PROBABLYPWNED
MalwareJuly 10, 20264 min read

EtherRAT Spreads via Fake IT Support Calls on Microsoft Teams

Unit 42 uncovers Node.js-based RAT using Ethereum smart contracts for C2. Attackers impersonate IT staff on Teams calls to install remote access tools before deploying EtherRAT.

James Rivera

Threat actors are calling employees on Microsoft Teams, impersonating IT support staff, and walking them through installing malware. Palo Alto Networks' Unit 42 documented the campaign this week, revealing a Node.js-based remote access trojan that uses Ethereum blockchain infrastructure to stay resilient against takedowns.

The attack combines phishing emails, social engineering over voice calls, and legitimate remote administration tools to deliver what researchers call EtherRAT—a cross-platform RAT that gives attackers full system control while making traditional C2 disruption nearly impossible.

How the Attack Works

The infection chain begins with a phishing email disguised as an employee survey containing a malicious PDF attachment. Shortly after the victim opens the document, they receive a Microsoft Teams voice call from an external account claiming to be a system administrator.

The caller's account—[email protected][.]com in documented cases—displays "External" badges that many users ignore. During the call, the attacker convinces the target to grant screen-sharing access and install legitimate remote tools like HopToDesk or AnyDesk.

Once remote access is established, the attacker downloads an MSI installer from their infrastructure (camorreado[.]click) that deploys EtherRAT.

This voice-call approach mirrors the Pink vishing campaign we covered earlier this week, where attackers used similar Teams-based social engineering to harvest Entra passkeys. The pattern is clear: threat actors have realized that voice adds legitimacy to phishing attempts.

What is EtherRAT?

EtherRAT is built on Node.js, making it cross-platform by design. Its capabilities include:

  • Command execution — Full shell access on victim systems
  • File manipulation — Read, write, and exfiltrate data
  • Persistence — Survives reboots through standard techniques
  • Modular architecture — Additional payloads can be deployed post-infection

What sets EtherRAT apart is its command-and-control mechanism. Rather than hardcoding server addresses that defenders can block, the malware queries Ethereum smart contracts to retrieve its active C2 infrastructure. Blockchain entries are effectively immutable—you can't file a takedown request with Ethereum.

This decentralized approach significantly complicates disruption efforts. Traditional C2 domains can be sinkholed within hours of discovery. Blockchain-based infrastructure has no single point of failure.

Active Development Indicators

Unit 42 discovered an open directory on the attackers' distribution server containing multiple malware installer versions labeled v1 through v9. This versioning suggests an active development cycle with regular updates—not a one-off campaign.

The researchers also noted that EtherRAT was previously documented in state-sponsored attacks exploiting the React2Shell vulnerability, indicating the tool may have origins in more sophisticated operations before being adapted for this campaign.

Mitigation Recommendations

Organizations should implement several controls to defend against this attack pattern:

  1. Restrict external Teams communication — Consider limiting voice calls from external accounts or requiring explicit approval
  2. Train staff on vishing — Employees should verify IT support requests through known channels, not accept unsolicited calls at face value
  3. Control remote tool installation — Application allowlisting can prevent unauthorized installation of AnyDesk, HopToDesk, and similar tools
  4. Monitor for MSI downloads — EDR should flag MSI packages downloaded from unfamiliar domains

The device code phishing surge we reported on last week shows that attackers are increasingly targeting authentication and trust relationships rather than purely technical vulnerabilities. Voice-based social engineering extends that trend into real-time manipulation.

For a broader overview of how these social engineering tactics work, see our phishing email examples guide—though this campaign demonstrates that the threat extends well beyond email.

Why This Matters

Microsoft Teams became ubiquitous during the pandemic, and organizations generally trust it as internal communication infrastructure. That trust is now being weaponized. When "IT support" calls through an official-looking Teams interface, the social engineering battle is already half won.

The Ethereum C2 component adds a technical wrinkle that defenders haven't fully solved. Blockchain-based malware infrastructure isn't new, but its appearance in a social-engineering-heavy campaign suggests the technique is maturing beyond experimental use.

Unit 42's findings are available on their GitHub repository with additional indicators of compromise.

Related Articles