eSentire TRU reports detecting EtherRAT, a Node.js-based backdoor, in a retail environment in March 2026. It collects host data and steals cryptocurrency wallets and cloud credentials while using Ethereum smart contracts to fetch and rotate C2 addresses via EtherHiding. https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons