Ethereum Smart Contracts Used to Bypass Security Measures


March 26, 2026

A recent report from eSentire describes a new EtherRAT malware campaign that uses Ethereum smart contracts to conceal command-and-control (C2) infrastructure. The activity was uncovered during an incident response investigation in the retail sector in March 2026, where the threat actors deployed a Node.js-based backdoor after gaining initial access.

The malware allows attackers to remotely execute commands, collect extensive system data, and steal cryptocurrency wallets and cloud credentials. Most notable is its use of a tactic called EtherHiding: C2 addresses are stored within Ethereum smart contracts, which lets the operators rotate infrastructure cheaply while sidestepping traditional takedown efforts.

The initial access techniques observed by investigators ranged from ClickFix lures to IT support scams conducted over Microsoft Teams, culminating in remote access through Quick Assist. In the ClickFix scenario, the attackers used indirect command execution to launch a malicious script through built-in Windows tools, circumventing security controls.

The delivery chain consisted of multiple stages involving encrypted payloads and obfuscated scripts, ending in the installation of EtherRAT and persistence established through Windows registry keys.

Once installed, EtherRAT retrieved its C2 addresses from smart contracts on the Ethereum blockchain via public RPC providers, then communicated with the C2 server using traffic shaped to resemble ordinary content delivery network requests, so that it blended in with legitimate network activity.

After connecting to the C2 server, the malware ran a profiling routine that collected detailed system information about the victim. This included the public IP address, CPU and GPU information, operating system and hardware identifiers, installed antivirus software, and domain membership and administrator status. Notably, EtherRAT checked the system language settings and deleted itself when it detected specific languages associated with the CIS region.

The report advised organizations to consider disabling select Windows utilities, training staff to recognize IT support scams, and, where feasible, blocking the cryptocurrency RPC providers commonly abused by threat actors.
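The C2 retrieval described above (a contract read through a public Ethereum JSON-RPC provider) and the report's suggestion to block or watch RPC providers both come down to the same detection question: which endpoints are issuing contract-state reads, and do they have a business reason to? The following is an added example, not code from the report or from eSentire, showing one way to answer that from proxy logs. The log format, the hostnames in `ETH_RPC_HOSTS`, the `ALLOWED_SOURCES` allowlist and the `SCRIPT_RUNTIMES` set are assumptions for illustration; the JSON-RPC method names (`eth_call`, `eth_getStorageAt`) are the standard Ethereum methods that read contract state.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder hostnames for public Ethereum JSON-RPC providers. The
# report names none, so these are assumptions; populate them from your own
# proxy data when deploying.
ETH_RPC_HOSTS = {"rpc.example-provider.invalid", "mainnet.example-rpc.invalid"}

# JSON-RPC methods that read smart-contract state. Fetching a C2 address stored
# in a contract (EtherHiding) needs one of these; block-height polling does not.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt"}

# Hosts with a legitimate business reason to query Ethereum nodes (assumption).
ALLOWED_SOURCES = {"fin-crypto-01"}

# Script runtimes whose presence raises severity; node.exe matches the Node.js
# backdoor the report describes, the others are assumptions.
SCRIPT_RUNTIMES = {"node.exe", "powershell.exe", "wscript.exe"}


@dataclass
class Finding:
    src_host: str
    process: str
    dst_host: str
    method: str
    contract: Optional[str]
    severity: str


def parse_jsonrpc(body: str) -> List[dict]:
    """Return the JSON-RPC request objects in a body, unwrapping batch arrays."""
    try:
        obj = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    items = obj if isinstance(obj, list) else [obj]
    return [i for i in items if isinstance(i, dict) and "method" in i]


def contract_address(req: dict) -> Optional[str]:
    """Pull the target contract out of eth_call / eth_getStorageAt params."""
    params = req.get("params") or []
    if not params:
        return None
    first = params[0]
    if isinstance(first, dict):   # eth_call: [{"to": "0x..", "data": ".."}, block]
        return first.get("to")
    if isinstance(first, str):    # eth_getStorageAt: ["0x..", slot, block]
        return first
    return None


def analyze(log_lines: List[str]) -> List[Finding]:
    """Flag contract reads against public RPC hosts from non-allowlisted sources."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("dst_host") not in ETH_RPC_HOSTS:
            continue
        if rec.get("src_host") in ALLOWED_SOURCES:
            continue
        for req in parse_jsonrpc(rec.get("body", "")):
            if req.get("method") not in CONTRACT_READ_METHODS:
                continue
            proc = rec.get("process", "").lower()
            severity = "high" if proc in SCRIPT_RUNTIMES else "medium"
            findings.append(Finding(rec["src_host"], proc, rec["dst_host"],
                                    req["method"], contract_address(req), severity))
    return findings


# Constructed proxy log lines, not real telemetry. Contract addresses are dummies.
SAMPLE_LOGS = [
    json.dumps({"src_host": "fin-crypto-01", "process": "wallet.exe",
                "dst_host": "rpc.example-provider.invalid",
                "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x"},"latest"]}'}),
    json.dumps({"src_host": "ws-retail-17", "process": "node.exe",
                "dst_host": "rpc.example-provider.invalid",
                "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x2222222222222222222222222222222222222222","data":"0x"},"latest"]}'}),
    json.dumps({"src_host": "ws-retail-17", "process": "node.exe",
                "dst_host": "rpc.example-provider.invalid",
                "body": '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}'}),
    json.dumps({"src_host": "ws-retail-22", "process": "chrome.exe",
                "dst_host": "mainnet.example-rpc.invalid",
                "body": '[{"jsonrpc":"2.0","id":1,"method":"eth_chainId","params":[]},{"jsonrpc":"2.0","id":2,"method":"eth_getStorageAt","params":["0x3333333333333333333333333333333333333333","0x0","latest"]}]'}),
    json.dumps({"src_host": "ws-retail-22", "process": "chrome.exe",
                "dst_host": "cdn.example.invalid", "body": ""}),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.src_host} {f.process} -> {f.dst_host} "
              f"{f.method} contract={f.contract}")
```

The contract address pulled from each finding is the useful pivot: it can be added to the RPC-provider block rule as a per-contract deny, and any other host reading the same contract is worth a look. Plain block-height or chain-id polling is deliberately ignored so that browser wallets and monitoring tools do not drown the alert.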

In conclusion, EtherRAT's use of Ethereum smart contracts for C2 resolution marks a concerning evolution in malware tactics, underlining the need for vigilance and proactive security measures against threats of this kind.