EtherRAT Variant Uses Tftpd64 Installer to Steal Web3 Assets
Key Takeaways
- A new variant of EtherRAT malware is actively targeting Windows users through a trojanized Tftpd64 installer.
- This sophisticated attack bridges traditional Web2 malware capabilities with Web3 asset theft, combining remote access, credential stealing, and cryptocurrency drainer functionalities.
- The malware establishes persistence through a Windows Run registry key and performs stealthy system reconnaissance.
- The attack is particularly dangerous as it targets IT administrators and network professionals who rely on Tftpd64, exploiting trust in common tools.
A more potent version of the EtherRAT malware is currently compromising Windows systems, utilizing a modified Tftpd64 installer as its delivery mechanism. This advanced threat represents a convergence of traditional Web2 malware tactics and Web3 cryptocurrency theft, as detailed in a recent analysis by LevelBlue SpiderLabs.
Historically, the realms of conventional malware and crypto-centric attacks remained largely distinct. Tools designed for credential harvesting, botnet operations, or loader frameworks seldom intersected with fraudulent trading platforms or wallet-draining scripts. However, this separation has significantly eroded over the past two years.
Attackers are now leveraging infrastructure initially developed for credential theft to host cryptocurrency phishing sites. Concurrently, malware development groups are integrating crypto-drainer functionalities into their operations, establishing an additional revenue stream. The outcome is a hybrid attack model where a single campaign can simultaneously steal login credentials, maintain remote access, and deplete digital wallets.
LevelBlue SpiderLabs analysts have identified EtherRAT as a prime example of this evolving threat landscape. Initially documented as a JavaScript-based Node.js implant that targeted Linux servers by exploiting known server-side vulnerabilities, the malware has undergone a transformation. It is now a Windows-focused threat, distributed via malicious MSI installers.
In this latest iteration, EtherRAT was found embedded within a trojanized version of Tftpd64, a widely used TFTP server and administrative utility for Windows. The compromised installer was hosted on a deceptive GitHub repository, which mimicked the official project. It offered downloads labeled “Tftpd64 v4.74,” designed to mislead users into installing what appeared to be a legitimate software update.
This attack vector is particularly effective because it targets IT administrators and network professionals who frequently use Tftpd64 for routine system management tasks. Downloading the installer from the malicious repository provides attackers with a covert entry point into systems, where the perceived legitimacy of the tool often reduces security scrutiny. The malicious archive also contained suspicious files with .dat, .cmd, .ini, and .tmp extensions, strategically placed within user-accessible local application data folders to blend in with normal system content.
A key characteristic of this campaign is EtherRAT’s ability to bridge the gap between standard system compromise and blockchain-based financial theft. The malicious bundle contains multiple Ethereum RPC endpoints from providers such as Flashbots, Tenderly, LlamaRPC, and DRPC, alongside several Ethereum wallet addresses. These integrated components enable the malware to perform on-chain interactions, resolve command-and-control beacons using blockchain data, or prepare the groundwork for attacker-driven asset theft operations.
How EtherRAT Establishes Persistence and Evades Detection
Upon execution of the trojanized installer, EtherRAT creates a hidden directory within the local application data folder. It then deploys several staged components, including a self-contained Node.js runtime environment.
Bundling its own Node.js environment allows the malware to execute independently, without relying on any Node.js interpreter already installed on the system. This technique makes it significantly more difficult for conventional security tools to detect and flag unusual runtime activity.
The installer subsequently registers a persistence entry by modifying a Windows Run registry key. This entry forces conhost.exe to invoke node.exe in headless mode during every user logon, silently loading an obfuscated .dat file that serves as the primary malware payload.
After achieving persistence, EtherRAT initiates a quiet system reconnaissance phase. It employs PowerShell commands executed with suppressed windows and without profile loading, ensuring that no on-screen indicators alert the user. The malware gathers critical system information, including locale settings, GPU details, antivirus products registered with the Windows Security Center, Active Directory domain membership, and the host’s MachineGuid value.
Additionally, it downloads a supplementary Node.js runtime directly from the official Node.js distribution server using curl. The malware then contacts external domains, such as wpuadmin[.]shop, while encrypting its payload components using AES-256-CBC with embedded keys and initialization vectors.
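A defender-side triage of Run-key entries matching the persistence mechanism just described, as an added example that is not part of the LevelBlue SpiderLabs analysis: the value names, paths and the `--headless` token in the samples are constructed assumptions (the write-up does not give the exact flag), and the live registry read only runs on Windows.

```python
"""Triage Windows Run-key entries for the persistence pattern described above:
conhost.exe launching a bundled node.exe headlessly with a .dat payload under
LocalAppData. Added example; sample entries are constructed, not real IoCs, and
"headless" is matched loosely because the exact flag is not given (assumption)."""
import re
from typing import Dict, List
_TRAITS = {
    "node_runtime": re.compile(r"\bnode(\.exe)?\b", re.I),
    "conhost_launcher": re.compile(r"\bconhost(\.exe)?\b", re.I),
    "headless_flag": re.compile(r"headless", re.I),
    "dat_payload": re.compile(r"\S+\.dat\b", re.I),
    "localappdata_path": re.compile(r"\\AppData\\Local\\|%LOCALAPPDATA%", re.I),
}

def triage_run_entry(command: str) -> List[str]:
    """Return the names of the traits present in one Run-key command line."""
    return [name for name, rx in _TRAITS.items() if rx.search(command)]

def is_suspicious(command: str) -> bool:
    """Node launched together with at least one stealth or payload trait."""
    traits = triage_run_entry(command)
    return "node_runtime" in traits and len(traits) >= 2

def scan_entries(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map value name -> matched traits for every entry that trips the rule."""
    return {n: triage_run_entry(c) for n, c in entries.items() if is_suspicious(c)}

def read_run_keys() -> Dict[str, str]:
    """On Windows, read HKCU and HKLM ...\\CurrentVersion\\Run; elsewhere {}."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries[name] = str(value)
        except OSError:  # hive or key not readable in this context
            continue
    return entries
# Constructed samples: benign LocalAppData app, developer node task, RAT-shaped entry.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "NodeDevTools": r'"C:\Program Files\nodejs\node.exe" C:\dev\tools\watch.js',
    "SystemHealth": r'conhost.exe --headless "C:\Users\admin\AppData\Local\.cache\node.exe" '
                    r'"C:\Users\admin\AppData\Local\.cache\app.dat"',
}
```

Run `scan_entries(read_run_keys() or SAMPLE_ENTRIES)` on a host to list only the entries that combine a Node runtime with a stealth or payload trait; a plain developer `node.exe` task is not flagged on its own.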
What You Should Do
- Always download software exclusively from official developer websites. Avoid using unverified third-party repositories or suspicious GitHub links, even if they appear legitimate.
- Organizations should implement robust monitoring of Windows Run registry keys for any unusual entries, particularly those involving node.exe or headless execution flags.
- Configure endpoint detection and response (EDR) tools to identify and alert on outbound network traffic to Ethereum RPC endpoints originating from non-browser processes.
- Any system found executing Node.js processes silently or outside of a known, legitimate developer context should be immediately considered compromised and subjected to a thorough investigation.
- Educate IT staff and end-users about the risks of supply chain attacks and the importance of verifying software sources.
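The EDR rule recommended above (Ethereum RPC traffic from non-browser processes), worked as an added example that is not the report's own tooling: it scores a constructed connection log, assuming the provider hostnames listed in RPC_HOSTS and that the Node.js distribution server is nodejs.org.

```python
"""Flag outbound connections to Ethereum RPC endpoints from non-browser
processes, plus the other network traits the analysis describes. Added
example; RPC_HOSTS holds assumed provider hostnames the analyst should verify
and maintain, and SAMPLE_LOG is a constructed connection log."""
import re
from typing import List, NamedTuple, Optional
class Hit(NamedTuple):
    process: str
    host: str
    reason: str

# Assumed public endpoints for the providers named above (Flashbots, LlamaRPC,
# DRPC, Tenderly); confirm against each provider's documentation.
RPC_HOSTS = {"rpc.flashbots.net", "eth.llamarpc.com", "eth.drpc.org",
             "mainnet.gateway.tenderly.co"}
C2_HOSTS = {"wpuadmin.shop"}  # domain reported in the analysis
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed sample, one connection per line: time process pid dst_host dst_port
SAMPLE_LOG = """\
2025-01-01T10:00:01Z chrome.exe 4120 eth.llamarpc.com 443
2025-01-01T10:00:02Z node.exe 7732 rpc.flashbots.net 443
2025-01-01T10:00:03Z node.exe 7732 wpuadmin.shop 443
2025-01-01T10:00:04Z outlook.exe 2210 outlook.office365.com 443
2025-01-01T10:00:05Z curl.exe 7801 nodejs.org 443
"""
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")
def triage_connection(process: str, host: str) -> Optional[str]:
    """Return why a (process, destination) pair is notable, or None."""
    proc, host = process.lower(), host.lower().rstrip(".")
    if host in C2_HOSTS:
        return "contact with domain reported for this campaign"
    if host in RPC_HOSTS and proc not in BROWSERS:
        return "Ethereum RPC endpoint reached by a non-browser process"
    if proc == "curl.exe" and (host == "nodejs.org" or host.endswith(".nodejs.org")):
        return "command-line download from the Node.js distribution server"
    return None

def triage_log(text: str) -> List[Hit]:
    """Parse the flattened log and return one Hit per notable connection."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _, proc, _, host, _ = m.groups()
        reason = triage_connection(proc, host)
        if reason:
            hits.append(Hit(proc, host, reason))
    return hits
```

The browser allow-list keeps legitimate dApp use in Chrome or Edge quiet while the same destination from node.exe is raised; the curl-to-nodejs.org check is a weak signal on its own and is meant to be read alongside the Run-key finding.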
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.