the malware used to retrieve the C2 IP. Compile a diff of all scheduled tasks, services, and registry run keys present on affected systems versus a clean baseline image — this delta is the definitive persistence artifact inventory for this campaign and should be converted into a YARA rule targeting the task names or service descriptions used by EtherRAT for use in future threat hunting.
Recovery Guidance
Re-image all confirmed-compromised administrative workstations from a known-good baseline image rather than attempting remediation in place — EtherRAT's JavaScript payload executing under a privileged account context makes it impossible to rule out secondary persistence mechanisms without a clean rebuild. After reissuing all credentials, specifically verify that Azure service principals, AzCopy SAS tokens, and any API keys accessible from the compromised session have been rotated, as these are high-value targets for a RAT specifically impersonating Azure tooling like AzCopy. Monitor all reinstated systems for 30 days using Sysmon Event ID 1 and 3 alerts scoped to node.exe and Ethereum RPC destinations, and query the identified smart contract address on Etherscan weekly to detect any infrastructure updates the threat actor pushes to the same contract.
Key Forensic Artifacts
Ethereum smart contract address and JSON-RPC call logs — the specific contract address hardcoded in the EtherRAT JavaScript payload, recoverable from the malicious .js file in the download directory and from heap memory of a running node.exe process; query this address on Etherscan to retrieve the C2 IP the contract returned, providing permanent campaign infrastructure attribution
GitHub repository download artifacts — browser history entries (Chrome: C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History; Edge equivalent path) showing navigation to a fake GitHub repository page for one of the 44 impersonated tools, plus the downloaded ZIP or cloned directory in %USERPROFILE%\Downloads\ containing package.json and the malicious JavaScript entry point
Sysmon Event ID 1 (Process Create) and Event ID 3 (Network Connection) records — node.exe process creation events showing parent process (browser or file explorer), full command line, working directory in a non-standard path, and subsequent network connection events to infura.io, cloudflare-eth.com, or eth.llamarpc.com with destination port 443
Scheduled task and service persistence XML — full XML export of any scheduled tasks or Windows services registered by node.exe or wscript.exe, captured from Task Scheduler operational log (Event ID 106) and the registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ and HKLM\SYSTEM\CurrentControlSet\Services\
Active Directory authentication logs for the compromised privileged account — Windows Security Event Log Event ID 4624 (Successful Logon), 4648 (Logon with Explicit Credentials), and 4728/4732/4756 (Group Membership Changes) scoped to the administrator account that executed the trojanized tool, covering the window from first node.exe execution forward, to establish the full lateral movement and privilege escalation timeline
Detection Guidance
Ground all detection in NIST AU-2 (Event Logging) and AU-12 (Audit Record Generation): ensure the following event types are explicitly defined in your logging policy and are generating records across all administrative endpoints — process creation with full command-line arguments, network connection events, scheduled task creation (Windows Event ID 4698), and service installation (Windows Event ID 7045).
Primary behavioral indicators (AU-3 — Content Of Audit Records must capture who, what, when, where for each):
— node.exe or wscript.exe spawning from user-writable paths (Downloads, Temp, AppData) on endpoints where Node.js is not in the authorized software inventory (CIS 2.1).
Flag immediately; these systems have no approved Node.js business purpose.
— Outbound HTTPS connections to Ethereum JSON-RPC providers (infura.io, cloudflare-eth.com, eth.llamarpc.com, ankr.com) or any host on TCP 8545/8546 from non-developer endpoints.
Inspect proxy logs (D3-PBWSAM) for JSON request bodies containing eth_call or eth_getLogs method strings.
— Process lineage pattern: browser process → downloaded executable matching an impersonated tool name → node.exe child process. Correlate using AU-3-compliant records that capture parent-child process relationships.
— Windows Event ID 4698 or 7045 where the creating process is node.exe, wscript.exe, or cscript.exe. Apply D3-SICA (System Init Config Analysis) to evaluate all new scheduled task and service startup configurations against a known-good baseline.
Secondary behavioral indicators:
— Files named identically to any of the 44 impersonated tools (PsExec.exe, AzCopy.exe, Sysmon.exe, ProcDump.exe, RAMMap.exe, WinDbg.exe, etc.) located outside expected installation paths. Apply D3-FMBV (File Magic Byte Verification) to confirm file type matches the declared extension — trojanized packages may present as executables wrapping JavaScript payloads.
— Apply D3-SFA (System File Analysis) to detect modification of scheduled task XML files, service registry keys, or startup configuration files by unexpected processes.
— GitHub repository clone or ZIP download activity for tool names matching the impersonated list, followed within a short interval (minutes) by JavaScript execution on the same host. Correlate proxy logs with process creation logs using AU-8 (Time Stamps) to establish sequence.
— Apply D3-LAM (Local Account Monitoring) to flag any local account privilege escalation or new local account creation occurring within the same session window as node.exe execution from a non-standard path.
AU-6 (Audit Record Review, Analysis, And Reporting): define a review frequency and alert threshold for the above indicators. Automated correlation rules should alert on the Ethereum RPC outbound pattern within minutes of occurrence. AU-13 (Monitoring For Information Disclosure) supports monitoring for typosquatted or cloned GitHub repository names matching the impersonated tool list in proxy and DNS logs.
AU-11 (Audit Record Retention): retain all logs from endpoints where indicators are detected for a minimum period consistent with your incident response and forensic requirements. Do not allow log rotation to overwrite evidence before eradication is confirmed.
Note: The KB does not include NIST SI-family controls in the provided reference data. SI-4 (System Monitoring) is a commonly applicable control for this threat category but cannot be cited as KB-verified from the data provided. Recommend verifying SI-4 applicability against your full NIST 800-53 Rev. 5 implementation before including it in formal documentation.
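The correlation described in Step 2 and the Detection Guidance above (a script host launched from a user-writable path, followed within minutes by a connection to an Ethereum RPC provider, plus JSON-RPC POST bodies carrying eth_call or eth_getLogs), as an added Python example that is not part of this advisory or of any vendor tooling. The event records, host names, project-ID and contract placeholders, and the DEVELOPER_HOSTS allowlist are constructed for illustration; the normalized event shape is an assumption, not a real EDR or proxy schema.

```python
"""Correlate endpoint and proxy telemetry for the EtherRAT pattern described above.

Added example, not from the advisory. Input events are constructed samples in a
simplified normalized form (process and network events plus proxy records).
"""
import json
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
RPC_PROVIDERS = ("infura.io", "cloudflare-eth.com", "eth.llamarpc.com", "ankr.com")
RPC_PORTS = {8545, 8546}
RPC_METHODS = {"eth_call", "eth_getLogs"}
# Constructed allowlist: endpoints with a documented Node.js business justification.
DEVELOPER_HOSTS = {"DEV-WS07"}
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample telemetry (not real observations); timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05Z", "host": "ADM-WS01", "type": "process",
     "image": r"C:\Users\jdoe\Downloads\PsExec\node.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2024-01-10T09:01:40Z", "host": "ADM-WS01", "type": "network",
     "image": r"C:\Users\jdoe\Downloads\PsExec\node.exe",
     "dest_host": "mainnet.infura.io", "dest_port": 443},
    {"ts": "2024-01-10T09:01:41Z", "host": "ADM-WS01", "type": "proxy", "method": "POST",
     "url": "https://mainnet.infura.io/v3/PLACEHOLDER-PROJECT-ID",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call",'
             '"params":[{"to":"0xPLACEHOLDER-CONTRACT","data":"0x"},"latest"]}'},
    # Benign: approved Node.js install on a developer workstation.
    {"ts": "2024-01-10T09:05:00Z", "host": "DEV-WS07", "type": "process",
     "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-10T09:05:10Z", "host": "DEV-WS07", "type": "network",
     "image": r"C:\Program Files\nodejs\node.exe",
     "dest_host": "eth.llamarpc.com", "dest_port": 443},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_process(ev):
    """Indicator 1: a script host launched from Downloads, Temp or AppData."""
    return (ev["type"] == "process"
            and basename(ev["image"]) in SCRIPT_HOSTS
            and USER_WRITABLE.search(ev["image"]) is not None)


def is_rpc_destination(ev):
    """Indicator 3: connection to a known Ethereum RPC provider or to TCP 8545/8546."""
    if ev["type"] != "network":
        return False
    host = ev.get("dest_host", "").lower()
    provider = any(host == p or host.endswith("." + p) for p in RPC_PROVIDERS)
    return provider or ev.get("dest_port") in RPC_PORTS


def rpc_method(body):
    """Return eth_call/eth_getLogs if a POST body is a JSON-RPC request using one, else None."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    for call in (doc if isinstance(doc, list) else [doc]):   # batch requests are arrays
        if (isinstance(call, dict) and call.get("jsonrpc") == "2.0"
                and call.get("method") in RPC_METHODS):
            return call["method"]
    return None


def correlate(events):
    """One alert per RPC connection that follows a suspicious script-host launch on the
    same non-developer host within CORRELATION_WINDOW, plus one per JSON-RPC body match."""
    alerts = []
    last_launch = {}   # host -> (timestamp, process event)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        host = ev["host"]
        if is_suspicious_process(ev):
            last_launch[host] = (parse_ts(ev["ts"]), ev)
        elif host in DEVELOPER_HOSTS:
            continue   # approved Node.js use; still logged, just not alerted here
        elif is_rpc_destination(ev):
            launch = last_launch.get(host)
            if launch and parse_ts(ev["ts"]) - launch[0] <= CORRELATION_WINDOW:
                alerts.append({"host": host, "kind": "sequence", "process": launch[1]["image"],
                               "parent": launch[1]["parent"], "destination": ev["dest_host"]})
        elif ev["type"] == "proxy" and ev.get("method") == "POST":
            method = rpc_method(ev.get("body", ""))
            if method:
                alerts.append({"host": host, "kind": "jsonrpc",
                               "rpc_method": method, "url": ev["url"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample set, the administrative workstation raises a sequence alert and a JSON-RPC confirmation while the developer host raises nothing; in production the allowlist should come from the software inventory (CIS 2.1) rather than a hard-coded set.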
Indicators of Compromise (3): 2 domains, 1 URL
Type | Value | Enrichment | Context | Conf.
DOMAIN | infura.io | VT, US | Legitimate Ethereum RPC provider abused for C2 resolution via smart contract queries — flag anomalous outbound connections from non-developer endpoints, not the domain itself | MEDIUM
DOMAIN | cloudflare-eth.com | VT, US | Legitimate Ethereum RPC endpoint potentially abused for blockchain-based C2 resolution — treat outbound connections from administrative workstations as suspicious | MEDIUM
URL | https://github.com/[spoofed-repo] | VT, US | Campaign uses cloned or typosquatted GitHub repositories impersonating legitimate tool distributors — specific repository URLs not publicly confirmed in available sources; flag GitHub downloads of tool names matching the 44 impersonated utilities from repos with no commit history | LOW
Platform Playbooks (Microsoft Sentinel / Defender)
Log source coverage by license tier:
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (2)
2 domain indicator(s). Detects DNS lookups and connections.
KQL query:
// Threat: EtherRAT Weaponizes Ethereum Smart Contracts and GitHub Facades to Hunt Enterpri
let malicious_domains = dynamic(["infura.io", "cloudflare-eth.com"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Malicious URLs hosted on legitimate platforms. The domain is safe — the specific URL path is the indicator.
KQL query:
// Threat: EtherRAT Weaponizes Ethereum Smart Contracts and GitHub Facades to Hunt Enterpri
// Specific malicious URLs on shared platforms
let suspicious_urls = dynamic(["https://github.com/[spoofed-repo]"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (suspicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (8)
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
// case-insensitive extension match (KQL has no endswith_any operator)
| where FileName matches regex @"(?i)\.(exe|scr|bat|ps1|vbs|js|hta|msi)$"
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
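The two IOC queries above match the Ethereum RPC domains, and the masquerading rule above checks system process names. As an added example that is not part of this intelligence item, the following Python pass applies both ideas to a handful of constructed endpoint events: it matches the RPC domains on the DNS suffix (so mainnet.infura.io is caught but notinfura.io is not, which a plain substring match would flag), skips browser processes, and flags executables named like the impersonated admin tools when they run from a download or temp folder. The event field names mirror Defender's DeviceNetworkEvents and DeviceProcessEvents tables, the browser allowlist and the tool-name subset (with procexp/procmon assumed as the binary names of Process Explorer/Monitor) are assumptions, and the sample events are constructed.

```python
"""Added example (not from the original intelligence item): applies two of
the page's hunting ideas to constructed endpoint telemetry.

Rule 1 (T1102.002 / T1568): a non-browser process connects to a host under
one of the Ethereum RPC domains listed as indicators.  The match is on the
DNS suffix, so mainnet.infura.io is caught while notinfura.io is not.

Rule 2 (T1036.005): an executable named like one of the impersonated admin
tools is run from a download/temp folder.

Field names mirror Defender's DeviceNetworkEvents / DeviceProcessEvents
tables; the allowlist, tool-name subset and events are assumptions.
"""
from urllib.parse import urlsplit

# Domains from the page's IOC list (hosts under these domains are matched).
RPC_DOMAINS = ("infura.io", "cloudflare-eth.com")

# Assumed allowlist: browsers reaching these domains are expected noise.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed binary names for a subset of the impersonated utilities
# (Process Explorer/Monitor ship as procexp/procmon).
IMPERSONATED_TOOLS = {
    "psexec", "azcopy", "sysmon", "procdump", "autoruns", "procexp",
    "procmon", "tcpview", "rammap", "windbg", "bginfo", "disk2vhd",
}

# Folder fragments the page's "suspicious file execution" rule keys on.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\")


def domain_matches(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it (trailing dot ok)."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def host_from_url(remote_url: str) -> str:
    """Extract the hostname from a RemoteUrl value, with or without scheme."""
    if "://" not in remote_url:
        remote_url = "//" + remote_url  # bare host[:port] -> parseable netloc
    return (urlsplit(remote_url).hostname or "").lower()


def flag_rpc_c2(net_events):
    """Rule 1: non-browser processes talking to the RPC domains."""
    hits = []
    for e in net_events:
        if e["InitiatingProcessFileName"].lower() in BROWSERS:
            continue
        host = host_from_url(e["RemoteUrl"])
        if any(domain_matches(host, d) for d in RPC_DOMAINS):
            hits.append((e["DeviceName"], e["InitiatingProcessFileName"], host))
    return hits


def flag_tool_masquerade(proc_events):
    """Rule 2: impersonated tool names launched from user-writable folders."""
    hits = []
    for e in proc_events:
        path = e["FolderPath"].lower()
        stem = e["FileName"].lower().rsplit(".", 1)[0]
        if stem in IMPERSONATED_TOOLS and any(d in path for d in USER_WRITABLE_DIRS):
            hits.append((e["DeviceName"], e["FileName"], e["FolderPath"]))
    return hits


# Constructed sample telemetry (not real events); FolderPath holds the full file path.
NET_EVENTS = [
    {"DeviceName": "srv-admin01", "InitiatingProcessFileName": "node.exe",
     "RemoteUrl": "https://mainnet.infura.io/v3/constructed-project-id"},
    {"DeviceName": "ws-dev02", "InitiatingProcessFileName": "chrome.exe",
     "RemoteUrl": "https://cloudflare-eth.com/"},
    {"DeviceName": "srv-admin01", "InitiatingProcessFileName": "wscript.exe",
     "RemoteUrl": "https://notinfura.io/"},
    {"DeviceName": "ws-sec03", "InitiatingProcessFileName": "node.exe",
     "RemoteUrl": "cloudflare-eth.com:443"},
]
PROC_EVENTS = [
    {"DeviceName": "srv-admin01", "FileName": "PsExec.exe",
     "FolderPath": "C:\\Users\\admin\\Downloads\\PsExec.exe"},
    {"DeviceName": "srv-admin01", "FileName": "PsExec.exe",
     "FolderPath": "C:\\Tools\\Sysinternals\\PsExec.exe"},
    {"DeviceName": "ws-sec03", "FileName": "procdump.exe",
     "FolderPath": "C:\\Users\\analyst\\AppData\\Local\\Temp\\procdump.exe"},
    {"DeviceName": "ws-dev02", "FileName": "notepad.exe",
     "FolderPath": "C:\\Users\\dev\\Downloads\\notepad.exe"},
]

if __name__ == "__main__":
    for hit in flag_rpc_c2(NET_EVENTS):
        print("RPC C2 lead:", hit)
    for hit in flag_tool_masquerade(PROC_EVENTS):
        print("Tool masquerade lead:", hit)
```

Rule 2 is a hunting lead, not a verdict: a legitimately downloaded PsExec triggers it too, so in production pair the hit with the file's signer or hash before escalating.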
Sentinel rule: Lateral movement via RDP / SMB / WinRM
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Falcon API IOC Import Payload (2 indicators)
POST to /iocs/entities/indicators/v1 (the current IOC Management API, whose request body wraps the list in an "indicators" key; the fields below belong to that API, not the legacy /indicators/entities/iocs/v1 endpoint). Weak/benign indicators pre-filtered. Expiration set to 90 days.
{
  "comment": "EtherRAT Ethereum RPC domains (SCC Threat Intel)",
  "indicators": [
    {
      "type": "domain",
      "value": "infura.io",
      "source": "SCC Threat Intel",
      "description": "Legitimate Ethereum RPC provider abused for C2 resolution via smart contract queries \u2014 flag anomalous outbound connections from non-developer endpoints, not the domain itself",
      "severity": "medium",
      "action": "detect",
      "platforms": ["windows", "mac", "linux"],
      "applied_globally": true,
      "expiration": "2026-08-19T00:00:00Z"
    },
    {
      "type": "domain",
      "value": "cloudflare-eth.com",
      "source": "SCC Threat Intel",
      "description": "Legitimate Ethereum RPC endpoint potentially abused for blockchain-based C2 resolution \u2014 treat outbound connections from administrative workstations as suspicious",
      "severity": "medium",
      "action": "detect",
      "platforms": ["windows", "mac", "linux"],
      "applied_globally": true,
      "expiration": "2026-08-19T00:00:00Z"
    }
  ]
}
Route 53 DNS — Malicious Domain Resolution
# CloudWatch Logs Insights over Route 53 Resolver query logs; the field is query_name
# and the suffix regex also catches RPC hosts such as mainnet.infura.io
fields @timestamp, query_name, srcaddr, rcode
| filter query_name like /(^|\.)(infura\.io|cloudflare-eth\.com)\.?$/
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1102.002, T1204.002, T1036.005, T1021, T1078.002, T1608.001 (+13 more)
NIST SP 800-53: AC-17, AC-3, CM-7, IA-2, SI-3, SI-4 (+9 more)
MITRE ATT&CK Mapping
T1102.002 Bidirectional Communication (command-and-control)
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1021 Remote Services (lateral-movement)
T1608.001 Upload Malware (resource-development)
T1543 Create or Modify System Process (persistence)
T1568 Dynamic Resolution (command-and-control)
T1027 Obfuscated Files or Information (defense-evasion)
T1102 Web Service (command-and-control)
T1071 Application Layer Protocol (command-and-control)
T1195 Supply Chain Compromise (initial-access)
T1036 Masquerading (defense-evasion)
T1608.004 Drive-by Target (resource-development)
T1195.002 Compromise Software Supply Chain (initial-access)
T1566 Phishing (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.