216.73.217.22

EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

· Published 26/03/2026 21:08 · Modified 27/03/2026 00:17

Export JSON

Essential information

Published
26/03/2026 21:08
Modified
27/03/2026 00:17
Tags
2026-03-26 backdoor cdn-like beaconing cis language check ethereum etherhiding etherrat host fingerprinting it support scams node.js sys_info module
Related entities
10 observables, 1 intrusion sets (apt), 18 techniques (mitre), 1 malware, 16 others

Description

, a -based linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses '' to store C2 addresses in smart contracts, making infrastructure resilient to takedowns. It communicates using to blend with normal traffic. Initial access varied, including ClickFix and via Microsoft Teams. A performs comprehensive for target selection. The malware checks for CIS languages and self-destructs if found. It collects detailed system information, including hardware, software, and network details.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (10)

  • 185.218.19.162
  • www-flow-submission-management.shepherdsestates.uk
  • 294c597c89023093e1e175949f5104f887b89cd8e1cf1d3192ee9032739f259e
  • 5623f4f8942872b2b7cb6d2674c126a42bdf6ed5d1f37c1afc348529e4697d73
  • 2edf1ab615b489e228a89c617d24f66d1e780a6d5e30f6886608dfe79325acf8
  • 03c4e54cc775ab819752dc5d420ab2fed03bd445c3ce398d021031100b334fb4
  • 83b1f11c6a0bd267e415136440559131d2d4ace9a65dc221ea3b144fe0e7199b
  • b1ee812e7c786c8696f913595658e57706d97a66ca7b7634f421f5c552e7002b
  • 7dd1bf7a58774a081062f5c8f183d24f95c433805e0bf73280c0adba1c71390d
  • 47f74749cfcd55c8dacde2cc9b4c45282bec7a93ee19b7b81b452c99758d3370

Intrusion sets (APT) (1)

  • North Korean APT group
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 27/03/2026 01:16 · Modified 27/03/2026 01:16

Techniques (MITRE) (18)

  • T1057
    Process Discovery
  • T1012
    Query Registry
  • T1071.001
    Web Protocols
  • T1518
    Software Discovery
  • T1016
    System Network Configuration Discovery
  • T1204.002
    Malicious File
  • T1027
    Obfuscated Files or Information
  • T1105
    Ingress Tool Transfer
  • T1059
    Command and Scripting Interpreter
  • T1133
    External Remote Services
  • T1102.002
    Bidirectional Communication
  • T1547.001
    Registry Run Keys / Startup Folder
  • T1033
    System Owner/User Discovery
  • T1497.001
    System Checks
  • T1140
    Deobfuscate/Decode Files or Information
  • T1027.002
    Software Packing
  • T1083
    File and Directory Discovery
  • T1082
    System Information Discovery

Malware (1)

  • EtherRAT
    Family
    Published 16/06/2026 14:27 · Modified 16/06/2026 14:27

Others (16)

  • Finance
  • Business Services
  • Retail
  • Technology
  • hayesmed.com
  • rpc.payload.de
  • shepherdsestates.uk
  • regancontrols.com
  • jariosos.com
  • justtalken.com
  • euclidrent.com
  • aurineuroth.com
  • salinasrent.com
  • o-parana.com
  • mebeliotmasiv.com
  • palshona.com

External references