Threat Summary
Current intelligence from the AlienVault OTX platform indicates a surge in high-impact activity from three distinct, state-aligned threat actors targeting critical sectors globally.
- North Korean APT (EtherRAT): Active against Retail and Finance sectors using a Node.js-based backdoor. This campaign is notable for its use of "EtherHiding," utilizing the Ethereum blockchain for resilient C2 infrastructure, making takedowns significantly more difficult.
- Russian APT28 (Pawn Storm): Deploying the "PRISMEX" malware suite against Government and Defense entities in Ukraine and neighboring NATO countries. The group exploits recent CVEs (CVE-2026-21509, CVE-2026-21513) and employs advanced steganography to hide payloads within cloud services.
- Void Arachne (Silver Fox): Intensifying spearphishing campaigns against Japanese manufacturing firms during tax season, delivering the ValleyRAT trojan via financial and HR lures.
Collectively, these pulses demonstrate a trend toward blockchain abuse for resilience, steganography for evasion, and highly contextual social engineering keyed to regional administrative cycles.
Threat Actor / Malware Profile
1. EtherRAT (North Korean APT)
- Distribution: Likely delivered via initial access brokers or supply chain compromise targeting software/retail supply chains.
- Payload Behavior: Node.js-based backdoor allowing arbitrary command execution and extensive system fingerprinting (sys_info module).
- C2 Communication: Unique "EtherHiding" technique. C2 addresses are stored in Ethereum smart contract transaction data. The malware queries the blockchain to find the next C2 server, creating a decentralized, resilient infrastructure. Uses CDN-like beaconing to blend in with legitimate traffic.
- Persistence: Not explicitly detailed in the pulse, but Node.js backdoors often persist via scheduled tasks or registry run keys.
2. PRISMEX / Pawn Storm (APT28)
- Distribution: Exploitation of CVE-2026-21509 and CVE-2026-21513, likely paired with spearphishing.
- Payload Behavior: A modular suite consisting of PrismexDrop, PrismexLoader, PrismexStager, and MiniDoor/NotDoor. Uses COM hijacking for persistence.
- C2 Communication: Abuses legitimate cloud service infrastructure (filen.io) for command and control.
- Anti-Analysis: Employs steganography to hide malicious code or configs within image files hosted on cloud services.
3. ValleyRAT (Void Arachne / Silver Fox)
- Distribution: Targeted spearphishing emails containing tax-related and organizational change lures specific to Japanese entities.
- Payload Behavior: Remote Access Trojan (RAT) focused on credential theft and surveillance.
- C2 Communication: Standard HTTP/HTTPS likely, though specific C2 domains were not the primary focus of the IOCs provided (hashes were prioritized).
IOC Analysis
The provided pulses contain a mix of network and file-based indicators that require immediate triage:
- Domains & Hostnames: The EtherRAT and PRISMEX pulses provide specific FQDNs (e.g., o-parana.com, gateway.filen.io). The filen.io subdomains are particularly critical as they represent legitimate cloud infrastructure being abused for C2, making simple domain blocking potentially disruptive without careful filtering.
- File Hashes: The Silver Fox pulse provides numerous MD5, SHA1, and SHA256 hashes for ValleyRAT droppers and loaders. These are high-fidelity indicators for EDR correlation.
- Operationalization: SOC teams should import the filen.io indicators into network firewalls with a "detect and alert" stance first due to the risk of false positives on legitimate cloud storage usage. The EtherRAT domains should be blocked outright.
- Decoding: The EtherRAT "EtherHiding" mechanism requires blockchain analysis tools to trace the smart contract transactions if incident responders need to identify the current live C2 infrastructure dynamically.
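The tiered stance described in the EtherRAT C2 bullet and the Operationalization bullet (block the EtherRAT domains outright, alert only on the Filen.io hosts, and watch for Ethereum JSON-RPC reads from processes that have no business doing blockchain lookups, the EtherHiding pattern) as an added Python example; it is not part of the OTX pulses or any vendor tooling. The event layout, the approved-process allowlist and the sample events are constructed assumptions, and the JSON-RPC check assumes the lookup goes over HTTPS to a public RPC provider.

```python
import json

# Indicators from the report. EtherRAT domains are blocked outright; Filen.io is
# legitimate cloud storage abused by PRISMEX, so it gets a detect-and-alert stance.
BLOCK_DOMAINS = {"o-parana.com", "payload.de"}
ALERT_ONLY_DOMAINS = {"filen.io", "filen-1.net", "filen-2.net"}
# Constructed allowlist (assumption): processes expected to reach Ethereum JSON-RPC endpoints.
APPROVED_RPC_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

def domain_matches(hostname, indicators):
    """Exact or subdomain match (gateway.filen.io hits filen.io, notfilen.io does not)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)

def is_eth_rpc(body):
    """True if a POST body is an Ethereum JSON-RPC request (single or batched eth_* call)."""
    try:
        msg = json.loads(body or "")
    except ValueError:
        return False
    msgs = msg if isinstance(msg, list) else [msg]
    return any(isinstance(m, dict) and m.get("jsonrpc") == "2.0"
               and str(m.get("method", "")).startswith("eth_") for m in msgs)

def triage(event):
    """Return (verdict, reason) for one egress event: 'block', 'alert' or 'allow'."""
    host, proc = event.get("dest", ""), event.get("process", "").lower()
    if domain_matches(host, BLOCK_DOMAINS):
        return "block", f"EtherRAT C2 domain {host}"
    if domain_matches(host, ALERT_ONLY_DOMAINS):
        return "alert", f"PRISMEX-abused cloud host {host}; alert only, Filen.io has legitimate users"
    if is_eth_rpc(event.get("body")) and proc not in APPROVED_RPC_PROCESSES:
        return "alert", f"Ethereum JSON-RPC read from {proc or 'unknown'}; possible EtherHiding C2 lookup"
    return "allow", ""

# Constructed sample events, not real telemetry: host, initiating process, destination, POST body.
SAMPLE_EVENTS = [
    {"host": "WS01", "process": "node.exe", "dest": "o-parana.com", "body": None},
    {"host": "WS02", "process": "explorer.exe", "dest": "gateway.filen.io", "body": None},
    {"host": "WS03", "process": "node.exe", "dest": "rpc.provider.invalid",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}'},
    {"host": "WS04", "process": "chrome.exe", "dest": "rpc.provider.invalid",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}'},
    {"host": "WS05", "process": "outlook.exe", "dest": "notfilen.io", "body": None},
]

def run(events=SAMPLE_EVENTS):
    """Triage every event; returns (host, verdict, reason) tuples."""
    return [(e["host"], *triage(e)) for e in events]
```

Calling run() on the constructed events blocks WS01, alerts on WS02 and WS03, and allows WS04 and WS05; note that a plain substring match (as in the Sigma rule's `contains`) would also fire on notfilen.io, which the suffix check avoids.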
Detection Engineering
The following detection logic is designed to identify the specific behaviors and indicators detailed in the OTX pulses. Note that the ValleyRAT file rule depends on a Hashes field being present in file events; some file-create log sources do not populate it, so validate the field against your own telemetry before relying on the rule.
Sigma Rules
---
title: Potential PRISMEX C2 Traffic - APT28
id: 48f736ea-c2a0-4826-8c5b-b1a9d2f3e4a5
description: Detects network connections to known PRISMEX malware C2 infrastructure abusing Filen.io cloud services observed in OTX pulses.
status: experimental
date: 2026/04/29
author: Security Arsenal Research
references:
  - https://www.trendmicro.com/en_us/research/26/c/pawn-storm-targets-govt-infra.html
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'filen.io'
      - 'filen-1.net'
      - 'filen-2.net'
  condition: selection
falsepositives:
  - Legitimate use of Filen.io cloud storage
level: high
---
title: Silver Fox ValleyRAT Malware File Detection
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects the presence of ValleyRAT file hashes associated with the Silver Fox campaign targeting Japanese firms.
status: experimental
date: 2026/04/29
author: Security Arsenal Research
references:
  - https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.doc'
      - '.xls'
    Hashes|contains:
      - '244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db'
      - '8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72'
      - '55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba'
  condition: selection
falsepositives:
  - None
level: critical
---
title: Suspicious Node.js Process - EtherRAT Potential
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
description: Detects Node.js processes spawning command shells, a behavior indicative of the Node.js-based EtherRAT backdoor.
status: experimental
date: 2026/04/29
author: Security Arsenal Research
references:
  - https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
falsepositives:
  - Legitimate development tools
level: medium
KQL Hunt Queries
// Hunt for PRISMEX and EtherRAT Network IOCs
// Focus on Filen.io (PRISMEX) and suspicious domains (EtherRAT)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "filen.io"
    or RemoteUrl has "payload.de"
    or RemoteUrl has "o-parana.com"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend FullURL = RemoteUrl

// Hunt for Silver Fox (ValleyRAT) File Hashes
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",
    "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72",
    "55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba"
)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessAccountName
PowerShell Hunt Script
# Silver Fox / ValleyRAT IOC Hunter
# Scans common user directories and temp folders for specific file hashes
# The IOC list mixes SHA256 (64 hex chars) and MD5 (32 hex chars) values, so both
# digests are computed per file; comparing SHA256 alone would never match the MD5 entries
$TargetHashes = @(
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",
    "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72",
    "55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba",
    "1af5b25acd2df31f44a54fc8dcd85287",
    "12a0d942652609bce7319be6bf0135bb",
    "21d9a30074d65babfef9e9e9684c6f5a",
    "4f481a449ad050fea9ca3900118e5676"
)
Write-Host "[+] Initiating Silver Fox (ValleyRAT) IOC Scan..." -ForegroundColor Cyan
# Define search paths (User profiles and temp)
$PathsToScan = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Documents",
    "$env:PUBLIC\Documents",
    "$env:TEMP"
)
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path..." -ForegroundColor Yellow
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            try {
                # -LiteralPath so file names containing wildcard characters are not expanded
                $Sha256 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                $Md5    = (Get-FileHash -LiteralPath $File.FullName -Algorithm MD5 -ErrorAction Stop).Hash
                # -contains is case-insensitive, so the upper-case Get-FileHash output matches the lower-case IOCs
                foreach ($Hash in @($Sha256, $Md5)) {
                    if ($TargetHashes -contains $Hash) {
                        Write-Host "[!] MALICIOUS FILE DETECTED: $($File.FullName)" -ForegroundColor Red
                        Write-Host "    Hash: $Hash" -ForegroundColor DarkRed
                    }
                }
            } catch {
                # Ignore errors (e.g., locked files)
            }
        }
    }
}
Write-Host "[+] Scan Complete." -ForegroundColor Green
Response Priorities
- Immediate: Block all listed domain IOCs (filen.io subdomains, payload.de, etc.) at the perimeter. Search endpoints for the ValleyRAT file hashes provided in the Silver Fox pulse.
- 24 Hours: Identity verification for users in targeted sectors (Manufacturing in Japan, Finance/Retail globally) is critical due to the info-stealing capabilities of both ValleyRAT and EtherRAT. Investigate any recent Node.js installations on non-dev machines.
- 1 Week: Patch CVE-2026-21509 and CVE-2026-21513 immediately to mitigate the PRISMEX attack vector. Review egress filtering policies to prevent unauthorized access to Ethereum RPC endpoints and cloud storage endpoints often abused for C2.