
Reverse Engineering an Ethereum-Powered Infostealer


Introduction — Malware Infrastructure Is Evolving

Traditional malware often stores command-and-control (C2) servers directly inside the binary. Once defenders identify the infrastructure, domains and servers can be blocked or seized.

Cybercriminals understand this weakness.

Over the years, malware authors have experimented with alternative ways to hide C2 infrastructure:

  • Reddit posts
  • Steam profiles
  • Telegram bios
  • Paste sites
  • Social media platforms

But these methods still rely on centralized services that can be taken down.

In this investigation, we analyzed a multi-stage infostealer campaign that uses the Ethereum blockchain itself to store and retrieve C2 configuration data.

Instead of embedding infrastructure inside the malware, the threat actor stores the C2 information inside an Ethereum smart contract. The malware retrieves the contract data through public Ethereum RPC APIs, extracts the configuration, and dynamically resolves the active C2 server.

The result is a far more resilient infrastructure model that is difficult to disrupt.


Initial Infection Chain

The investigation began with a suspicious executable distributed through YouTube. The threat actor uploaded a video titled “Adobe Media Encoder 2026 Crack | How To Download and Install | Full Version” to lure viewers into downloading a malicious executable disguised as pirated software. Figure 1 shows the YouTube video.

Figure 1: Reverse Engineering an Ethereum-Powered Infostealer - Youtube Video

The video describes how to install a cracked version of Adobe Media Encoder and provides instructions on where to download the file. The malicious download link was included in the video description, as shown in Figure 1.


The downloaded file has the following properties:

Filename: Installer_x64.rar

MD5: 47943a8963dd7744688d2f3393204654

SHA1: 221b91c22ca4d9c90fb119b72dc1cd76cd5017bf 

SHA256: e71dc48fba30ba00f9dae175e116ec58be2c2324cafedcdae7d3b0220342ae7b


The malware has the following properties:

Filename: setup.exe

MD5: 1071781b09cbc079fd33a7ae3a39f210

SHA1: f4f5de909d79b93f680410f1379326d09e13a83f

SHA256: 1e520cc48270df92a6c2f2821fde15c9bdb7f34674c4d62f4de5e63d2c7ce190


The sample is an IExpress self-extracting package. IExpress is a legitimate packaging utility built into Microsoft Windows, and its stubs honour the standard switches, so the contents can be unpacked without running the install command (/T sets the extraction folder, /C extracts the files only). After extracting the contents with the following command:

setup.exe /T:c:\temp /C

the extracted files revealed that setup.exe launches an embedded AutoIt executable, which in turn executes an encrypted AutoIt script. The AutoIt script itself was heavily obfuscated and encrypted to conceal the malware’s functionality.
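
If the stub refuses the switches, or the analysis box is not Windows, the embedded cabinet can be carved out of the stub instead. The following is an added example and not tooling from the original analysis: it scans a carrier file for every Microsoft Cabinet header (signature "MSCF", format version 1.3), validates the header so that stray "MSCF" strings are skipped, and cuts the archive out using its own cbCabinet size field. The carrier it runs on is constructed in the script; it is not the actual setup.exe.

```python
"""Carve the embedded Microsoft Cabinet (CAB) out of an IExpress stub.

Added example, not the original analysis tooling. IExpress packages wrap their
files in a CAB archive; the archive starts with the CFHEADER signature "MSCF"
and records its own total size in the cbCabinet field, which is enough to cut
it out of the carrier without running the stub.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

# MS-CAB CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles,
# reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)   # 36 bytes
CFFOLDER_LEN = 8


def parse_cfheader(blob: bytes, off: int) -> Optional[Tuple[int, int]]:
    """Return (cbCabinet, cFiles) if a plausible CFHEADER starts at off, else None."""
    if off + CFHEADER_LEN > len(blob):
        return None
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, _flags, _set_id, _i_cabinet) = struct.unpack_from(CFHEADER_FMT, blob, off)
    # makecab/IExpress emit cabinet format version 1.3.
    if sig != b"MSCF" or (ver_major, ver_minor) != (1, 3):
        return None
    # The cabinet must fit in the carrier and hold at least one folder and file;
    # the CFFILE table must sit after the fixed header and the CFFOLDER entries.
    if cb_cabinet < CFHEADER_LEN or off + cb_cabinet > len(blob):
        return None
    if c_folders == 0 or c_files == 0:
        return None
    if coff_files < CFHEADER_LEN + c_folders * CFFOLDER_LEN or coff_files >= cb_cabinet:
        return None
    return cb_cabinet, c_files


def carve_cabs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, cab_bytes) for every valid cabinet found in blob."""
    found = []
    pos = blob.find(b"MSCF")
    while pos != -1:
        hdr = parse_cfheader(blob, pos)
        if hdr is None:                      # stray "MSCF" string: keep scanning
            pos = blob.find(b"MSCF", pos + 1)
            continue
        found.append((pos, blob[pos:pos + hdr[0]]))
        pos = blob.find(b"MSCF", pos + hdr[0])   # skip past this cabinet's body
    return found


def sha256_hex(data: bytes) -> str:
    """Hash a carved cabinet so it can be recorded as an IOC alongside the stub."""
    return hashlib.sha256(data).hexdigest()


def build_sample_package() -> Tuple[bytes, bytes]:
    """Constructed carrier (not the real setup.exe): fake PE bytes, a decoy
    "MSCF" string that is not a cabinet, then a minimal one-folder/one-file CAB."""
    body = b"\x00" * CFFOLDER_LEN + b"<CFFILE entry + CFDATA block>"   # stand-in tables/data
    cb_cabinet = CFHEADER_LEN + len(body)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, cb_cabinet, 0,
                         CFHEADER_LEN + CFFOLDER_LEN, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    cab = header + body
    stub = b"MZ" + b"\x90" * 200 + b"MSCF is also a string" + b"\x00" * 40
    return stub + cab + b"\x00" * 16, cab


if __name__ == "__main__":
    package, _ = build_sample_package()
    for offset, cab in carve_cabs(package):
        print(f"cabinet at 0x{offset:x}, {len(cab)} bytes, sha256 {sha256_hex(cab)}")
```

On a real stub, call carve_cabs() on the file contents and expand each result with 7-Zip or cabextract; the files inside should match what the /C switch produced.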


The encrypted AutoIt script has the following properties:

Filename: Charge.a3x

MD5: 15d6988a5eec9d594e5762c6bd7a94bf 

SHA1: bf52c1b3dded59db715f260ef03e69d4ea03615e

SHA256: 032a5b8beac4f16c95b8e47001a56eec96899a6ecca8a289b906e5f464a315a2


AutoIt Loader and Shellcode Analysis

After extracting the AutoIt script, we identified shellcode execution behavior.

The malware:

  1. Loads encrypted hexadecimal payload data
  2. Uses RC4 to decrypt the payload
  3. Calls RtlDecompressBuffer
  4. Executes the unpacked memory region
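
The four steps above, reproduced as an added example (not the loader's own code) so the unpack chain can be run on its own. It assumes what the analysis does not state: that RtlDecompressBuffer is called with COMPRESSION_FORMAT_LZNT1, the usual choice in AutoIt loaders, and that the RC4 key is a plain byte string. The key and the encrypted sample are constructed in the script and are not the real payload. The LZNT1 decoder is a pure-Python port of the format, so the chain also runs off-Windows.

```python
"""The AutoIt loader's unpack chain, reproduced: hex -> RC4 -> LZNT1 -> payload.

Added example, not the loader's code. Assumes RtlDecompressBuffer is called with
COMPRESSION_FORMAT_LZNT1 and that the RC4 key is a plain byte string; KEY and the
encrypted sample below are constructed here and are not the real payload.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes) -> bytes:
    """Decode one compressed LZNT1 chunk: groups of a flag byte plus 8 tokens,
    where flag bit i = 0 means a literal byte and 1 means a 16-bit back-reference."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The 16 bits are split between displacement and length; the
            # displacement gains a bit each time the history already output in
            # this chunk doubles beyond 16 bytes (min 4 bits, max 12).
            hist, l_mask, o_shift = len(out) - 1, 0xFFF, 12
            while hist >= 0x10:
                l_mask >>= 1
                o_shift -= 1
                hist >>= 1
            length = (token & l_mask) + 3
            offset = (token >> o_shift) + 1
            if offset > len(out):
                raise ValueError("LZNT1 back-reference points before chunk start")
            for _ in range(length):          # byte-wise copy so overlapping runs work
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """LZNT1 container: 16-bit chunk headers, bit 15 = compressed, bits 0-11 = size-1."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:                      # end-of-stream marker
            break
        size = (header & 0xFFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def unpack_payload(hex_blob: str, key: bytes) -> bytes:
    """Steps 1-3 of the loader: hex decode, RC4 decrypt, LZNT1 decompress."""
    return lznt1_decompress(rc4(key, bytes.fromhex(hex_blob)))


# Constructed sample: one LZNT1 chunk (header 0xB006 = compressed, 7 data bytes).
# Flag 0x10 marks tokens 0-3 as literals "ABCD" and token 4 as a back-reference;
# token 0x3005 encodes displacement 4 (0x3 + 1) and length 8 (0x005 + 3).
COMPRESSED = bytes([0x06, 0xB0, 0x10]) + b"ABCD" + bytes([0x05, 0x30])
KEY = b"hypothetical-rc4-key"                     # not the real key
SAMPLE_HEX = rc4(KEY, COMPRESSED).hex().upper()   # what the script would carry

if __name__ == "__main__":
    print(unpack_payload(SAMPLE_HEX, KEY))    # b'ABCDABCDABCD'
```

Step 4 (executing the result) is deliberately left out; the decompressed bytes are what goes to disk for the next round of analysis, and in this sample that is the Vidar loader.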

This stage revealed the next payload: a Vidar loader.

Why This Matters

This demonstrates a common modern malware strategy:

  • Layered payloads
  • Multi-stage decryption
  • Memory-only execution
  • Reusable loader logic

Each stage complicates analysis and detection.

Vidar Loader and Secondary Payload

The decrypted payload was identified as a Vidar-based loader.

During analysis:

  • Vidar downloaded another executable
  • The downloaded binary was also AutoIt-based
  • The same decryption algorithm was reused

This indicates:

  • Shared builder infrastructure
  • Reusable malware components
  • Consistent operational tooling

Eventually, the final payload was decrypted and unpacked.

The final malware was an infostealer.


Blockchain-Based Command-and-Control

The Most Interesting Discovery

Instead of hardcoding the C2 server inside the malware, the infostealer retrieves configuration data from Ethereum.

The malware:

  1. Connects to public Ethereum RPC APIs
  2. Queries a smart contract
  3. Extracts encoded configuration data
  4. Decodes the C2 address
  5. Connects to the active infrastructure

Example RPC Providers Used

  • ethereum-rpc.publicnode.com
  • rpc.ankr.com
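
The lookup-and-decode steps above as an added example; this is not the stealer's code. The analysis does not give the contract address, the function that is called, or how the configuration string is encoded, so those are assumptions here: a placeholder contract address and function selector, a view function that returns a single ABI-encoded string, and base64 as a stand-in for the inner encoding. The endpoint URLs are the providers' public mainnet paths as documented by them; the node reply is constructed in the script, so nothing is sent to them.

```python
"""Blockchain C2 lookup reproduced offline: build the eth_call, decode the reply.

Added example, not the stealer's code. Assumptions not taken from the sample:
a placeholder contract address and 4-byte selector, a view function returning
one ABI-encoded `string`, and base64 as the stand-in encoding of the C2 URL.
"""
import base64
import json

RPC_ENDPOINTS = ["https://ethereum-rpc.publicnode.com", "https://rpc.ankr.com/eth"]
CONTRACT = "0x" + "11" * 20       # placeholder, not the campaign's contract
SELECTOR = "0xdeadbeef"           # placeholder, not a real function selector


def build_eth_call(contract: str, selector: str, req_id: int = 1) -> dict:
    """JSON-RPC request that makes a node run the contract's read-only function.
    POST json.dumps(...) of this to any endpoint in RPC_ENDPOINTS."""
    return {
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_decode_string(result_hex: str) -> str:
    """Decode a single ABI `string` return: 32-byte offset, 32-byte length, then
    the UTF-8 bytes padded to a multiple of 32."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("truncated ABI string")
    return data.decode("utf-8")


def abi_encode_string(s: str) -> str:
    """Inverse of abi_decode_string; used here only to construct the sample reply."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def resolve_c2(rpc_response: str) -> str:
    """Steps 3-4: pull the encoded configuration out of the node's reply and
    recover the C2 URL. Raises if the node returned an error instead."""
    body = json.loads(rpc_response)
    if "error" in body:
        raise RuntimeError(f"RPC error: {body['error']}")
    encoded = abi_decode_string(body["result"])
    return base64.b64decode(encoded).decode("utf-8")


# Constructed node reply (nothing is sent to the endpoints above).
C2_URL = "http://c2.example.invalid:8080/gate"          # fictional, RFC 2606 TLD
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": abi_encode_string(base64.b64encode(C2_URL.encode()).decode()),
})

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print(resolve_c2(SAMPLE_RESPONSE))                      # http://c2.example.invalid:8080/gate
```

The important property for defenders is visible in build_eth_call: the request is an ordinary read-only eth_call, identical in shape to what a wallet or block explorer sends, and the operator changes the C2 by sending one transaction to the contract rather than by shipping a new binary.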

Why Blockchain C2 Is Dangerous

Traditional infrastructure can often be:

  • Suspended
  • Seized
  • Sinkholed
  • Blocked

Blockchain changes this model.

Key Advantages for Threat Actors

Decentralized Storage

Data written to a smart contract is replicated across every Ethereum node and cannot be taken down the way a server or domain can.

Dynamic Infrastructure

Actors can update configuration without modifying the malware binary.

Public Infrastructure Blending

Requests to public Ethereum RPC services look like ordinary wallet or dApp traffic and blend in with legitimate use.

Resilience

Even if domains are blocked, actors can rotate infrastructure through blockchain updates.

This creates a significant challenge for defenders.


InfoStealer Capabilities

After reversing the payload, we identified several core infostealer functions.


Technical Observations

Several notable characteristics stood out during analysis:

Defensive Recommendations

Organizations should consider:

  • Monitoring unusual Ethereum RPC traffic
  • Detecting AutoIt execution in enterprise environments
  • Inspecting clipboard manipulation behavior
  • Monitoring suspicious memory unpacking activity
  • Identifying malware using decentralized infrastructure
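
Two of the recommendations above (unusual Ethereum RPC traffic, AutoIt execution) turned into detection logic, as an added example that is not part of the original post. It runs over constructed Sysmon-style events (EventID 1 process creation and EventID 3 network connection); the paths and process names in the sample events are made up, and the allow-list of processes expected to talk to Ethereum nodes is an assumption to tune per environment.

```python
"""Behavioural detections for the chain above, run over constructed events.

Added example, not from the original post. The events mimic Sysmon fields
(EventID 1 process creation, EventID 3 network connection); paths, names and
the allow-list are assumptions to tune per environment.
"""

# Public Ethereum JSON-RPC hosts named in the analysis.
PUBLIC_ETH_RPC = {"ethereum-rpc.publicnode.com", "rpc.ankr.com"}
# Processes expected to reach Ethereum nodes (browsers running wallets/dApps). Assumption.
RPC_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Folders a packed AutoIt interpreter should not normally be launched from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_eth_rpc(ev: dict):
    """Network connection to a public Ethereum RPC host from a process that is
    not a browser (a renamed AutoIt interpreter, a dropped stealer, ...)."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    if host in PUBLIC_ETH_RPC and image_name(ev.get("Image", "")) not in RPC_ALLOWLIST:
        return ("eth_rpc_from_unexpected_process", ev["Image"], host)
    return None


def rule_autoit(ev: dict):
    """AutoIt interpreter (PE OriginalFileName AutoIt3.exe) that has been renamed,
    runs from a user-writable folder, or is handed a compiled .a3x script."""
    if ev.get("EventID") != 1:
        return None
    if ev.get("OriginalFileName", "").lower() != "autoit3.exe":
        return None
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "").lower()
    renamed = image_name(image) != "autoit3.exe"
    from_user_dir = any(d in image.lower() for d in USER_WRITABLE)
    if renamed or from_user_dir or ".a3x" in cmd:
        return ("autoit_interpreter_suspicious", image, ev.get("CommandLine", ""))
    return None


def detect(events):
    """Run every rule over every event; return the list of (rule, image, detail) hits."""
    alerts = []
    for ev in events:
        for rule in (rule_eth_rpc, rule_autoit):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not logs from the investigation). IExpress stubs
# unpack into %TEMP%\IXP000.TMP; the dropped interpreter name "runtime.exe" is hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\IXP000.TMP\\runtime.exe",
     "OriginalFileName": "AutoIt3.exe", "CommandLine": "runtime.exe Charge.a3x"},
    {"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\IXP000.TMP\\runtime.exe",
     "DestinationHostname": "ethereum-rpc.publicnode.com", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "rpc.ankr.com", "DestinationPort": 443},
    {"EventID": 1, "Image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe", "CommandLine": "AutoIt3.exe C:\\dev\\build.au3"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The RPC rule keys on the destination host rather than on a hash or URL, which is the point of the analysis: the hosts stay constant while everything the operator controls can change. The AutoIt rule keys on the PE's OriginalFileName because renaming the interpreter is free for the attacker but rewriting the version resource is rarely done.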

Traditional IOC-based detection alone is becoming insufficient.

Behavioral analysis is increasingly important.


Summary

This campaign demonstrates how cybercriminal infrastructure is evolving beyond traditional hosting providers and centralized services.

Blockchain-based malware infrastructure introduces:

  • Greater resiliency
  • Dynamic reconfiguration
  • Reduced takedown effectiveness
  • Increased operational longevity

The future of malware infrastructure will likely continue moving toward decentralized services and legitimate platforms to blend malicious traffic with normal behavior.

The focus for defenders can no longer be limited to binaries alone.

Infrastructure behavior, execution patterns, and operational workflows are becoming just as important as malware signatures.


IOCs:

hxxps://graph[.]org/Installer-x64-01-22

hxxps://cutt[.]ly/AthF1WwA

setup.exe

MD5: 1071781b09cbc079fd33a7ae3a39f210

SHA1: f4f5de909d79b93f680410f1379326d09e13a83f

SHA256: 1e520cc48270df92a6c2f2821fde15c9bdb7f34674c4d62f4de5e63d2c7ce190


About the Author

Nguyen Nguyen

Nguyen (Founder & CEO @ CyberArmor) is a seasoned cybersecurity leader with over 15 years of experience in software engineering, malware research, and cyber threat intelligence.