Spoofed IT Tools Distribute EtherRAT in Highly Stealthy Campaign Suspected to Be Linked to a DPRK APT
2026-04-08 • Phatom Candle
Phatom Candle tracked EtherRAT distribution through malicious MSI installers disguised as common IT administration tools, with TTP overlap with an APT group suspected of association with the DPRK. The lures targeted administrators and support personnel by spoofing utilities such as RDCMan, DelProf2, Disk2vhd, Autoruns, Procmon, Bitvise SSH Client, AzCopy, Kusto.Explorer, Autologon, and PsTools.

The infection chain decrypts staged payloads using XOR or AES-CBC, installs a Node.js environment, writes a Node.js EtherRAT payload to registry AutoRun persistence, and then retrieves C2 information from Ethereum blockchain data. EtherRAT's EtherHiding approach stores the active C2 server details in blockchain transactions or smart-contract storage and uses CDN-like beaconing to blend its traffic with legitimate activity and to allow infrastructure rotation.

Listed indicators include MD5 hashes and C2 domains such as publisherresolution[.]com, luminer[.]work, gateway001kir[.]com, solidactivate[.]com, 4apcnbr[.]microsoft[.]com, footballoff[.]com, and bermanlawrsk[.]com.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | cff02735bd4df3dcd917dfc187f52df2 | 2026-04-08 | 2026-04-08 |
| HASH | 31c614f72d80e1422530b8b9c6edd67f | 2026-04-08 | 2026-04-08 |
| HASH | 4895d94d7e246ac6f4337aed761fdbce | 2026-04-08 | 2026-04-08 |
| HASH | d45795d84bd31847f803251a8a125098 | 2026-04-08 | 2026-04-08 |
| DOMAIN | publisherresolution.com | 2026-04-08 | 2026-04-08 |
| DOMAIN | solidactivate.com | 2026-04-08 | 2026-04-08 |
| DOMAIN | gateway001kir.com | 2026-04-08 | 2026-04-08 |
| DOMAIN | bermanlawrsk.com | 2026-04-08 | 2026-04-08 |
| DOMAIN | footballoff.com | 2026-04-08 | 2026-04-08 |
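As an added illustration (not part of the report and not Phatom Candle's tooling), the following Python hunt helper turns the chain described above into three checks a defender can run over endpoint telemetry: a registry Run/RunOnce value that launches node.exe (the Node.js AutoRun persistence), DNS queries to the C2 domains in the table above (including their subdomains, since the report notes CDN-like beaconing), and process images whose MD5 matches the listed hashes. Field names loosely follow Sysmon event IDs 13, 22 and 1 but are simplified, and the sample events are constructed for this example.

```python
"""Hunt helper for the EtherRAT chain: Node.js Run-key persistence plus
IoC hash/domain matching. Events are simplified Sysmon-style dicts."""
import re

# IoCs copied from the report's table (MD5 hashes and C2 domains).
IOC_MD5 = {
    "cff02735bd4df3dcd917dfc187f52df2",
    "31c614f72d80e1422530b8b9c6edd67f",
    "4895d94d7e246ac6f4337aed761fdbce",
    "d45795d84bd31847f803251a8a125098",
}
IOC_DOMAINS = {
    "publisherresolution.com",
    "solidactivate.com",
    "gateway001kir.com",
    "bermanlawrsk.com",
    "footballoff.com",
}

# Registry Run / RunOnce keys under any hive (HKU\<SID>\... or HKLM\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# A command line whose program is node / node.exe.
NODE_RE = re.compile(r'(^|[\\\s"])node(\.exe)?\b', re.IGNORECASE)


def domain_matches(name):
    """True if name equals an IoC domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def hunt(events):
    """Return (rule, indicator, context) tuples for every matching event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # registry value set
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY_RE.search(target) and NODE_RE.search(details):
                findings.append(("node_run_key_persistence", target, details))
        elif eid == 22:  # DNS query
            qname = ev.get("QueryName", "")
            if domain_matches(qname):
                findings.append(("ioc_domain_dns", qname, ev.get("Image", "")))
        elif eid == 1:  # process create; Hashes holds "MD5=...,SHA256=..."
            m = re.search(r"MD5=([0-9a-fA-F]{32})", ev.get("Hashes", ""))
            if m and m.group(1).lower() in IOC_MD5:
                findings.append(("ioc_md5_process", m.group(1).lower(), ev.get("Image", "")))
    return findings


# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate",
     "Details": r'"C:\Users\admin\AppData\Roaming\nodejs\node.exe" "C:\Users\admin\AppData\Roaming\nodejs\svc.js"'},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.microsoft.com"},
    {"EventID": 22, "Image": r"C:\Users\admin\AppData\Roaming\nodejs\node.exe",
     "QueryName": "cdn.solidactivate.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 1, "Image": r"C:\Users\admin\AppData\Local\Temp\rdcman_setup.exe",
     "Hashes": "MD5=cff02735bd4df3dcd917dfc187f52df2"},
]

if __name__ == "__main__":
    for rule, indicator, context in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {indicator}  <- {context}")
```

The Run-key rule is the one worth tuning for your estate: legitimate Electron or Node-based tools rarely persist as a bare node.exe invoking a script from a user profile, so pair a hit with the parent process (an MSI install chain via msiexec.exe) and with the DNS rule before escalating.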