EtherRAT Variant Uses Tftpd64 Installer for Web Trojanized Bridge
A new, more dangerous variant of the EtherRAT malware is actively targeting Windows users, deploying through a trojanized Tftpd64 installer. This sophisticated attack establishes a bridge between traditional Web2 malware and Web3 theft, as revealed in a
For years, traditional malware and crypto-focused attacks operated in separate spaces. Credential-stealing tools, botnets, and loader frameworks rarely crossed paths with fake trading portals or wallet-draining scripts.
Over the past two years, however, that gap has closed significantly. Attackers now reuse infrastructure built for credential theft to host cryptocurrency phishing pages, while malware groups add drainer tools to their operations as an extra revenue source.
The result is a blended attack model where a single campaign can steal login credentials, maintain remote access, and drain digital wallets at the same time.
LevelBlue SpiderLabs analysts identified EtherRAT as a clear example of this shift. Originally documented as a JavaScript-based Node.js implant targeting Linux servers through known server-side vulnerabilities, the malware has since evolved into a Windows-focused threat delivered through malicious MSI installers.
In this latest case, EtherRAT was embedded inside a trojanized copy of Tftpd64, a widely used TFTP server and administration tool for Windows.
The compromised version was hosted on a fake GitHub repository that impersonated the official project, offering downloads labeled “Tftpd64 v4.74” to trick users into installing what appeared to be a legitimate update.
The attack is especially effective because it targets IT administrators and network professionals who regularly rely on Tftpd64 for routine system management.
Running the installer from the malicious repository gives attackers a quiet foothold on administrative systems, where activity attributed to a trusted tool draws less scrutiny.
The archive also contained files with extensions that are unusual for an installer, including .dat, .cmd, .ini, and .tmp, dropped into user-writable paths under the local application data folder so they blend in with ordinary per-user content.
What makes this campaign particularly notable is how EtherRAT bridges the gap between conventional system compromise and blockchain-based financial theft.
Embedded inside the malicious bundle are multiple Ethereum RPC endpoints from Flashbots, Tenderly, LlamaRPC, and DRPC, alongside several Ethereum wallet addresses.
These components allow the malware to conduct on-chain interactions, resolve command-and-control beacons through blockchain data, or prepare the ground for asset-theft operations driven by the attacker.
How EtherRAT Establishes Persistence and Evades Detection
Once a user runs the trojanized installer, EtherRAT creates a hidden directory inside the local application data folder and drops multiple staged components, including a self-contained Node.js runtime.

Bundling its own Node.js runtime lets the malware run without a system-installed interpreter, so nothing new needs to be installed and the activity does not show up as an anomaly on hosts that never had Node.js in the first place.
The installer then registers persistence through a Windows Run registry key whose command launches node.exe via conhost.exe in headless mode (the conhost.exe --headless flag, which keeps no console window visible) at every logon, silently loading an obfuscated .dat file as the actual malware payload.

After establishing persistence, EtherRAT begins a quiet reconnaissance sequence using PowerShell commands launched with a hidden window and without loading the user profile (the -WindowStyle Hidden and -NoProfile options), so the user sees nothing on screen.
The malware collects details such as system locale, GPU name, antivirus products registered with the Windows Security Center, Active Directory domain membership, and the host’s MachineGuid value.
It also downloads an additional Node.js runtime directly from the official Node.js distribution server using curl, then contacts external domains including wpuadmin[.]shop. Its payload components are encrypted with AES-256-CBC using keys and initialization vectors bundled alongside them; because the key material ships with the implant, this is obfuscation rather than real confidentiality, and an analyst who recovers the dropped files can decrypt the payload offline.
Organizations should verify software downloads only through official developer websites and avoid any GitHub repositories that are not confirmed as the original source.
Security teams should monitor Windows Run registry keys for suspicious entries involving node.exe or headless execution flags, and endpoint protection tools should be configured to detect outbound traffic to Ethereum RPC endpoints from non-browser processes.
Any system found running Node.js silently outside of a developer context should be treated as a potential compromise and investigated without delay.
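The persistence pattern described above (node.exe launched through conhost.exe in headless mode from the local application data folder, loading a .dat file) and the monitoring advice in the recommendations can be turned into a quick triage script. The PowerShell below is an added example, not code from the LevelBlue SpiderLabs report or from HackersRadar. It assumes nothing about the actual directory or file names the malware uses (those are not given on this page) and instead matches on the traits the write-up describes; the exclusion list for legitimate Node.js installs and the provider-name matching against the DNS cache are assumptions you should tune for your environment.

```powershell
# EtherRAT-style persistence triage (added example, not from the original report).
# Run as the affected user for HKCU and as an administrator for HKLM coverage.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Each indicator is a regex over the raw command line stored in the autorun value.
# The traits come from the write-up; the exact payload names are unknown (assumption).
$indicators = [ordered]@{
    'node.exe in autorun'         = '(?i)\bnode\.exe\b'
    'conhost.exe --headless'      = '(?i)\bconhost(\.exe)?\s+--headless\b'
    'binary under %LOCALAPPDATA%' = '(?i)\\AppData\\Local\\'
    '.dat passed as script'       = '(?i)\S+\.dat\b'
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Skip PowerShell's own PS* metadata properties; everything else is an autorun value.
        $values = $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $values) {
            $cmd  = [string]$v.Value
            $hits = foreach ($name in $indicators.Keys) {
                if ($cmd -match $indicators[$name]) { $name }
            }
            if ($hits) {
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $v.Name
                    Command    = $cmd
                    Indicators = ($hits -join '; ')
                    Score      = @($hits).Count   # 3 or more = strong match for this pattern
                }
            }
        }
    }
}

# node.exe copies under %LOCALAPPDATA% that do not belong to a known version manager.
# The exclusion regex is an assumption; extend it for tooling used on your hosts.
function Get-OrphanNodeRuntimes {
    Get-ChildItem -Path $env:LOCALAPPDATA -Filter 'node.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '(?i)\\(fnm|Volta|nvm|Programs\\nodejs)\\' } |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'HiddenDir'; e = { ($_.Directory.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } }
}

# Recent DNS lookups for the RPC providers and C2 domain named in the report.
# Only provider names are given on the page, so substring matching is an assumption.
function Get-RpcProviderLookups {
    $providers = 'flashbots', 'tenderly', 'llamarpc', 'drpc', 'wpuadmin'
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $entry = $_.Entry; $providers | Where-Object { $entry -match $_ } } |
        Select-Object Entry, Data, TimeToLive
}

$entries = @(Get-SuspiciousRunEntries)
$orphans = @(Get-OrphanNodeRuntimes)
$lookups = @(Get-RpcProviderLookups)

$entries | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
$orphans | Format-Table -AutoSize
$lookups | Format-Table -AutoSize

# Non-zero exit lets this run as a scheduled check or EDR live-response script.
if ($entries.Count -or $orphans.Count -or $lookups.Count) { exit 1 } else { exit 0 }
```

A Run value that pairs conhost.exe --headless with node.exe, or a node.exe sitting in a hidden directory under the local application data folder, is enough to isolate the host; collect the referenced .dat file before any cleanup, since the bundled key and IV make it decryptable for analysis. Developer workstations with version managers in paths the exclusion list does not cover will produce benign hits in the second check, so review those entries rather than treating the exit code alone as a verdict.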
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.