EtherRAT Variant Uses Tftpd64 Installer to Steal Web3 Assets


Emy Elsamnoudy
April 30, 2026

Key Takeaways

  • A new variant of EtherRAT malware is actively targeting Windows users through a trojanized Tftpd64 installer.
  • This sophisticated attack bridges traditional Web2 malware capabilities with Web3 asset theft, combining remote access, credential stealing, and cryptocurrency drainer functionalities.
  • The malware establishes persistence through a Windows Run registry key and performs stealthy system reconnaissance.
  • The attack is particularly dangerous as it targets IT administrators and network professionals who rely on Tftpd64, exploiting trust in common tools.

A more potent version of the EtherRAT malware is currently compromising Windows systems, utilizing a modified Tftpd64 installer as its delivery mechanism. This advanced threat represents a convergence of traditional Web2 malware tactics and Web3 cryptocurrency theft, as detailed in a recent analysis by LevelBlue SpiderLabs.

Historically, the realms of conventional malware and crypto-centric attacks remained largely distinct. Tools designed for credential harvesting, botnet operations, or loader frameworks seldom intersected with fraudulent trading platforms or wallet-draining scripts. However, this separation has significantly eroded over the past two years.

Attackers are now leveraging infrastructure initially developed for credential theft to host cryptocurrency phishing sites. Concurrently, malware development groups are integrating crypto-drainer functionalities into their operations, establishing an additional revenue stream. The outcome is a hybrid attack model where a single campaign can simultaneously steal login credentials, maintain remote access, and deplete digital wallets.

LevelBlue SpiderLabs analysts have identified EtherRAT as a prime example of this evolving threat landscape. Initially documented as a JavaScript-based Node.js implant that targeted Linux servers by exploiting known server-side vulnerabilities, the malware has undergone a transformation. It is now a Windows-focused threat, distributed via malicious MSI installers.

In this latest iteration, EtherRAT was found embedded within a trojanized version of Tftpd64, a widely used TFTP server and administrative utility for Windows. The compromised installer was hosted on a deceptive GitHub repository, which mimicked the official project. It offered downloads labeled “Tftpd64 v4.74,” designed to mislead users into installing what appeared to be a legitimate software update.

This attack vector is particularly effective because it targets IT administrators and network professionals who frequently use Tftpd64 for routine system management tasks. Downloading the installer from the malicious repository provides attackers with a covert entry point into systems, where the perceived legitimacy of the tool often reduces security scrutiny. The malicious archive also contained suspicious files with .dat, .cmd, .ini, and .tmp extensions, strategically placed within user-accessible local application data folders to blend in with normal system content.

A key characteristic of this campaign is EtherRAT’s ability to bridge the gap between standard system compromise and blockchain-based financial theft. The malicious bundle contains multiple Ethereum RPC endpoints from providers such as Flashbots, Tenderly, LlamaRPC, and DRPC, alongside several Ethereum wallet addresses. These integrated components enable the malware to perform on-chain interactions, resolve command-and-control beacons using blockchain data, or prepare the groundwork for attacker-driven asset theft operations.

How EtherRAT Establishes Persistence and Evades Detection

Upon execution of the trojanized installer, EtherRAT creates a hidden directory within the local application data folder. It then deploys several staged components, including a self-contained Node.js runtime environment.

Bundling its own Node.js environment allows the malware to execute independently, without relying on any Node.js interpreter already installed on the system. This technique makes it significantly more difficult for conventional security tools to detect and flag unusual runtime activity.

The installer subsequently registers a persistence entry by modifying a Windows Run registry key. This entry forces conhost.exe to invoke node.exe in headless mode during every user logon, silently loading an obfuscated .dat file that serves as the primary malware payload.

After achieving persistence, EtherRAT initiates a quiet system reconnaissance phase. It employs PowerShell commands executed with suppressed windows and without profile loading, ensuring that no on-screen indicators alert the user. The malware gathers critical system information, including locale settings, GPU details, antivirus products registered with the Windows Security Center, Active Directory domain membership, and the host’s MachineGuid value.

Additionally, it downloads a supplementary Node.js runtime directly from the official Node.js distribution server using curl. The malware then contacts external domains, such as wpuadmin[.]shop, while encrypting its payload components using AES-256-CBC with embedded keys and initialization vectors.
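The persistence mechanism described above (a Run key that has conhost.exe start node.exe headlessly and load a .dat payload from the local application data folder) is something a defender can triage directly from `reg query` output. The following is an added example, not code from the report or from LevelBlue SpiderLabs: it parses constructed `reg query` output for the Run key, scores each value against the indicators the report names, and returns the entries worth investigating. The literal `--headless` token is an assumption (the report only says "headless mode"), as are the sample value names and paths.

```python
"""Triage Windows Run-key entries for an EtherRAT-style persistence entry:
conhost.exe launching node.exe headlessly with an obfuscated .dat payload
under %LOCALAPPDATA%.  Added example; the reg query output below is
constructed and the exact command-line flags are assumptions."""
import re
from dataclasses import dataclass

# Weighted indicators. The report says only "conhost.exe invokes node.exe in
# headless mode"; the literal "--headless" token is an assumption.
INDICATORS = [
    (re.compile(r'\bnode(?:js)?\.exe\b', re.I), 3, "invokes node.exe"),
    (re.compile(r'(?:^|\s)--headless\b', re.I), 2, "headless console flag"),
    (re.compile(r'\S+\.dat\b', re.I), 2, ".dat file passed as script"),
    (re.compile(r'\bconhost\.exe\b', re.I), 1, "wrapped in conhost.exe"),
    (re.compile(r'%LOCALAPPDATA%|\\AppData\\Local\\', re.I), 1, "runs from %LOCALAPPDATA%"),
]


@dataclass
class Finding:
    value_name: str
    command: str
    score: int
    reasons: list


# One `reg query` value line: <indent><name><ws><type><ws><data>
REG_LINE = re.compile(r'^\s+(?P<name>\S+)\s+(?P<type>REG_SZ|REG_EXPAND_SZ)\s+(?P<data>.*)$')


def parse_reg_query(text):
    """Parse `reg query HKCU\\...\\Run` output into {value_name: command}.
    Assumes value names contain no spaces (true for the constructed sample)."""
    entries = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries[m.group("name")] = m.group("data").strip()
    return entries


def score_entry(name, command):
    """Score one Run-key command string against the indicator table."""
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if pattern.search(command):
            score += weight
            reasons.append(reason)
    return Finding(name, command, score, reasons)


def triage_run_keys(text, threshold=4):
    """Return findings at or above the threshold, highest score first."""
    findings = [score_entry(n, c) for n, c in parse_reg_query(text).items()]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample: one legitimate entry, one developer tool that uses
# node.exe legitimately, and one entry matching the pattern in the report.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    DevWatcher    REG_SZ    "C:\Program Files\nodejs\node.exe" C:\dev\tools\watcher.js
    Tftpd64Svc    REG_SZ    C:\Windows\System32\conhost.exe --headless "C:\Users\alice\AppData\Local\.tftpcache\node.exe" "C:\Users\alice\AppData\Local\.tftpcache\svc.dat"
"""

if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG_QUERY):
        print(f"[{f.score}] {f.value_name}: {', '.join(f.reasons)}")
        print(f"      {f.command}")
```

With the default threshold the developer entry that merely runs node.exe scores 3 and is not returned; lowering the threshold to 3 surfaces it as well, which matches the report's advice that any node.js process outside a known developer context deserves a look. On a live host, feed the function the text of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and the HKLM equivalent.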

What You Should Do

  • Always download software exclusively from official developer websites. Avoid using unverified third-party repositories or suspicious GitHub links, even if they appear legitimate.
  • Organizations should implement robust monitoring of Windows Run registry keys for any unusual entries, particularly those involving node.exe or headless execution flags.
  • Configure endpoint detection and response (EDR) tools to identify and alert on outbound network traffic to Ethereum RPC endpoints originating from non-browser processes.
  • Any system found executing Node.js processes silently or outside of a known, legitimate developer context should be immediately considered compromised and subjected to a thorough investigation.
  • Educate IT staff and end-users about the risks of supply chain attacks and the importance of verifying software sources.
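The EDR recommendation above (alert on Ethereum RPC traffic from non-browser processes) and the report's other network observations (a contact to wpuadmin[.]shop, a runtime fetched from the official Node.js distribution server with curl, node.exe running out of the local application data folder) can be expressed as a small set of rules over process-network events. The following is an added example, not code from the report or from LevelBlue SpiderLabs, run over constructed records shaped like Sysmon Event ID 3 (network connection) fields. The provider domain suffixes for Flashbots, Tenderly, LlamaRPC and DRPC are my assumptions and should be checked against your own threat intelligence; the sample paths and hostnames other than wpuadmin[.]shop are constructed.

```python
"""Flag outbound connections to Ethereum RPC providers and to the C2 domain
the report names when they originate from non-browser processes.  Added
example over constructed Sysmon Event ID 3 style records; the provider
domain suffixes are assumptions, not taken from the report."""
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Registered domains of the providers the report lists. Suffix-matched so that
# any subdomain (e.g. an RPC gateway hostname) still hits. Assumption: verify.
ETH_RPC_SUFFIXES = ("flashbots.net", "tenderly.co", "llamarpc.com", "drpc.org")
KNOWN_C2 = {"wpuadmin.shop"}    # defanged in the report as wpuadmin[.]shop
RUNTIME_DIST = ("nodejs.org",)  # report: extra runtime pulled via curl from the official dist server


@dataclass
class Alert:
    severity: str
    rule: str
    image: str
    destination: str


def _basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _suffix_match(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(event):
    """Return an Alert for one network-connection event, or None if benign."""
    image = _basename(event["Image"])
    host = event.get("DestinationHostname", "")
    dest = f"{host}:{event.get('DestinationPort', '')}"
    if host.lower().rstrip(".") in KNOWN_C2:
        return Alert("high", "known EtherRAT C2 domain", image, dest)
    if _suffix_match(host, ETH_RPC_SUFFIXES) and image not in BROWSERS:
        return Alert("high", "Ethereum RPC endpoint from non-browser process", image, dest)
    if image == "curl.exe" and _suffix_match(host, RUNTIME_DIST):
        return Alert("medium", "curl fetching Node.js runtime (possible staging)", image, dest)
    if image == "node.exe" and "\\appdata\\local\\" in event["Image"].lower():
        return Alert("medium", "node.exe running from %LOCALAPPDATA%", image, dest)
    return None


def detect(events):
    """Run classify over a sequence of events and keep only the alerts."""
    return [a for a in map(classify, events) if a]


# Constructed sample events (Sysmon Event ID 3 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "eth.llamarpc.com", "DestinationPort": 443},
    {"Image": r"C:\Users\alice\AppData\Local\.tftpcache\node.exe",
     "DestinationHostname": "rpc.flashbots.net", "DestinationPort": 443},
    {"Image": r"C:\Users\alice\AppData\Local\.tftpcache\node.exe",
     "DestinationHostname": "wpuadmin.shop", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "nodejs.org", "DestinationPort": 443},
    {"Image": r"C:\Users\alice\AppData\Local\.tftpcache\node.exe",
     "DestinationHostname": "api.github.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.severity.upper():6} {a.rule}: {a.image} -> {a.destination}")
```

The browser allowlist keeps wallet extensions and dapp sessions in Chrome or Edge quiet while still catching the same destinations from node.exe, PowerShell or a renamed binary. The two medium-severity rules are weak on their own (developers run node.exe from user-writable paths, and curl to nodejs.org is ordinary), so in practice they are best correlated with the Run-key findings rather than paged on individually.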
