{
  "name": "EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons",
  "slug": "etherrat-sys_info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons",
  "description": "EtherRAT, a Node.js-based backdoor linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses 'EtherHiding' to store C2 addresses in Ethereum smart contracts, making its infrastructure resilient to takedowns. It communicates using CDN-like beaconing to blend with normal traffic. Initial access methods varied, including ClickFix and IT Support scams via Microsoft Teams. A SYS_INFO module performs comprehensive host fingerprinting for target selection. The malware checks for CIS-region system languages and self-destructs if one is detected. It collects detailed system information, including hardware, software, and network details.",
  "published": "2026-03-26T20:08:19+00:00",
  "created_at": "2026-03-26T20:08:19+00:00",
  "modified_at": "2026-03-26T23:17:17+00:00",
  "created_at_opencti": "2026-03-26T20:08:19+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-26",
    "backdoor",
    "cdn-like beaconing",
    "cis language check",
    "ethereum",
    "etherhiding",
    "etherrat",
    "host fingerprinting",
    "it support scams",
    "node.js",
    "sys_info module"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "185.218.19.162"
      },
      {
        "id": "",
        "name": "www-flow-submission-management.shepherdsestates.uk"
      },
      {
        "id": "",
        "name": "294c597c89023093e1e175949f5104f887b89cd8e1cf1d3192ee9032739f259e"
      },
      {
        "id": "",
        "name": "5623f4f8942872b2b7cb6d2674c126a42bdf6ed5d1f37c1afc348529e4697d73"
      },
      {
        "id": "",
        "name": "2edf1ab615b489e228a89c617d24f66d1e780a6d5e30f6886608dfe79325acf8"
      },
      {
        "id": "",
        "name": "03c4e54cc775ab819752dc5d420ab2fed03bd445c3ce398d021031100b334fb4"
      },
      {
        "id": "",
        "name": "83b1f11c6a0bd267e415136440559131d2d4ace9a65dc221ea3b144fe0e7199b"
      },
      {
        "id": "",
        "name": "b1ee812e7c786c8696f913595658e57706d97a66ca7b7634f421f5c552e7002b"
      },
      {
        "id": "",
        "name": "7dd1bf7a58774a081062f5c8f183d24f95c433805e0bf73280c0adba1c71390d"
      },
      {
        "id": "",
        "name": "47f74749cfcd55c8dacde2cc9b4c45282bec7a93ee19b7b81b452c99758d3370"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5f3b76a45f86aba0",
        "name": "EtherRAT",
        "slug": "etherrat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "8dfe5d2b-33dc-43fb-b763-d1e773df2fae",
        "name": "North Korean APT group",
        "slug": "north-korean-apt-group"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Business Services"
      },
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "hayesmed.com"
      },
      {
        "id": "",
        "name": "rpc.payload.de"
      },
      {
        "id": "",
        "name": "shepherdsestates.uk"
      },
      {
        "id": "",
        "name": "regancontrols.com"
      },
      {
        "id": "",
        "name": "jariosos.com"
      },
      {
        "id": "",
        "name": "justtalken.com"
      },
      {
        "id": "",
        "name": "euclidrent.com"
      },
      {
        "id": "",
        "name": "aurineuroth.com"
      },
      {
        "id": "",
        "name": "salinasrent.com"
      },
      {
        "id": "",
        "name": "o-parana.com"
      },
      {
        "id": "",
        "name": "mebeliotmasiv.com"
      },
      {
        "id": "",
        "name": "palshona.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69c5a04382b357bdc81343b4",
    "https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons"
  ]
}