
GlassWorm, EtherRAT & Rebex RAT: Blockchain-C2 and Multi-Stage Supply Chain Attacks

Security Arsenal Team
April 29, 2026
7 min read

Excerpt

APTs using Solana/Ethereum smart contracts & Telegram API for resilient C2. Targeting developers & retail sectors via supply chain and trojanized docs. Urgency: High.

Threat Summary

The latest OTX pulses reveal a concerning convergence of advanced adversary tactics focusing on the abuse of decentralized infrastructure and non-standard C2 channels to evade detection. We are tracking three distinct but sophisticated campaigns:

  1. GlassWorm: A supply-chain attack specifically targeting developers. By compromising code repositories, it delivers a payload that uses the Solana blockchain to fetch instructions and install fake browser extensions for surveillance.
  2. Rebex-based Telegram RAT: A multi-stage malware campaign targeting Vietnamese entities via trojanized CHM (compiled HTML) files. It utilizes Python loaders and C++ DLLs, establishing persistence through shell hijacking and communicating via the Telegram API.
  3. EtherRAT: Linked to a North Korean APT group, this Node.js backdoor targets the retail and business sectors. It employs "EtherHiding", storing C2 addresses within Ethereum smart contracts to prevent infrastructure takedowns, while using CDN-like beaconing to blend in with legitimate traffic.

Collectively, these campaigns demonstrate a shift toward "infrastructure-less" C2 (using blockchain) and trusted-application abuse (Telegram, Browser Extensions) to bypass traditional network defenses.

Threat Actor / Malware Profile

GlassWorm

  • Distribution Method: Supply chain compromise via code repositories and package managers.
  • Payload Behavior: Staged execution beginning with machine fingerprinting. Drops a fake browser extension for surveillance and a Remote Access Trojan (RAT). Exfiltrates cryptocurrency wallets and development credentials.
  • C2 Communication: Uses the Solana blockchain to retrieve payload URLs and instructions, making traffic analysis difficult.
  • Persistence: Browser extension installation and likely registry Run keys (inferred from the "surveillance" role and standard RAT behavior; not confirmed in the pulse).

Rebex-based Telegram RAT

  • Distribution Method: Spear-phishing with trojanized CV documents (CHM format).
  • Payload Behavior: CHM file executes a multi-stage payload involving Python interpreters and C++ DLLs protected by XOR encryption.
  • C2 Communication: Uses the Telegram API for C2 communications, bypassing firewall rules that typically allow Telegram.
  • Persistence: Shell hijacking (modifying registry keys to execute malicious code on shell open) and Scheduled Tasks.

EtherRAT (North Korean APT)

  • Distribution Method: Initial vector unspecified in pulse, but targets Retail/Finance; likely social engineering or drive-by.
  • Payload Behavior: Node.js based backdoor. Capable of arbitrary command execution, system info gathering, and asset theft.
  • C2 Communication: EtherHiding – C2 addresses are stored in Ethereum smart contracts. The malware queries the blockchain to find the active C2 server. Uses CDN-like beaconing to mimic web traffic.
  • Persistence: Scheduled tasks and Service installation (standard for Node.js malware).

IOC Analysis

Indicator Types

  • File Hashes (Rebex RAT): Multiple SHA256, MD5, and SHA1 hashes provided for the CHM and payload stages. These are high-fidelity indicators for file-based detection.
  • Domains (EtherRAT): Specific domains used for C2 or redirectors (e.g., o-parana.com, rpc.payload.de). These should be blocked immediately.
  • Network Protocols: WebSocket/HTTPS connections to Ethereum RPC nodes (standard ports 8545/8546) and Solana RPC endpoints (ports 8899/8900) from developer workstations are suspicious if not business-justified.

Operational Guidance

SOC teams should:

  1. Blocklist IOCs: Immediately block the listed domains and file hashes on EDR and firewalls.
  2. Traffic Analysis: Inspect outbound HTTPS traffic for connections to known public Ethereum/Solana RPC endpoints from non-developer machines or at unusual times.
  3. CHM Vigilance: Alert on any hh.exe (HTML Help) process spawning child processes like python.exe or cmd.exe.
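The three checks above applied to constructed, Sysmon-style endpoint telemetry, as an added example that is not code from the original advisory; the host names, file paths, the 203.0.113.10 address and the developer-host allowlist are assumptions for illustration.

```python
"""Apply the three SOC checks above to constructed endpoint telemetry (not from the pulse)."""
from typing import Iterable

# Indicators and ports as listed in the advisory.
ETHERRAT_DOMAINS = {"o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com",
                    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"}
RPC_PORTS = {8545, 8546, 8899, 8900}           # Ethereum (8545/8546) and Solana (8899/8900) RPC
LOOPBACK = {"localhost", "127.0.0.1", "::1"}   # a local dev node is not interesting here
CHM_CHILDREN = ("\\python.exe", "\\cmd.exe", "\\powershell.exe")


def domain_matches(hostname: str) -> bool:
    """True if hostname is a listed EtherRAT domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ETHERRAT_DOMAINS)


def triage(events: Iterable[dict], developer_hosts: set) -> list:
    """Return one alert per event that trips a check; developer hosts get a lower RPC severity."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            # Check 3: hh.exe launching an interpreter or shell from a CHM.
            if ev["parent"].lower().endswith("\\hh.exe") and ev["image"].lower().endswith(CHM_CHILDREN):
                alerts.append({"host": ev["host"], "rule": "chm_child_process", "level": "high"})
        elif ev["type"] == "net":
            if domain_matches(ev["dst_host"]):
                # Check 1: direct hit on a blocklisted EtherRAT domain.
                alerts.append({"host": ev["host"], "rule": "etherrat_domain", "level": "high"})
            elif ev["dst_port"] in RPC_PORTS and ev["dst_host"].lower() not in LOOPBACK:
                # Check 2: blockchain RPC traffic; only unusual when not from a developer box.
                level = "medium" if ev["host"] in developer_hosts else "high"
                alerts.append({"host": ev["host"], "rule": "blockchain_rpc", "level": level})
    return alerts


# Constructed sample telemetry; host names, paths and 203.0.113.10 are illustrative.
SAMPLE_EVENTS = [
    {"type": "process", "host": "dev-01", "parent": "C:\\Windows\\hh.exe", "image": "C:\\Python311\\python.exe"},
    {"type": "process", "host": "fin-07", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\hh.exe"},
    {"type": "net", "host": "fin-07", "image": "C:\\Program Files\\nodejs\\node.exe", "dst_host": "rpc.payload.de", "dst_port": 443},
    {"type": "net", "host": "dev-01", "image": "C:\\Program Files\\nodejs\\node.exe", "dst_host": "127.0.0.1", "dst_port": 8545},
    {"type": "net", "host": "pos-03", "image": "C:\\Program Files\\nodejs\\node.exe", "dst_host": "203.0.113.10", "dst_port": 8545},
    {"type": "net", "host": "dev-02", "image": "C:\\Program Files\\nodejs\\node.exe", "dst_host": "203.0.113.10", "dst_port": 8899},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, developer_hosts={"dev-01", "dev-02"}):
        print(f"[{a['level'].upper():6}] {a['host']}: {a['rule']}")
```

The loopback exclusion and the developer-host allowlist are what keep a local Web3 toolchain from paging the SOC; tune both to the environment before deploying the logic.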

Detection Engineering

Sigma Rules

YAML
title: Suspicious Node.js Process Connecting to Ethereum RPC - EtherRAT
id: 5e0b2d8a-1a3b-4c5d-9e6f-1a2b3c4d5e6f
description: Detects Node.js processes establishing network connections to Ethereum RPC endpoints or known EtherRAT infrastructure domains, indicative of EtherHiding or EtherRAT activity.
references:
  - https://otx.alienvault.com/pulse/642712345678/
author: Security Arsenal
date: 2026/04/29
modified: 2026/04/29
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\node.exe'
    Initiated: 'true'
    DestinationPort:
      - 8545
      - 8546
  filter_legit_rpc:
    DestinationHostname|contains:
      - 'localhost'
      - '127.0.0.1'
  selection_domains:
    DestinationHostname|contains:
      - 'o-parana.com'
      - 'rpc.payload.de'
      - 'jariosos.com'
      - 'hayesmed.com'
      - 'regancontrols.com'
      - 'salinasrent.com'
      - 'justtalken.com'
      - 'mebeliotmasiv.com'
  # Apply the loopback filter to the port-based selection only; domain hits always fire.
  condition: (selection and not filter_legit_rpc) or selection_domains
falsepositives:
  - Legitimate developer Web3 blockchain applications
level: high
---
title: Trojanized CHM File Spawning Python - Rebex Telegram RAT
id: f1e2d3c4-b5a6-4789-9012-3a4b5c6d7e8f
description: Detects HTML Help executable (hh.exe) spawning a Python interpreter, a common technique used in the Rebex-based Telegram RAT campaign to execute payloads embedded in CHM files.
references:
  - https://otx.alienvault.com/pulse/642798765432/
author: Security Arsenal
date: 2026/04/29
modified: 2026/04/29
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\hh.exe'
    Image|endswith:
      - '\python.exe'
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
falsepositives:
  - Legitimate documentation requiring embedded scripts (rare)
level: high
---
title: Potential GlassWorm Browser Extension Tampering
id: a1b2c3d4-e5f6-47a8-9b0c-1d2e3f4a5b6c
description: Detects suspicious modifications to browser extension directories or registry keys, indicative of GlassWorm installing a fake surveillance extension.
references:
  - https://otx.alienvault.com/pulse/642712345678/
author: Security Arsenal
date: 2026/04/29
modified: 2026/04/29
tags:
  - attack.persistence
  - attack.t1176
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\Google\Chrome\Extensions\'
      - '\Software\Microsoft\Edge\Extensions\'
      - '\Software\Mozilla\Firefox\Extensions\'
    Details|contains:
      - 'update_url'
      - 'background'
  filter:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate software installing browser extensions
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for EtherRAT network indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "o-parana.com", 
    "rpc.payload.de", 
    "jariosos.com", 
    "hayesmed.com", 
    "regancontrols.com", 
    "salinasrent.com", 
    "justtalken.com", 
    "mebeliotmasiv.com"
)
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, InitiatingProcessFileName, RemoteUrl
| order by Count desc

// Hunt for Rebex RAT File Hashes (run as a separate query; KQL does not chain queries with ';')
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
    "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
    "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt for GlassWorm, Rebex RAT, and EtherRAT
.DESCRIPTION
    Checks for the presence of specific file hashes (Rebex), 
    suspicious scheduled tasks (Rebex/EtherRAT persistence), and 
    network connections to blockchain RPCs (GlassWorm/EtherRAT).
#>

# Rebex RAT File Hashes
$RebexHashes = @(
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
    "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
    "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee"
)

# EtherRAT Domains
$EtherRatDomains = @(
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com", 
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)

Write-Host "[*] Scanning for Rebex RAT File Hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    try {
        Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue | 
        Where-Object { $_.Length -gt 0 } | 
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($RebexHashes -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (SHA256: $hash)" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access errors
    }
}

Write-Host "[*] Checking DNS Cache for EtherRAT Domains..." -ForegroundColor Cyan
# Match the listed domains and any subdomain of them (an exact -contains check would miss subdomains)
Get-DnsClientCache | Where-Object { $entry = $_.Entry; ($EtherRatDomains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }) } | 
    Select-Object Entry, Data, TimeToLive | 
    Format-Table -AutoSize

Write-Host "[*] Checking Scheduled Tasks for suspicious Shell hijacking or Node.js payloads..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -like "*node*" -or 
    $_.Actions.Execute -like "*cmd*" -or 
    $_.Actions.Execute -like "*powershell*" 
} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

Write-Host "[*] Checking for Browser Extension Modifications (Chrome/Edge)..." -ForegroundColor Cyan
$ExtPaths = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
# Basic check for recent modifications
foreach ($Path in $ExtPaths) {
    if (Test-Path $Path) {
        Get-ChildItem $Path -Recurse -Directory | 
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | 
        Select-Object FullName, LastWriteTime
    }
}

Response Priorities

Immediate

  • Block all listed EtherRAT domains and Rebex RAT file hashes at the perimeter and endpoint.
  • Scan developer workstations for unauthorized browser extensions.
  • Isolate any devices with confirmed hits for the Rebex RAT hashes.

24 Hours

  • Conduct credential resets for developers on systems potentially compromised by GlassWorm (supply chain).
  • Analyze logs for hh.exe spawning child processes to identify the scope of the Rebex campaign.
  • Review network logs for connections to Ethereum/Solana public RPC endpoints from non-approved business units.

1 Week

  • Implement strict software signing policies for internal packages (mitigate GlassWorm supply chain).
  • Update application control policies to block CHM files delivered via email from the internet.
  • Review and restrict outbound access to public blockchain nodes to specific jump hosts or approved development environments only.
