Unit 42 Exposes EtherRAT: Teams Calls Deliver Blockchain-Backed RAT

Unit 42 exposed an active campaign using fake Microsoft Teams IT support calls to install EtherRAT, a Node.js RAT whose C2 runs on Ethereum smart contracts.
Table of Contents
    Add a header to begin generating the table of contents

    Palo Alto Networks Unit 42 disclosed an active campaign in which attackers abuse Microsoft Teams external voice call functionality to impersonate corporate IT support staff, ultimately deploying a remote access trojan whose command-and-control infrastructure runs on the Ethereum blockchain — making it impervious to the domain seizures and IP blocks that typically neutralize conventional malware operations. The campaign has already produced at least nine distinct versions of its malware loader, a sign of active and iterative development.

    How EtherRAT Reaches Enterprise Endpoints via Teams Calls

    The attack chain does not begin with Microsoft Teams. Initial contact arrives through a phishing email carrying an “Employee Survey” lure and a malicious PDF attachment. Shortly after the victim opens the document, they receive a Teams voice call from an external tenant account — an account outside the victim’s organization, flagged by Microsoft with its standard “External unfamiliar” warning label. The caller impersonates a System Administrator and walks the victim through a convincing technical troubleshooting process that ends with malware installation.

    The social engineering is deliberately layered. The email establishes a pretext; the Teams call provides live human engagement that overcomes the skepticism a victim might apply to a link alone. The “External unfamiliar” warning exists in the Teams interface, but callers who impersonate credible IT scenarios can condition victims to disregard it as a standard disclaimer for external support providers.

    The Malicious MSI and Node.js Loader Chain That Delivers EtherRAT

    After the attacker establishes trust via the Teams call, they direct the victim to install a malicious MSI file — designated v7.msi in Unit 42’s analysis — served from a threat-actor-controlled distribution server. The MSI does not install EtherRAT directly. Instead it acts as a multi-stage loader: it downloads a legitimate Node.js runtime, decrypts embedded payloads, and then launches EtherRAT.

    Unit 42’s investigation of the campaign’s distribution server revealed an open directory exposing installer versions v1 through v9 — at least nine active iterations of the loader. The progression of versions indicates the threat actors are actively monitoring detection rates and refining the loader with each iteration, incorporating anti-detection adjustments based on how security tools respond to prior versions.

    EtherRAT’s capabilities include arbitrary command execution, file system access and manipulation, credential and data theft, and persistent backdoor access to the compromised endpoint. The malware is cross-platform, built on Node.js in a way that allows deployment across operating systems without significant code changes.

    Why Ethereum Smart Contracts Make EtherRAT’s C2 Infrastructure Uncancellable

    Conventional remote access trojans retrieve their command-and-control server address from a domain name or hardcoded IP. Defenders and law enforcement have established effective processes for seizing C2 domains and sinkholing DNS resolution to kill malware communications. EtherRAT’s architecture bypasses this entirely.

    When EtherRAT initializes, it contacts Ethereum smart contracts to retrieve its active C2 server address. Smart contracts on the Ethereum blockchain are immutable — once deployed, their code and stored data cannot be altered or deleted by any external party, including law enforcement, registrars, or hosting providers. There is no domain to seize, no registrar to contact, no hosting provider to compel. An attacker who controls the smart contract can update the C2 address at any time without any interaction that defenders can disrupt.

    This architecture means that traditional incident response actions — blocking the malware’s known C2 domain, reporting it to a registrar, or requesting a hosting provider takedown — have no effect on EtherRAT’s ability to communicate with its operators. Defenders must instead focus on detecting the malware on endpoints before it establishes its blockchain-based C2 connection.

    Enterprise Exposure and Defensive Posture Against Teams-Based Social Engineering

    Any organization that permits external Microsoft Teams voice calls without strict allow-listing or caller verification policies is exposed to this attack vector. The initial phishing email establishes the lure; the Teams call is the delivery mechanism for social engineering that overcomes victim hesitation.

    Organizations should review their Teams external access policies to assess whether external voice calls from unknown tenants are permitted. Endpoint security controls should be evaluated for detection coverage against the malicious MSI loader and Node.js-delivered payloads. Given the nine-version iteration pattern, signatures tied to specific loader builds will have a short effective window before the next version is deployed.

    Unit 42’s disclosure on July 6 represents the first public documentation of this specific campaign and EtherRAT’s Teams-based delivery method.

    Related Posts