Malware · Jun 1, 2026


EtherRAT malware deployed via fake Sysinternals MSI uses blockchain C2 communications.

Summary

A malicious MSI installer disguised as Sysinternals RAMMap deployed EtherRAT, a remote access trojan that leverages EtherHiding to retrieve command-and-control configuration updates hosted on the Ethereum blockchain. After initial compromise, the malware pivoted to using TryCloudflare infrastructure for continued command delivery.
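The two behaviours in the summary that a defender can look for in network telemetry are an Ethereum JSON-RPC read (EtherHiding fetches its configuration by calling a contract, typically via the `eth_call` method against a public RPC endpoint) and name resolution or HTTP traffic to a `*.trycloudflare.com` tunnel hostname. The script below is an added example, not code from the report or from any vendor: it runs two such rules over a few constructed log lines. The log format, the process name `RAMMap.exe`, the RPC host `lookup.example-rpc.invalid`, the tunnel subdomain and the browser allowlist are all assumptions made for the illustration.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample telemetry (not from the report). One event per line:
#   <timestamp> <process> <dns|http> <hostname-or-url> [compact JSON body]
# The process name, RPC host and tunnel subdomain are placeholders.
SAMPLE_LOG = """\
2026-06-01T10:02:11Z RAMMap.exe dns lookup.example-rpc.invalid
2026-06-01T10:02:12Z RAMMap.exe http https://lookup.example-rpc.invalid/ {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xPLACEHOLDER","data":"0x"},"latest"],"id":1}
2026-06-01T10:05:40Z RAMMap.exe dns quiet-harbor-example.trycloudflare.com
2026-06-01T10:05:41Z RAMMap.exe http https://quiet-harbor-example.trycloudflare.com/update
2026-06-01T10:06:00Z chrome.exe http https://www.example.com/
2026-06-01T10:07:00Z msedge.exe http https://lookup.example-rpc.invalid/ {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":2}
"""

# Hosts under trycloudflare.com are Cloudflare quick tunnels: legitimate for
# developers, but unusual for an installer or an unknown binary.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)

# Assumption: browsers (and wallet software, if present) are the only processes
# expected to issue Ethereum JSON-RPC reads on a typical workstation.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Alert:
    timestamp: str
    process: str
    rule: str
    detail: str


def parse_line(line):
    """Split one event into (ts, process, kind, dest, body); body may be empty."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, proc, kind, dest = parts[:4]
    body = parts[4] if len(parts) == 5 else ""
    return ts, proc, kind, dest, body


def host_of(dest):
    """Return the lowercase hostname from either a bare name or a URL."""
    m = re.match(r"^[a-z]+://([^/:]+)", dest, re.IGNORECASE)
    return (m.group(1) if m else dest).lower()


def is_eth_call(body):
    """True when the HTTP body is a JSON-RPC request for the eth_call method."""
    if not body:
        return False
    try:
        obj = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(obj, dict) and obj.get("method") == "eth_call"


def scan(log_text):
    """Apply both rules to every event and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proc, kind, dest, body = rec
        host = host_of(dest)
        if TRYCLOUDFLARE_RE.search(host):
            alerts.append(Alert(ts, proc, "trycloudflare-tunnel", host))
        if kind == "http" and is_eth_call(body) and proc.lower() not in BROWSER_ALLOWLIST:
            alerts.append(Alert(ts, proc, "eth_call-from-unexpected-process", host))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.process:12} {a.rule:34} {a.detail}")
```

On the sample data the browser's `eth_blockNumber` request is ignored and only the three events from the unexpected process fire, which is the point: the signal is not the blockchain or the tunnel service by itself, but which process is talking to them and what it asks for.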

Indicators of Compromise

  • malware — EtherRAT
  • malware — EtherHiding

Entities

  • Sysinternals RAMMap (product)
  • Ethereum blockchain (technology)