EtherRAT malware hides in fake Tftpd64 installer to target Windows users
A new EtherRAT variant is targeting Windows users through a fake Tftpd64 installer that was hosted on a malicious GitHub repository. The campaign shows how attackers are mixing traditional remote access malware with Web3-focused infrastructure.
LevelBlue SpiderLabs said the trojanized installer impersonated the legitimate Tftpd64 project and offered downloads labeled as Tftpd64 v4.74. Users who downloaded the ZIP or MSI file from the fake repository received a bundle containing EtherRAT alongside files that looked like normal application components.
The attack matters mainly because Tftpd64 is a tool used by IT administrators, network engineers, and support teams. A trojanized installer for such a utility lands on workstations that are used to push firmware and configuration to switches, routers, and servers, which is exactly the kind of foothold an attacker wants.
At a glance
| Item | Details |
|---|---|
| Threat | EtherRAT Windows variant |
| Delivery method | Trojanized Tftpd64 installer |
| Target platform | Windows |
| Impersonated software | Tftpd64 v4.74 |
| Main execution method | Bundled Node.js runtime |
| Persistence method | Windows Run registry key |
| Notable infrastructure | Ethereum RPC endpoints and attacker-linked wallet data |
Why the fake Tftpd64 installer is dangerous
Tftpd64 is a lightweight open-source tool that includes TFTP, DHCP, DNS, SNTP, and Syslog server functions, plus a TFTP client. Because admins use it for routine network work, a fake installer can look believable to the right target.
The malicious package came from a GitHub repository that copied the appearance of the real project. Impersonation of that kind works on users who search for a tool by name and take the first repository that looks right, or who follow download links posted outside the official site.
Once installed, EtherRAT created a hidden directory under the local application data path (%LOCALAPPDATA%) and dropped several staged files. LevelBlue observed .dat, .cmd, .ini, .tmp, and JavaScript stager files, extensions that are unremarkable among the configuration and cache files normally found there.
How EtherRAT runs on Windows
EtherRAT runs its JavaScript payload with Node.js. The bundle shipped its own Node.js runtime, so the malware did not depend on Node.js being installed on the victim's computer.
A bundled runtime makes the implant portable: the same package runs on any supported Windows build, and the attacker controls both the interpreter and the layout of the payload inside the installer, so the install looks the same on every victim. It also means the process doing the work is a legitimate node.exe running a script, which draws less attention than an unfamiliar custom executable.
LevelBlue said the installer set up persistence through a Windows Run registry key. At logon that entry started node.exe through conhost.exe in headless mode and had it load an obfuscated .dat file as the real payload.
What EtherRAT collects from infected systems
- System locale information
- GPU details
- Antivirus products registered in Windows Security Center
- Active Directory domain membership
- Logged-in session status
- MachineGuid values
- Host and environment details useful for later intrusion steps
The malware ran its collection commands through PowerShell with a hidden window and without loading a profile (the -WindowStyle Hidden and -NoProfile switches), so nothing appeared on screen while system details were gathered.
LevelBlue also found that the malware contacted domains such as wpuadmin[.]shop and used encrypted configuration elements. Payload components were protected with AES-256-CBC, with the keys and initialization vectors bundled in the package. That protects the payload from static scanning on disk, not from analysis: anyone holding the bundle holds the key, so an analyst can decrypt the staged components offline with the same material the malware uses at run time.
Why this attack connects Web2 malware with Web3 theft
EtherRAT does not behave like a simple crypto drainer by itself. LevelBlue noted that this case did not show direct draining capability inside the implant alone.
However, the sample included multiple Ethereum RPC endpoints, including Flashbots, Tenderly, LlamaRPC, DRPC, MEV-related endpoints, and public RPC aggregators. It also contained Ethereum wallet addresses, which suggests the malware could support on-chain interactions or later Web3-focused activity.
This makes the campaign part of a wider shift in cybercrime. Attackers are no longer keeping credential theft, remote access malware, crypto phishing, and wallet-draining infrastructure in separate lanes.
What defenders should monitor
- Unexpected Tftpd64 installers downloaded from unofficial GitHub repositories
- Suspicious files under %LOCALAPPDATA%
- Hidden Node.js execution on non-developer machines
- Windows Run keys that launch conhost.exe, node.exe, or obfuscated .dat files
- PowerShell commands using hidden windows and no-profile execution
- Outbound traffic to Ethereum RPC endpoints from unusual processes
- Connections to suspicious domains such as wpuadmin[.]shop
Organizations should also check whether administrators downloaded Tftpd64 from unofficial repositories. Any machine that ran the malicious installer should be treated as potentially compromised.
Because the malware persists through a Run key, deleting the downloaded installer does not remove the infection. Security teams should inspect Run registry entries, local application data folders, process history, and endpoint detection alerts.
Safe download guidance
Users should download Tftpd64 only from official project sources or trusted package channels. The real Tftpd64 project maintains an official website and GitHub repository, while the malicious campaign relied on a lookalike repository.
Security teams should not take administrative tools from arbitrary GitHub repositories unless the repository clearly belongs to the original developer. This is especially important for utilities used on servers, network devices, lab systems, and privileged admin workstations.
Companies should also keep a small approved software list for IT tools. That makes it easier to detect when staff download a fake copy of a legitimate utility.
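One way to turn this guidance into a check an administrator can run before installing, written as an added example for this page (not code from the Tftpd64 project or the LevelBlue report): compare the file's SHA-256 against a hash obtained out of band from the official project page, and record the Authenticode signature and the Mark of the Web so the download origin is part of the decision. The expected hash, the trusted host prefix, and the file name in the usage comment are placeholders the reader supplies; whether official Tftpd64 builds are signed is not stated on this page, so the signature result is reported rather than treated as mandatory.

```powershell
# Added example for this page; not from the Tftpd64 project or the LevelBlue report.
# Assumptions: the expected SHA-256 is copied by hand from the official project
# page (not from the repository the file came from); $TrustedHostPrefix is set by
# the reader to the official site or repository; the file name in the usage
# comment is a placeholder.
function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{64}$')][string]$ExpectedSha256,
        [string]$TrustedHostPrefix
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # 1. Integrity: the hash must match the value published by the project.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -ieq $ExpectedSha256

    # 2. Authenticode: Valid / NotSigned / HashMismatch (file altered after signing).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 3. Mark of the Web: the Zone.Identifier stream records where the browser
    #    fetched the file from (absent if copied from a share or unzipped by some tools).
    $motw    = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1) -replace '^HostUrl=', ''
    $sourceOk = if ($TrustedHostPrefix) {
        [bool]$hostUrl -and $hostUrl.StartsWith($TrustedHostPrefix, [StringComparison]::OrdinalIgnoreCase)
    } else { $null }   # no source policy given, so the origin is reported but not judged

    [pscustomobject]@{
        Path           = $Path
        ActualSha256   = $actual
        HashMatches    = $hashOk
        Signature      = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        DownloadedFrom = $hostUrl
        SourceTrusted  = $sourceOk
        # Install only when the hash matches, the source (if a policy was given) is
        # allowed, and any signature present has not been broken by tampering.
        OkToInstall    = $hashOk -and ($sourceOk -ne $false) -and ($sig.Status -ne 'HashMismatch')
    }
}

# Usage (all three values are placeholders to replace):
# Test-InstallerProvenance -Path "$env:USERPROFILE\Downloads\Tftpd64-4.74-setup.exe" `
#     -ExpectedSha256 '<64 hex characters from the official release page>' `
#     -TrustedHostPrefix 'https://<official site or repository>/'
```

The hash is the check that actually matters; the signature and Mark of the Web are there so that a mismatch comes with an explanation (unsigned build, file altered after signing, or fetched from a host that is not the official one) instead of a bare failure.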
Recommended response steps
- Remove any Tftpd64 package downloaded from an unverified repository.
- Check %LOCALAPPDATA% for unusual staged directories and suspicious .dat, .ini, .cmd, .tmp, or JavaScript files.
- Review HKCU Windows Run registry keys for suspicious startup entries.
- Search endpoint logs for headless node.exe execution.
- Investigate PowerShell commands that run with hidden windows.
- Block or monitor unexpected Ethereum RPC traffic from workstations.
- Reimage affected systems if persistence or unauthorized access is confirmed.
- Rotate credentials used on compromised admin systems.
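The host-side checks listed under "What defenders should monitor" and the first five response steps above can be run as one PowerShell triage script. The following is an added example written for this page, not code from LevelBlue, the Tftpd64 project, or the malware author. It uses only the indicators the article gives (conhost.exe, node.exe and .dat payloads in Run keys; staged .dat/.cmd/.ini/.tmp/.js files beside a bundled node.exe under %LOCALAPPDATA%; hidden no-profile PowerShell; the wpuadmin[.]shop domain). The implant's actual directory and file names are not published here, so every check is generic and the output is a list of leads to investigate, not a verdict.

```powershell
# Added triage script for this page, not code from LevelBlue or the Tftpd64 project.
# Indicators come from the article; directory and file names are unknown, so the
# checks are generic. Run in an elevated session: command lines of other users'
# processes are only visible to administrators. HKCU and %LOCALAPPDATA% are per
# user, so run it as each user of interest or walk HKU and C:\Users yourself.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run / RunOnce keys: values that launch conhost.exe, node.exe or a .dat payload.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip provider metadata
        $cmd = [string]$p.Value
        if ($cmd -match 'conhost\.exe|\bnode(\.exe)?\b|\.dat\b') {
            Add-Finding 'RunKey' "$key\$($p.Name) = $cmd"
        }
    }
}

# 2. Staging under %LOCALAPPDATA%: a node.exe that is not an installed Node.js,
#    sitting beside .dat/.cmd/.ini/.tmp/.js files, plus hidden top-level directories.
#    -Depth keeps the scan short; raise it if your environment nests deeper.
$local  = $env:LOCALAPPDATA
$staged = '.dat', '.cmd', '.ini', '.tmp', '.js'
Get-ChildItem -Path $local -Recurse -Depth 3 -Force -Filter 'node.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $node = $_
        $siblings = Get-ChildItem -Path $node.DirectoryName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $staged }
        if ($siblings) {
            Add-Finding 'StagedNode' "$($node.FullName) beside: $($siblings.Name -join ', ')"
        }
    }
Get-ChildItem -Path $local -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    ForEach-Object { Add-Finding 'HiddenDir' $_.FullName }

# 3. Live processes: node.exe running from a user profile rather than an installed
#    Node.js, and PowerShell started hidden with no profile. This is current state
#    only; for history query Sysmon event 1 or Security event 4688 instead.
foreach ($proc in (Get-CimInstance Win32_Process -ErrorAction SilentlyContinue)) {
    $cl = [string]$proc.CommandLine
    switch -Regex ($proc.Name) {
        '^node\.exe$' {
            if ($proc.ExecutablePath -like '*\AppData\Local\*') {
                Add-Finding 'NodeProcess' "PID $($proc.ProcessId) parent $($proc.ParentProcessId): $cl"
            }
        }
        '^(powershell|pwsh)\.exe$' {
            # -w hidden / -WindowStyle Hidden together with -nop / -NoProfile
            if ($cl -match '-w[a-z]*\s+hidden' -and $cl -match '-nop[a-z]*\b') {
                Add-Finding 'HiddenPowerShell' "PID $($proc.ProcessId) parent $($proc.ParentProcessId): $cl"
            }
        }
    }
}

# 4. DNS client cache: any record for the reported domain (defanged on the page as
#    wpuadmin[.]shop). A hit means something on this host resolved it recently.
$c2 = 'wpuadmin.shop'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$c2" -or $_.RecordName -like "*$c2" } |
    ForEach-Object { Add-Finding 'DnsCache' "$($_.Entry) -> $($_.Data)" }

if ($findings.Count -eq 0) { 'No EtherRAT-style indicators found on this host.' }
else { $findings | Sort-Object Category | Format-Table -AutoSize -Wrap }
```

A hit in the RunKey or StagedNode category is the strongest lead, because neither a node.exe under a user profile nor a Run value pointing at a .dat file has a normal explanation on a non-developer machine. HiddenPowerShell and NodeProcess only show what is running at the moment the script executes, so a clean result there does not clear the host; the Run key and the staged files are what survive a reboot.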
Why this campaign matters beyond crypto
The EtherRAT campaign shows that crypto-related threats now affect regular enterprise security. Even organizations that do not hold digital assets can face risk when malware uses blockchain infrastructure for communication, routing, or later-stage operations.
The bigger concern is trusted software impersonation. Attackers are targeting tools that administrators already know, then using fake repositories and installers to get past normal user caution.
For defenders, the lesson is simple. Verify the source before installing admin tools, monitor startup persistence, and treat silent Node.js activity on non-developer machines as suspicious.
FAQ
What is EtherRAT?
EtherRAT is a JavaScript-based remote access malware family that uses Node.js to run its payload. LevelBlue reported a Windows-focused variant delivered through a fake Tftpd64 installer.
Is Tftpd64 safe to download?
The reported campaign involved a malicious GitHub repository impersonating the official project. The safer approach is to use the official Tftpd64 website or verified repository when downloading the tool.
What did the fake Tftpd64 installer do?
It installed EtherRAT, dropped staged files under local application data, bundled a Node.js runtime, and created persistence through a Windows Run registry key.
Does EtherRAT drain crypto wallets?
LevelBlue said this EtherRAT case did not show direct draining capability by itself. However, the malware included Ethereum RPC endpoints and wallet-related infrastructure that could support Web3-focused activity.