EtherRAT Targeting Windows Disguised as a Game Mod Installer
TLP: WHITE | AlienVault | Created: 2026-01-21 | Modified: 2026-02-20
A Windows variant of EtherRAT, a JavaScript-based malware, has been discovered disguised as game mod installers. The malware uses MSI files to create and execute obfuscated scripts that decrypt and run the main payload. EtherRAT retrieves its Command and Control (C2) server addresses dynamically through Ethereum smart contracts, employing anti-analysis techniques and establishing persistence via Registry Run keys. The malware's infrastructure has been linked to the Tsundere Botnet, sharing C2 servers and smart contract similarities. Analysis revealed multiple contract addresses and wallet addresses associated with the attacker, indicating an expanding and evolving operation targeting both Windows and Linux systems.
Malware Families: EtherRAT, Tsundere Botnet, 123 Stealer
Indicators of Compromise (26)