EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

2026-03-25 eSentire

https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons

eSentire TRU detected EtherRAT in a retail customer environment in March 2026 and notes that Sysdig has linked the Node.js backdoor to a North Korean APT through overlaps with Contagious Interview TTPs. The observed intrusion used ClickFix to run pcalua.exe and mshta.exe, retrieve a malicious HTA from shepherdsestates[.]uk, and execute obfuscated Node.js stages that decrypted payloads with AES-256-CBC. The malware established persistence with a randomized HKCU Run value and launched EtherRAT through Node.js, enabling arbitrary command execution, host information gathering, and theft of assets such as cryptocurrency wallets and cloud credentials. EtherRAT retrieved C2 addresses from an Ethereum smart contract via public RPC providers, then blended beaconing into CDN-like HTTPS URLs, with a C2-delivered SYS_INFO module used for fingerprinting and target selection.
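Two of the host-side behaviours in the chain above are straightforward to hunt for in endpoint telemetry: pcalua.exe proxying mshta.exe to fetch a remote HTA, and an HKCU Run value that launches Node.js. The following detection logic is an added example, not code from eSentire or the report; the event shape and the sample events are constructed for illustration and use a placeholder domain rather than the report's indicators.

```python
import re

# Constructed sample telemetry (not from the report): simplified Sysmon-like
# process-creation and registry-set events. The .invalid TLD is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\pcalua.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/update.hta"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Xk9qTz2", "data": r"C:\Users\u\AppData\Roaming\node\node.exe loader.js"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\git-bash.exe", "cmdline": "git-bash.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

URL_RE = re.compile(r"https?://", re.I)
NODE_RE = re.compile(r"\bnode\b", re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_etherrat_chain(events):
    """Return (rule_name, detail) tuples for events matching the two behaviours."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            img, parent = basename(ev["image"]), basename(ev["parent"])
            # ClickFix step from the report: pcalua.exe used as a launcher for
            # mshta.exe, which retrieves a remote HTA. Either the parent or a
            # URL on the command line is enough to flag.
            if img == "mshta.exe" and (parent == "pcalua.exe" or URL_RE.search(ev["cmdline"])):
                findings.append(("clickfix_mshta", ev["cmdline"]))
        elif ev["type"] == "registry":
            key = ev["key"].lower()
            # Persistence step from the report: an HKCU Run value (randomised
            # name) whose data invokes Node.js. Value names are not matched,
            # only what the value launches.
            if key.startswith("hkcu") and key.endswith("\\currentversion\\run"):
                if NODE_RE.search(ev["data"]):
                    findings.append(("node_run_persistence", f'{ev["value"]} -> {ev["data"]}'))
    return findings


if __name__ == "__main__":
    for rule, detail in detect_etherrat_chain(SAMPLE_EVENTS):
        print(rule, detail)
```

In production the Node.js rule needs an allowlist for hosts where Node.js is legitimately started at logon, since the match is on the launched binary rather than the randomised value name.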

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN shepherdsestates.uk 2026-03-25 2026-03-25
DOMAIN aurineuroth.com 2026-03-25 2026-03-25
IPv4 185.218.19.162 2026-03-25 2026-03-25