Guavy AI Editorial Team

Ethereum Smart Contracts Used by Malware for Command Infrastructure Rotation


Incident response to a March 2026 intrusion in the retail sector has uncovered a novel attacker tactic. After gaining initial access, the attackers deployed a Node.js-based backdoor that let them execute commands remotely, collect system data, and steal cryptocurrency wallets and cloud credentials.

The most notable development is the use of EtherHiding, a technique that stores command-and-control (C2) addresses inside Ethereum smart contracts. Because the backdoor reads its current C2 address from the blockchain instead of from a hard-coded domain, operators can rotate infrastructure cheaply by updating the contract, and the stored addresses are out of reach of traditional domain and hosting takedowns.
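To make the mechanism concrete, the following is an added example (not EtherRAT's code and not from the investigation) of the read side of EtherHiding: a loader sends a JSON-RPC `eth_call` to any public Ethereum node and decodes the ABI-encoded string the contract returns. The contract address, function selector and the node's response are constructed for illustration, and the contract interface (a getter returning a single `string`) is an assumption. The same decoder lets a defender pull the current C2 indicator from a contract they have identified.

```javascript
// Added example, not code from the page or from the malware: how a loader
// resolves its C2 URL from an Ethereum smart contract over JSON-RPC, and how
// a defender decodes the same return value. Contract address, selector and
// the sample response below are constructed; the getter interface is assumed.

const ABI_WORD = 64; // one 32-byte ABI word is 64 hex characters

// Build the eth_call request a loader would POST to any public RPC endpoint.
// Reading contract state needs no key, no gas and no authentication.
function buildEthCallRequest(contractAddress, selectorHex, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contractAddress, data: selectorHex }, "latest"],
  };
}

// Decode a single ABI-encoded `string` return value:
// [offset word][length word][utf-8 bytes padded to a 32-byte boundary].
function decodeAbiString(hexResult) {
  const hex = hexResult.startsWith("0x") ? hexResult.slice(2) : hexResult;
  if (hex.length % ABI_WORD !== 0) throw new Error("result is not word-aligned");
  const offset = Number(BigInt("0x" + hex.slice(0, ABI_WORD))) * 2;
  const length = Number(BigInt("0x" + hex.slice(offset, offset + ABI_WORD))) * 2;
  const dataStart = offset + ABI_WORD;
  if (dataStart + length > hex.length) throw new Error("declared length exceeds payload");
  return Buffer.from(hex.slice(dataStart, dataStart + length), "hex").toString("utf8");
}

// Encode a string the way a Solidity getter returns it, so the round trip is
// visible and the decoder can be exercised without a live node.
function encodeAbiString(str) {
  const bytes = Buffer.from(str, "utf8");
  const padded = Math.ceil(bytes.length / 32) * 32;
  const word = (n) => n.toString(16).padStart(ABI_WORD, "0");
  return "0x" + word(32) + word(bytes.length) + bytes.toString("hex").padEnd(padded * 2, "0");
}

// Constructed sample: what a node would answer if the contract's getter
// currently holds this fictional C2 URL. An operator rotates infrastructure
// by sending one transaction that overwrites this value; loaders pick up the
// new URL on their next eth_call.
const SAMPLE_C2 = "https://c2.example.invalid/api";
const SAMPLE_RESPONSE = { jsonrpc: "2.0", id: 1, result: encodeAbiString(SAMPLE_C2) };

// What the loader (or an analyst) does with the node's answer.
function resolveC2(response) {
  if (response.error) throw new Error("rpc error: " + JSON.stringify(response.error));
  return decodeAbiString(response.result);
}

if (typeof require !== "undefined" && require.main === module) {
  // Hypothetical contract address and selector, shown only to illustrate the request shape.
  const req = buildEthCallRequest("0x" + "00".repeat(20), "0xdeadbeef");
  console.log(JSON.stringify(req));
  console.log("current C2:", resolveC2(SAMPLE_RESPONSE));
}
```

The practical consequence for defenders follows from the request shape: the only network indicator on the host side is HTTPS traffic to an Ethereum RPC endpoint, which is legitimate for many applications, so detection has to rely on the process making the call and on the decoded contract value rather than on the destination alone. Once the contract is known, polling it with the same `eth_call` gives a free, continuously updated feed of the operator's current C2.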

Investigators observed several initial access methods, including ClickFix attacks and IT support scams conducted over Microsoft Teams. The infection chain ran through multiple stages of encrypted payloads and obfuscated scripts that ultimately deployed the EtherRAT backdoor and established persistence through Windows registry keys.