CoinTrust

EtherRAT Malware Targets Windows Through Fake Tftpd64 Installer

Cybercriminals Blend Traditional Malware With Crypto Theft

by Kelly Cromley
May 2, 2026
in Ethereum News, Market News, News

A newly identified malware campaign has raised concerns among cybersecurity experts after attackers began distributing an advanced form of malicious software through a fake Windows utility installer. The threat, known as EtherRAT, reportedly combines conventional malware techniques with cryptocurrency-focused attacks, creating a more dangerous and difficult-to-detect threat for Windows users.

Security researchers from LevelBlue SpiderLabs explained that cybercriminal operations had traditionally remained divided between standard malware activity and cryptocurrency-related fraud. Credential-stealing malware, botnets, and remote-access tools generally operated independently from wallet-draining schemes and fake crypto platforms. However, analysts indicated that the distinction between the two sectors has narrowed significantly over the past two years.

Researchers observed that attackers are increasingly reusing infrastructure originally developed for credential theft to support cryptocurrency phishing operations. At the same time, malware operators have reportedly started integrating digital wallet draining capabilities into broader cybercrime campaigns as an additional source of revenue.

The latest EtherRAT campaign reportedly demonstrates how attackers can simultaneously steal login credentials, maintain unauthorized remote access, and target cryptocurrency wallets within a single coordinated attack.

Fake GitHub Repository Used to Spread Malware

According to analysts, EtherRAT initially emerged as a JavaScript-based Node.js implant that targeted Linux servers through known vulnerabilities. The malware has now evolved into a Windows-focused threat distributed through malicious MSI installers.

In the latest campaign, attackers reportedly embedded EtherRAT into a compromised version of Tftpd64, a widely used TFTP server and administration utility for Windows environments. The malware-laced software was distributed through a fraudulent GitHub repository designed to imitate the legitimate Tftpd64 project page.

The fake repository allegedly offered downloads labeled as Tftpd64 v4.74, making the installer appear authentic and encouraging unsuspecting users to install the malicious package as though it were a legitimate software update.

Cybersecurity researchers warned that the campaign is particularly effective because it targets IT administrators and network professionals who regularly use Tftpd64 for system management and maintenance tasks. Since trusted administrative tools often attract less scrutiny from security systems, attackers may gain easier access to enterprise environments.

Persistence Mechanisms and System Reconnaissance

Investigators reported that the malicious archive contained suspicious files with extensions such as .dat, .cmd, .ini, and .tmp. These files were allegedly stored in user-accessible directories within the local application data folder to blend in with legitimate system activity and avoid detection.

After installation, the malware reportedly establishes persistence through a Windows Run registry key. Researchers indicated that this mechanism forces conhost.exe to launch node.exe in headless mode during every user logon, silently loading an obfuscated .dat file that functions as the primary malware payload.

Following persistence setup, EtherRAT allegedly initiates a concealed reconnaissance process using PowerShell commands configured to run without visible windows or profile loading. Analysts explained that this approach allows the malware to gather intelligence from infected systems without alerting users.

The malware reportedly collects a broad range of system information, including device locale settings, GPU details, antivirus products registered within the Windows Security Center, Active Directory domain membership status, and the system’s MachineGuid identifier.

Researchers also stated that EtherRAT downloads an additional Node.js runtime directly from the official Node.js distribution server through curl commands. The malware subsequently communicates with external domains, including wpuadmin[.]shop, while encrypting payload components using AES-256-CBC encryption with embedded keys and initialization vectors.

Blockchain Integration Raises Security Concerns

Researchers highlighted that EtherRAT represents a significant evolution in cybercrime because it directly connects traditional system compromise methods with blockchain-enabled financial theft operations.

The malware bundle reportedly included multiple Ethereum RPC endpoints associated with Flashbots, Tenderly, LlamaRPC, and DRPC, along with several Ethereum wallet addresses. Analysts suggested that these components could allow attackers to conduct blockchain interactions, establish command-and-control communication channels through blockchain data, or facilitate cryptocurrency asset theft.

Once executed, the trojanized installer reportedly creates a hidden directory within the local application data folder and deploys multiple staged components into the infected system. These components include a fully self-contained Node.js runtime environment.

By carrying its own Node.js runtime and executing processes silently in the background, EtherRAT can reportedly avoid traditional detection methods and make malicious activity significantly harder for security teams to identify.

Cybersecurity experts advised organizations to verify software downloads exclusively through official developer websites and avoid unverified GitHub repositories that cannot be confirmed as authentic sources. Security teams were also encouraged to monitor Windows Run registry keys for suspicious node.exe entries or headless execution flags.

Analysts further recommended configuring endpoint protection systems to identify outbound traffic directed toward Ethereum RPC endpoints from non-browser applications. Researchers added that any system found silently running Node.js outside of a legitimate development environment should be treated as a potential compromise and investigated immediately.
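The host-side traits described above (a Run key that starts node.exe headlessly through conhost.exe and loads a .dat payload, a self-contained Node.js runtime in a hidden LocalAppData folder, and name lookups for the RPC providers and the wpuadmin[.]shop domain) can be turned into a quick triage script. The following PowerShell is an added example written for this page; it is not code from the article, from LevelBlue SpiderLabs, or from the Tftpd64 project. It assumes an elevated PowerShell 5.1 or later session on Windows, and the regular expressions are constructed here from the article's description rather than taken from a published IoC list.

```powershell
# Added defensive hunt (not from the article or LevelBlue SpiderLabs).
# Checks: Run-key values that start node.exe / headless conhost / a .dat
# payload, node.exe processes running from LocalAppData or under a headless
# conhost.exe parent, hidden LocalAppData folders carrying their own node.exe,
# and DNS cache entries for the names the article associates with the campaign.
# Assumption: elevated PowerShell 5.1+ on Windows; patterns are constructed.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Constructed pattern: node.exe, conhost.exe in headless mode, or a .dat argument.
$RunValuePattern = '(?i)\bnode(\.exe)?\b|conhost(\.exe)?[^|]*--headless|\.dat\b'

# Provider metadata properties that Get-ItemProperty adds to every result.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $ProviderProps) { continue }
            $command = [string]$prop.Value
            if ($command -match $RunValuePattern) {
                [pscustomobject]@{ Check = 'RunKey'; Where = "$key\$($prop.Name)"; Detail = $command }
            }
        }
    }
}

function Get-SuspiciousNodeProcesses {
    # node.exe running out of LocalAppData, or parented by a headless conhost.exe.
    $localAppData = $env:LOCALAPPDATA
    foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'node.exe'") {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $fromAppData = $proc.ExecutablePath -and
            $proc.ExecutablePath.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase)
        $headlessParent = $parent -and ($parent.CommandLine -match '(?i)conhost[^|]*--headless')
        if ($fromAppData -or $headlessParent) {
            $parentName = if ($parent) { $parent.Name } else { 'n/a' }
            [pscustomobject]@{
                Check  = 'Process'
                Where  = "PID $($proc.ProcessId) (parent: $parentName)"
                Detail = $proc.CommandLine
            }
        }
    }
}

function Get-HiddenNodeRuntimes {
    # A self-contained Node.js runtime dropped into a hidden LocalAppData folder.
    Get-ChildItem -Path $env:LOCALAPPDATA -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $node = Get-ChildItem -Path $_.FullName -Filter 'node.exe' -Recurse -Force `
                -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($node) {
                [pscustomobject]@{ Check = 'HiddenRuntime'; Where = $_.FullName; Detail = $node.FullName }
            }
        }
}

function Get-SuspiciousDnsEntries {
    # The C2 domain and the RPC providers named in the article. Matching is by
    # provider keyword, so hits from a browser or wallet app are expected and
    # need triage rather than automatic blocking.
    $pattern = '(?i)wpuadmin\.shop|flashbots|tenderly|llamarpc|drpc'
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -match $pattern -or $_.RecordName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'DnsCache'; Where = $_.Entry; Detail = $_.Data }
        }
}

$findings = @(Get-SuspiciousRunEntries) + @(Get-SuspiciousNodeProcesses) +
            @(Get-HiddenNodeRuntimes) + @(Get-SuspiciousDnsEntries)

if ($findings.Count -eq 0) {
    Write-Host 'No EtherRAT-style traits found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the HKLM keys and all processes are readable. Developer workstations with a Node.js install under LocalAppData, or tools that bundle their own node.exe, will produce benign hits in the Process and HiddenRuntime checks; the Run-key check is the sharpest signal, since a legitimate Node.js installation does not register itself under Run, let alone behind a headless conhost.exe.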

 

© 2024 CoinTrust.com.