9 versions
EtherRAT MSI installer variants (v1–v9) on open distribution server, confirming active campaign development as of June 26, 2026
5 payloads
staged delivery chain: MSI loader, Node.js runtime, 3 encrypted JS/DAT implant stages
0 hardcoded C2
EtherRAT resolves its command server via Ethereum smart contract — IP blocklists alone cannot disrupt it
31 seconds
time an EtherRAT operator took to diagnose, adapt, and recover from an authentication failure during a live campaign in the JADEPUFFER case

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

An active EtherRAT campaign documented by Palo Alto Networks Unit 42 is placing a fully capable remote access trojan inside financial and healthcare organizations by impersonating IT support staff in Microsoft Teams voice calls, using Ethereum smart contracts as its command-and-control backbone to evade every IP-based blocking mechanism defenders deploy.

The EtherRAT Microsoft Teams attack begins with a phishing email delivering a PDF lure. Seconds after the target opens the document, a Teams voice call arrives from an external account displaying as "System Administrator." The caller guides the victim through installing HopToDesk or AnyDesk for legitimate remote access, then uses that access to download a malicious MSI installer from camorreado[.]click. The MSI stages a Node.js runtime, decrypts three embedded payloads, and launches EtherRAT. From that point, the attacker has persistent, full-featured remote access including command execution, file theft, and credential harvesting.

The threat reaches organizations right now because EtherRAT's command-and-control infrastructure cannot be dismantled through conventional IP blacklisting or domain takedown. The malware retrieves its active C2 server address from a hardcoded Ethereum smart contract at address 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f. Blocking that address requires blocking all public Ethereum RPC endpoints, which are the same infrastructure used by legitimate Web3 applications and security tooling. Unit 42 discovered 9 MSI installer versions on the distribution server, the most recent updated June 26, 2026, confirming the campaign is under active development.

Financial services firms and healthcare organizations appear in Unit 42's concurrent campaign data as the primary targets. Both sectors run Microsoft 365 at scale, both depend on Teams for internal IT support, and both process the high-value credentials, financial data, and patient records that EtherRAT's operator is positioned to harvest once persistent access is established.

How Does the EtherRAT Microsoft Teams Attack Work?

The EtherRAT Microsoft Teams attack is a six-stage intrusion chain that exploits employee trust in corporate IT support to bypass technical controls and deliver a blockchain-backed implant.

Stage 1: Email Lure. The target receives a phishing email with a subject line referencing an "Employee Survey" and a malicious PDF attachment. The email content is designed to look like an internal HR communication rather than an external message.

Stage 2: Teams Voice Call. Within minutes of the target opening the PDF, an incoming Teams voice call arrives from an external account configured to display as "System Administrator." Microsoft Teams shows an "External unfamiliar" warning on cross-tenant calls, but most employees trained to trust IT support proceed with the call.

Stage 3: Social Engineering for Remote Access. The caller instructs the victim to install HopToDesk or AnyDesk, legitimate remote desktop tools that are not flagged by endpoint detection as malware. The attacker confirms screen-sharing using Teams' built-in screen control feature, forensically confirmed by the artifact CtrlVirtualCursorWin_000001E8A159B970 in session logs.

Stage 4: MSI Loader Download. With remote access established, the attacker downloads v7.msi (or another version) from camorreado[.]click directly on the victim's machine. This MSI is a custom loader, not EtherRAT itself.

Stage 5: Payload Staging. The MSI drops a Node.js runtime, then decrypts and executes three embedded payloads: stage2_payload1.cmd (loader bootstrapper), stage2_payload2.js (Node.js orchestrator), and stage2_payload3.dat (encrypted EtherRAT core). Two additional stages, stage3_payload1.js and stage4_payload1.js, complete the implant's capability initialization. The final implant writes a persistence registry key at Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup.

Stage 6: Ethereum C2 Resolution. EtherRAT queries a public Ethereum RPC endpoint, reads the live C2 server address stored in smart contract 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f, and begins beaconing. If blockchain resolution fails, EtherRAT falls back to the hardcoded domain necropatia[.]com.

All six stages use legitimate software, standard protocols, or publicly available blockchain infrastructure. No single step, viewed in isolation, unambiguously indicates compromise. Detection requires correlating the entire chain.

1

Phishing Email

PDF lure arrives with Employee Survey pretext; victim opens document

2

Teams Voice Call

External account impersonates System Administrator; cross-tenant warning displayed

3

Remote Access Granted

Victim installs HopToDesk or AnyDesk; attacker gains screen control via Teams

4

MSI Loader Download

Attacker downloads v7.msi from camorreado[.]click on victim machine

5

Five-Stage Payload Chain

Node.js runtime dropped; three encrypted payloads staged; registry persistence set

6

Ethereum C2 Resolution

EtherRAT queries smart contract for live C2 address; fallback to necropatia[.]com

What Is Ethereum Blockchain C2 and Why Can't You Simply Block It?

Ethereum blockchain C2, also called EtherHiding, is the technique that makes EtherRAT structurally resistant to the takedown methods that disrupt conventional malware infrastructure. Understanding it is essential for evaluating whether your current defenses can stop this campaign.

Standard malware hardcodes C2 server IP addresses or domain names into the binary. Defenders discover those addresses during malware analysis, submit them to threat intelligence feeds, and block them at the firewall or DNS layer. The malware operator must then recompile a new binary with a new address and re-infect victims, which is operationally expensive and exposes new infrastructure.

EtherRAT does not hardcode C2 addresses. Instead, it hardcodes a single Ethereum smart contract address: 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f. A smart contract is a program stored permanently on the Ethereum blockchain. EtherRAT queries a public Ethereum RPC node to read a variable stored in this contract. That variable contains the current C2 server URL. When the operator wants to rotate their C2 infrastructure, they submit a single transaction to update the contract variable. Every infected machine automatically begins connecting to the new address at its next beacon interval.

Blocking this mechanism requires blocking all outbound Ethereum RPC traffic. Public Ethereum nodes are operated by Infura, Alchemy, Cloudflare, and dozens of other providers on standard HTTPS port 443. Blocking Ethereum RPC wholesale disrupts legitimate Web3 applications, security tooling that queries blockchain data, and developer workflows in technology-heavy organizations.

The eSentire research on EtherRAT's SYS_INFO module confirms the C2 retrieval sequence: the implant makes periodic requests to public Ethereum nodes, receives the encoded C2 URL from the contract state, decodes it, and opens a persistent connection. Defender-visible behavioral indicators include periodic outbound HTTPS requests to Ethereum RPC provider domains such as infura.io or cloudflare-eth.com from node.exe processes that have no legitimate business justification on corporate endpoints.

For organizations in financial services and healthcare, the fallback domain necropatia[.]com provides a second detection opportunity. While EtherRAT prefers blockchain resolution, blocking this domain at the DNS and firewall layer forces fallback behavior that may be detectable through timing analysis of beacon intervals.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Which Sectors Are Actively Targeted and What Data Is at Risk?

Unit 42 identifies financial services and healthcare organizations as the sectors currently targeted by the EtherRAT Microsoft Teams campaign. Both sectors share the operational profile that makes this specific attack chain highly effective: large Microsoft 365 deployments, employee familiarity with Teams-based IT support workflows, and high-value data assets that justify the operational overhead of social engineering.

Financial organizations present credential and transaction data as primary targets. EtherRAT's confirmed capabilities include credential harvesting, file exfiltration, and arbitrary command execution. An EtherRAT implant inside a financial organization's endpoint has potential access to banking application credentials, OAuth tokens for financial SaaS platforms, internal RDP and VPN credentials, and file system contents including financial records and client data.

Healthcare organizations face a compound risk. HIPAA-regulated patient data sits alongside the operational systems that directly affect care delivery. An EtherRAT implant with persistent access can exfiltrate electronic health records, harvest credentials to clinical information systems, and serve as the initial access foothold for a follow-on ransomware deployment. Healthcare has remained the top ransomware target sector through the first half of 2026, with 30 confirmed incidents in June alone according to BlackFog's June 2026 State of Ransomware report.

The social engineering mechanism is particularly effective in both sectors because IT help desk impersonation is a known and trusted interaction. Employees at financial institutions and hospitals receive security awareness training about email phishing, but Teams voice calls from apparent IT staff trigger a different cognitive response. Microsoft's own detection research notes that the "External unfamiliar" warning displayed on cross-tenant calls is frequently dismissed by employees who assume the IT support team operates from a different tenant.

The campaign's active development, confirmed by the v1 through v9 installer variants on the distribution server, suggests the operator is iterating toward improved detection evasion. Each version increment likely represents a modification to payload structure, obfuscation method, or loader behavior in response to observed detection.

EtherRAT IOCs: Infrastructure and File Hashes

Unit 42 and GBHackers published the following indicators from the active EtherRAT campaign. Add these to your SIEM detection rules, DNS blocklists, and endpoint hash watchlists immediately. The Ethereum smart contract address and fallback domain are the two most actionable blocking opportunities.

The attacker email helpdesk@Progressive936.onmicrosoft.com confirms the operator registered a Microsoft 365 tenant under the "Progressive936" organization name specifically to conduct Teams calls. Microsoft tenant-level abuse reports submitted against this address will accelerate deactivation. Monitor your Teams admin logs for incoming calls or chat messages from external accounts under onmicrosoft.com domains that do not correspond to known vendor or partner tenants.

The most technically significant aspect of the campaign is its implementation of Blockchain based Dead Drop Resolving. Once the malicious MSI is executed, the malware does not reach out to any hardcoded C2 server, which could be easily blocklisted. Instead, it repetitively initiates a query to a public Ethereum RPC endpoint.

GBHackers security analysis of EtherRAT cross-tenant Teams campaign, July 2026

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

TTPs Mapped to MITRE ATT&CK

The EtherRAT Microsoft Teams campaign maps cleanly to confirmed MITRE ATT&CK techniques. Security teams running detection engineering should prioritize alerting on the T1566.001 and T1598.004 combination as the earliest detectable precursor, and build a second detection layer on T1059.007 (node.exe executing shell commands) as the post-compromise indicator.

T1566.001 — Phishing: Spearphishing Attachment. Initial access via phishing email containing malicious PDF lure.

T1598.004 — Phishing for Information: Social Engineering via Teams. Voice call from external tenant impersonating IT support to social-engineer remote access grant.

T1570 — Lateral Tool Transfer. Delivery of HopToDesk or AnyDesk remote management tools as legitimate cover for attacker access.

T1105 — Ingress Tool Transfer. MSI installer download from camorreado[.]click to victim machine via attacker-controlled remote session.

T1059.007 — Command and Scripting Interpreter: JavaScript. Node.js runtime execution of staged JS payloads as primary implant execution mechanism.

T1547 — Boot or Logon Autostart Execution. Registry key OneDriveSetup under HKCU...\Run ensures EtherRAT restarts on every logon.

T1568.003 — Dynamic Resolution: DNS Calculation. Ethereum smart contract used as blockchain dead-drop resolver to evade static C2 blocking.

T1071.001 — Application Layer Protocol: Web Protocols. Beaconing over HTTPS to Ethereum RPC endpoints and C2 server, blending with legitimate web traffic.

The combination of T1568.003 with the Teams social engineering chain (T1598.004) is the technique pairing that distinguishes this campaign from conventional phishing. Neither technique alone indicates EtherRAT; both together in the same event timeline, with a node.exe process spawn shortly after, constitute a high-confidence detection signal.

For comparison, the DragonForce ransomware campaign used Teams as a covert C2 channel post-compromise, embedding ransomware command traffic inside Teams messages. EtherRAT uses Teams only for initial social engineering — the actual C2 runs through the Ethereum blockchain and HTTPS. Both campaigns demonstrate that Microsoft Teams is now a primary attack surface for corporate intrusion chains.

How to Stop EtherRAT: Immediate Defensive Steps

The EtherRAT Microsoft Teams attack chain has seven controllable intervention points. Steps 1 through 3 address the social engineering entry point. Steps 4 through 6 address post-delivery detection and blocking. Step 7 addresses the persistence mechanism for organizations that have already been compromised.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why EtherRAT Microsoft Teams Attacks Are a Structural Problem for Enterprise Security

The EtherRAT Microsoft Teams attack succeeds because it weaponizes two things that enterprise security programs actively cultivate: employee trust in IT support interactions and legitimate collaboration tooling. Security awareness training teaches employees to report unsolicited emails. It does not train them to distrust voice calls from people who already have their name, know they just opened an IT document, and are calling from what appears to be an internal IT support account on the corporate communication platform.

Microsoft's cross-tenant "External unfamiliar" warning exists precisely to flag this attack vector, but its presence in the UI creates a false sense that the defense is the user's responsibility. The warning fires on every external call, including legitimate vendor calls and partner support lines. In organizations where external Teams calls from consultants, managed service providers, and SaaS vendors are routine, the warning has become ambient noise. Attackers understand this and design their lures to normalize the call in the first 30 seconds before the victim considers the external origin label.

The Ethereum blockchain C2 mechanism represents a deliberate arms race escalation. Conventional incident response playbooks treat C2 infrastructure takedown as a follow-on step after detection. EtherRAT makes that step structurally difficult: the smart contract address is permanent and stored across thousands of distributed Ethereum nodes. Law enforcement can request that hosting providers take down domains. There is no equivalent legal mechanism to force the Ethereum network to invalidate a smart contract. The operator retains full C2 capability as long as any Ethereum node is accessible from the victim network.

This campaign's connection to previous EtherRAT activity, including the ConsentFix OAuth campaign targeting Microsoft 365, reflects a broader pattern: sophisticated operators are building layered attack chains specifically against Microsoft 365 tenants, treating the Teams platform, the OAuth consent framework, and the identity layer as a unified attack surface rather than isolated products. Organizations running Microsoft 365 should treat Teams external access restrictions as a security control, not just a productivity configuration.

The 9 installer versions confirmed by Unit 42 indicate the operator is actively iterating to evade detection. Endpoint security platforms that caught v1 through v5 may not flag v7 or v9. Behavioral detection on the node.exe execution chain, the Ethereum RPC beaconing pattern, and the Teams external call correlation is more durable than hash-based detection for this threat.

The bottom line

EtherRAT Microsoft Teams attacks are actively hitting financial and healthcare organizations right now, using social engineering that employees have not been trained to recognize and blockchain C2 that standard IP blocking cannot disrupt. Three immediate actions: restrict or disable Teams external calls from unrecognized tenants today; block camorreado[.]click and necropatia[.]com at DNS; and hunt for node.exe processes making outbound connections to Ethereum RPC endpoints on corporate endpoints. Do all three before end of business Wednesday.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is EtherRAT malware?

EtherRAT is a cross-platform remote access trojan written in Node.js that gives attackers full remote control over compromised endpoints, including command execution, file manipulation, data theft, and credential harvesting. Its defining feature is its use of Ethereum smart contracts as a blockchain-based dead-drop resolver for command-and-control infrastructure, allowing the operator to rotate C2 servers without modifying the malware binary. EtherRAT is deployed in active campaigns targeting financial and healthcare organizations via fake Microsoft Teams IT support voice calls.

How does the EtherRAT campaign use Microsoft Teams?

The EtherRAT campaign uses Microsoft Teams as a social engineering channel, not as a C2 mechanism. Attackers send a phishing email with a PDF lure, then call the victim via Teams from an external account impersonating IT support, displaying as 'System Administrator.' They use Teams' screen-sharing feature to guide the victim through installing legitimate remote access tools (HopToDesk or AnyDesk), then use that remote access to download and execute the EtherRAT installer. The attacker email helpdesk@Progressive936.onmicrosoft.com is a confirmed indicator from the active campaign.

What is blockchain dead drop resolving and why does it matter?

Blockchain dead drop resolving (DDR) is a technique where malware stores its active C2 server address in a blockchain smart contract instead of hardcoding it in the binary. EtherRAT queries the Ethereum blockchain at contract 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f to retrieve the current C2 URL. The operator can update this URL at any time by submitting a transaction to the contract, and all infected machines automatically switch to the new C2 address. This makes IP and domain blocklisting ineffective because the C2 infrastructure can be rotated without touching any infected endpoint.

Which sectors does EtherRAT target?

Palo Alto Networks Unit 42 identifies financial services and healthcare organizations as the primary targets of the active EtherRAT campaign. Both sectors run Microsoft 365 at scale, rely on Teams-based IT support workflows that attackers impersonate, and hold high-value data including financial credentials, patient records, and operational system access. Healthcare has also been the top ransomware target sector throughout 2026, making EtherRAT initial access particularly high-risk because it can be used to stage follow-on ransomware deployment.

How do I detect EtherRAT on my network?

Detection requires correlating multiple behavioral indicators: node.exe processes executing shell commands on endpoints where Node.js has no legitimate use; outbound HTTPS connections from node.exe to Ethereum RPC provider domains (infura.io, cloudflare-eth.com); DNS or HTTP requests to camorreado[.]click or necropatia[.]com; the registry key Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup written by a non-Microsoft process; and incoming Teams calls from external onmicrosoft.com accounts not on your approved partner list. File hash detection is less reliable due to nine confirmed installer versions.

How do I block EtherRAT's Ethereum C2?

Blocking EtherRAT's primary C2 mechanism requires preventing node.exe from making outbound connections to Ethereum RPC endpoints. Add application-layer firewall rules blocking outbound traffic from node.exe to Ethereum RPC domains including infura.io, cloudflare-eth.com, mainnet.infura.io, and other public Ethereum node providers. The fallback C2 at necropatia[.]com is easier to block via DNS. Note that blocking Ethereum RPC wholesale may affect legitimate Web3 or security tooling in your environment.

How do I stop Teams social engineering attacks like EtherRAT?

Configure Microsoft Teams to restrict external calls and chats to approved tenant allow-lists via the Teams admin center External Access settings. Disable incoming calls from unknown external tenants if your business model allows it. Train employees that IT support will never initiate an unsolicited Teams call asking them to install remote access software, and that any such request should be verified through a known IT ticket number before compliance. Alert on Teams external call events from onmicrosoft.com domains not on your partner allow-list.

Is EtherRAT used by a state-sponsored threat actor?

Palo Alto Networks Unit 42 notes EtherRAT 'was used in state-sponsored attacks' in prior campaigns, but attributes the current Microsoft Teams fake IT support campaign to an unidentified threat actor. Attribution remains open. The sophistication of the Ethereum blockchain C2, the social engineering investment, and the active campaign development pace are consistent with a well-resourced operator targeting high-value sectors, but no confirmed nation-state attribution has been published for the July 2026 campaign.

Sources & references

  1. Palo Alto Unit 42: Fake IT Support Abuses Teams to Deliver EtherRAT (June 28, 2026)
  2. BleepingComputer: Fake IT support calls on Microsoft Teams push EtherRAT malware
  3. GBHackers: Hackers Abuse Cross-Tenant Teams Chat to Deliver EtherRAT
  4. Sysdig: EtherRAT Dissected — How a React2Shell Implant Delivers 5 Payloads Through Blockchain C2
  5. eSentire: EtherRAT and SYS_INFO Module — C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.