EtherRAT Targeting Windows Disguised as a Game Mod Installer
Essential information
- Published
- 21/01/2026 12:36
- Modified
- 21/01/2026 23:18
- Tags
- 123 stealer 2026-01-21 CVE-2025-55182 c2 communication ethereum etherrat game mod msi obfuscation persistence smart-contract tsundere botnet windows
- Related entities
- 12 observables, 14 techniques (mitre), 3 malware, 5 others
Description
A Windows variant of EtherRAT, a JavaScript-based malware, has been discovered disguised as game mod installers. The malware uses MSI files to create and execute obfuscated scripts that decrypt and run the main payload. EtherRAT retrieves its Command and Control (C2) server addresses dynamically through Ethereum smart contracts, employing anti-analysis techniques and establishing persistence via Registry Run keys. The malware's infrastructure has been linked to the Tsundere Botnet, sharing C2 servers and smart contract similarities. Analysis revealed multiple contract addresses and wallet addresses associated with the attacker, indicating an expanding and evolving operation targeting both Windows and Linux systems.