For years, the cybersecurity landscape was divided: traditional malware (RATs and botnets) targeted system credentials, while crypto drainers targeted digital wallets. That gap has officially closed.
In April 2026, analysts at LevelBlue SpiderLabs identified a dangerous new variant of EtherRAT. What was once a Linux-based implant has evolved into a Windows-focused hybrid threat. By hiding inside a trojanized version of Tftpd64—a staple tool for network administrators—EtherRAT bridges the gap between conventional system compromise and blockchain-based financial theft.
The Lure: Trojanized “Tftpd64” on Fake GitHub Repos
The attack targets IT professionals and network admins who rely on trusted utilities.
- The Trap: Attackers created a fraudulent GitHub repository impersonating the official Tftpd64 project, offering a malicious download labeled “Tftpd64 v4.74.”
- The Payload: The installer appears legitimate but drops a bundle of anomalous files (.dat, .cmd, .ini) into local application data folders (under %LOCALAPPDATA%).
- Lowered Defenses: Because Tftpd64 is a known administrative tool, its network activity often escapes the scrutiny usually applied to consumer software.
Technical Deep Dive: Persistence and Stealth
EtherRAT’s execution combines a bring-your-own-runtime approach with living-off-the-land tricks: the JavaScript interpreter travels with the payload, while the launch and the reconnaissance lean on binaries Windows already ships.
1. Self-Contained Node.js Runtime
The malware bundles its own Node.js environment, so it can execute complex JavaScript payloads without a pre-installed interpreter on the victim’s machine. Because node.exe is a stock, legitimate binary, the interpreter itself draws no attention from signature-based scanning; the malicious logic lives in the obfuscated data files it loads, which many standard scans never look at.
2. Registry Persistence
The installer registers a Windows Run key whose command starts node.exe through conhost.exe with its --headless switch, so no console window appears at logon. That command silently loads an obfuscated .dat file containing the core malware logic.
3. Blockchain-Based Command & Control (C2)
EtherRAT’s most distinctive feature is its use of the Ethereum blockchain for C2 resolution. Instead of hardcoding a server IP that can be blocked, it queries multiple public Ethereum RPC endpoints (such as Flashbots and LlamaRPC) to retrieve its instructions. Those endpoints serve legitimate wallets and dapps as well, so the traffic cannot be severed by IP or hostname without also blocking legitimate Web3 infrastructure.
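To make the C2 lookup concrete, here is an added example written for this page; it is not code from EtherRAT or from the LevelBlue SpiderLabs analysis. It assumes the implant reads its beacon through the standard JSON-RPC method eth_call against a smart contract, the usual shape of blockchain-hosted C2; the contract address, function selector and beacon URL are placeholders, and the sample response is constructed. The last function is the defender's counterpart: it matches on the contract address inside the request rather than on the provider host, which is the one handle that does not also hit legitimate Web3 traffic.

```python
"""Blockchain-resolved C2 as a protocol exchange (added example, not the
malware's code). Assumes an eth_call against a contract; the address,
selector, beacon URL and sample response below are placeholders."""
import json

# Hypothetical contract and 4-byte function selector (normally the first four
# bytes of keccak256 of the method signature). Neither is a real indicator.
C2_CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x1a2b3c4d"


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> str:
    """JSON-RPC body the client POSTs to any Ethereum RPC provider.
    Nothing in it is malware-specific: a wallet or dapp sends the same shape."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def abi_encode_string(s: str) -> str:
    """ABI-encode a single `string` return value the way the contract would:
    a 32-byte offset word, a 32-byte length word, then the bytes padded to 32."""
    raw = s.encode()
    head = (32).to_bytes(32, "big")
    length = len(raw).to_bytes(32, "big")
    padded = raw + b"\x00" * (-len(raw) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode an ABI-encoded `string` from an eth_call `result` field."""
    data = bytes.fromhex(result_hex[2:])
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length].decode()


def resolve_beacon(rpc_response: str) -> str:
    """What the implant does with the provider's reply: pull `result`, decode it."""
    return abi_decode_string(json.loads(rpc_response)["result"])


def flag_eth_call(rpc_request: str, bad_contracts: set) -> bool:
    """Defender-side check for a TLS-inspecting proxy: match the contract
    address in the eth_call, not the provider host, so legitimate Web3 traffic
    to the same endpoint is left alone."""
    req = json.loads(rpc_request)
    if req.get("method") != "eth_call":
        return False
    target = req["params"][0].get("to", "").lower()
    return target in {c.lower() for c in bad_contracts}


# Constructed exchange: the contract's current value is a beacon URL the
# operator can rotate on-chain without touching the implant.
BEACON = "https://beacon.example/gate"   # placeholder, not a real indicator
SAMPLE_REQUEST = build_eth_call(C2_CONTRACT, SELECTOR)
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
                              "result": abi_encode_string(BEACON)})

if __name__ == "__main__":
    print(SAMPLE_REQUEST)
    print(resolve_beacon(SAMPLE_RESPONSE))
    print(flag_eth_call(SAMPLE_REQUEST, {C2_CONTRACT}))
```

At the transport level the request is indistinguishable from a wallet's balance check: same hosts, same TLS, same JSON shape. Only a proxy that can read the `to` field of the eth_call, or endpoint telemetry that ties the request to a non-browser process, can separate it from legitimate traffic.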
The Blended Threat: Systems + Wallets
Once persistence is established, EtherRAT conducts a dual-pronged operation:
- System Reconnaissance: It runs hidden PowerShell commands to collect system locale, GPU details, antivirus status, and Active Directory membership.
- On-Chain Theft: The malware is equipped to resolve attacker beacons through blockchain data and prepare “drainer” operations. If it identifies crypto-related activity or browser-based wallets, it can pivot to asset extraction using embedded Ethereum wallet addresses.
How to Protect Your Network
As malware moves toward a “blended” model, defenders must adapt their monitoring strategies.
- Verify Your Sources: Only download administrative tools like Tftpd64 from the official developer website or the project’s verified repository. Be wary of lookalike GitHub repositories that are newly created, have suspicious maintainers, or whose star history looks artificially inflated.
- Monitor Registry Keys: Specifically, watch for `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` entries that execute `node.exe` with headless flags.
- Block Unexpected RPC Traffic: Unless your organization specifically develops Web3 applications, monitor or block non-browser processes (like `node.exe` or `curl`) that attempt to contact Ethereum RPC providers (e.g., `api.tenderly.co`, `rpc.flashbots.net`).
- Investigate Silent Node.js: Treat any instance of `node.exe` running in the background outside of a developer’s environment as a high-confidence indicator of compromise.
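The three host-side checks above, as an added example that runs them over exported Sysmon-style telemetry. This is written for this page and is not from the original report. Assumptions: events arrive as dicts with Sysmon field names (EventID 13 for a registry value set, 1 for process creation, 3 for a network connection); Sysmon records the current user's hive as HKU\<SID>, so the key match accepts both that and HKCU; the developer-directory baseline, the Run value name and every sample event are constructed.

```python
"""Host triage for the indicators above, run over exported Sysmon-style
telemetry. Added example, not code from the original report; the sample
events and the developer-directory baseline are constructed."""
import re

# RPC providers named in the report; extend from your own proxy logs.
RPC_HOSTS = {"api.tenderly.co", "rpc.flashbots.net"}
# Processes that have no business talking to an Ethereum RPC provider.
NON_BROWSER = {"node.exe", "curl.exe", "powershell.exe", "conhost.exe"}
# Sysmon logs the user hive as HKU\<SID>; accept that spelling and HKCU.
RUN_KEY_RE = re.compile(
    r"^hk(?:cu|u\\[^\\]+)\\software\\microsoft\\windows\\currentversion\\run\\",
    re.I)
# Where an interactive node.exe is expected on this estate (assumed baseline).
DEV_PATHS = ("c:\\program files\\nodejs\\", "\\.nvm\\", "\\repos\\")


def check_run_key(ev):
    """Event 13 (registry value set): Run entry that launches node.exe or
    uses the --headless switch of conhost.exe."""
    if not RUN_KEY_RE.match(ev.get("TargetObject", "")):
        return None
    val = ev.get("Details", "").lower()
    if "node.exe" in val or "--headless" in val:
        return f"Run-key persistence: {ev['TargetObject']} -> {ev['Details']}"
    return None


def check_process(ev):
    """Event 1 (process create): node.exe launched headless, or from outside
    a known developer location."""
    image = ev.get("Image", "").lower()
    if not image.endswith("\\node.exe"):
        return None
    parent = ev.get("ParentImage", "").lower()
    headless = "--headless" in ev.get("CommandLine", "").lower() or (
        parent.endswith("\\conhost.exe")
        and "--headless" in ev.get("ParentCommandLine", "").lower())
    in_dev = any(p in image for p in DEV_PATHS)
    if headless or not in_dev:
        return f"Background node.exe: {ev['Image']} (parent {ev.get('ParentImage')})"
    return None


def check_network(ev):
    """Event 3 (network connect): non-browser process reaching an RPC provider."""
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    host = ev.get("DestinationHostname", "").lower()
    if image in NON_BROWSER and host in RPC_HOSTS:
        return f"RPC contact: {image} -> {host}:{ev.get('DestinationPort')}"
    return None


CHECKS = {13: check_run_key, 1: check_process, 3: check_network}


def triage(events):
    """One finding per suspicious event, in input order; benign events yield none."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: three malicious events, then two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Tftpd64",
     "Details": r"conhost.exe --headless C:\Users\adm\AppData\Local\Tftpd64\node.exe C:\Users\adm\AppData\Local\Tftpd64\core.dat"},
    {"EventID": 1, "Image": r"C:\Users\adm\AppData\Local\Tftpd64\node.exe",
     "CommandLine": r"node.exe C:\Users\adm\AppData\Local\Tftpd64\core.dat",
     "ParentImage": r"C:\Windows\System32\conhost.exe",
     "ParentCommandLine": r"conhost.exe --headless C:\Users\adm\AppData\Local\Tftpd64\node.exe"},
    {"EventID": 3, "Image": r"C:\Users\adm\AppData\Local\Tftpd64\node.exe",
     "DestinationHostname": "rpc.flashbots.net", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node.exe server.js",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "rpc.flashbots.net", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The process check deliberately treats a node.exe outside the developer baseline as suspicious even without the headless switch, because the Run-key command may be rewritten by a later variant while the drop location is harder to change; tune DEV_PATHS to your own estate before relying on it.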
Conclusion: The New Era of Malware
EtherRAT represents the maturation of the “drainer economy.” It is no longer enough to protect your login credentials; attackers are now using your system’s trusted management tools to reach into your digital wallet. For IT administrators, the tool you use to manage the network may now be the very thing that betrays it.