SOC Prime Bias: Medium

28 Apr 2026 18:45

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report explains how established cybercrime infrastructure is increasingly converging with cryptocurrency drainer operations, giving rise to hybrid attack ecosystems that put both Web2 and Web3 assets at risk. Threat actors rely on polished phishing pages themed around AI tools or financial services to convince victims to connect their wallets, authorize token transactions, and unknowingly transfer funds across multiple blockchains. Two featured examples, StepDrainer and EtherRAT, demonstrate how this model spans both browser-based wallet draining and Windows malware with blockchain-aware functionality. As a result, the threat now extends well beyond cryptocurrency-native users and reaches deeper into mainstream enterprise environments.

Investigation

Researchers examined the StepDrainer malware-as-a-service operation, including its PHP and JavaScript staging infrastructure and its use of Web3Modal to display convincing wallet connection prompts. They also analyzed the EtherRAT Windows malware, which was delivered through a trojanized TFTP installer, maintained persistence through a Run registry key, and communicated with Ethereum and Solana RPC endpoints. During the investigation, the team extracted indicators such as malicious domains, registry keys, and command-line artifacts tied to both attack paths.

Mitigation

Organizations should block access to known malicious domains, require multi-factor authentication for wallet extensions wherever possible, and monitor systems for suspicious Run registry entries and unexpected Node.js processes. Security teams should also inspect traffic to public blockchain RPC services for anomalous behavior and regularly review browser extensions for signs of tampering or abuse.

Response

If this activity is detected, isolate the affected host immediately, remove the malicious Run registry entry, terminate unauthorized Node.js processes, and revoke all token approvals granted by the impacted wallets. Investigators should then perform forensic analysis to identify any additional payloads or persistence mechanisms and update allow-lists or blocklists to prevent further communication with the identified command-and-control infrastructure.

Attack Flow

    graph TB
    %% Class Definitions
    classDef technique fill:#99ccff
    classDef tool fill:#ffcc99
    classDef process fill:#ffeb99
    classDef operator fill:#ff9900

    %% Nodes – Techniques
    initial_access["<b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b><br/><b>Description</b>: Victims click a crafted link that launches malicious content."]
    class initial_access technique
    delivery_html_smuggling["<b>Technique</b> – <b>T1027.006 Obfuscated Files or Information: HTML Smuggling</b><br/><b>Description</b>: Malicious JavaScript is delivered via a web page that hides the payload in HTML."]
    class delivery_html_smuggling technique
    delivery_compile_after["<b>Technique</b> – <b>T1027.004 Obfuscated Files or Information: Compile After Delivery</b><br/><b>Description</b>: Payload is assembled on the host after the initial delivery."]
    class delivery_compile_after technique
    delivery_embedded_payloads["<b>Technique</b> – <b>T1027.009 Obfuscated Files or Information: Embedded Payloads</b><br/><b>Description</b>: Payload is hidden inside another file such as JavaScript."]
    class delivery_embedded_payloads technique
    delivery_deobfuscate["<b>Technique</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/><b>Description</b>: Base64 data is decoded in the browser before execution."]
    class delivery_deobfuscate technique
    persistence_run_key["<b>Technique</b> – <b>T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce</b><br/><b>Description</b>: Installer creates a Run key to launch a malicious node.exe."]
    class persistence_run_key technique
    persistence_appcert["<b>Technique</b> – <b>T1546.009 Event Triggered Execution: AppCert DLLs</b><br/><b>Description</b>: DLLs signed with a trusted certificate are loaded to achieve persistence."]
    class persistence_appcert technique
    recon_hardware["<b>Technique</b> – <b>T1592.001 Gather Victim Host Information: Hardware</b><br/><b>Description</b>: Malware queries hardware details of the compromised system."]
    class recon_hardware technique
    recon_firmware["<b>Technique</b> – <b>T1592.003 Gather Victim Host Information: Firmware</b><br/><b>Description</b>: Malware collects firmware version and BIOS information."]
    class recon_firmware technique
    c2_web_protocols["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/><b>Description</b>: Uses standard web traffic (HTTP/HTTPS) for command and control."]
    class c2_web_protocols technique
    c2_bidirectional["<b>Technique</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/><b>Description</b>: Allows two-way messaging between implant and server."]
    class c2_bidirectional technique
    c2_oneway["<b>Technique</b> – <b>T1102.003 Web Service: One-Way Communication</b><br/><b>Description</b>: Sends data to server without expecting response."]
    class c2_oneway technique
    c2_encrypted["<b>Technique</b> – <b>T1573 Encrypted Channel</b><br/><b>Description</b>: C2 traffic is encrypted to evade detection."]
    class c2_encrypted technique
    c2_data_encoding["<b>Technique</b> – <b>T1132 Data Encoding</b><br/><b>Description</b>: Data is encoded (e.g., base64) before transmission."]
    class c2_data_encoding technique
    c2_config_repo["<b>Technique</b> – <b>T1602 Data from Configuration Repository</b><br/><b>Description</b>: Configuration data is retrieved from on-chain repositories."]
    class c2_config_repo technique
    asset_drain["<b>Technique</b> – <b>T1204.002 User Execution: Token Approval</b><br/><b>Description</b>: Victim approves token allowances via injected Web3Modal UI, enabling asset transfer."]
    class asset_drain technique

    %% Nodes – Tools / Processes
    tool_malicious_link["<b>Tool</b> – <b>Name</b>: Malicious Phishing Link<br/><b>Description</b>: Crafted URL that loads the fake trading portal."]
    class tool_malicious_link tool
    tool_js_payload["<b>Tool</b> – <b>Name</b>: Obfuscated JavaScript Payload<br/><b>Description</b>: Base64-encoded code executed in the browser."]
    class tool_js_payload tool
    process_installer["<b>Process</b> – <b>Name</b>: Windows Installer<br/><b>Description</b>: Drops Run key and node.exe."]
    class process_installer process
    tool_node_exe["<b>Tool</b> – <b>Name</b>: node.exe<br/><b>Description</b>: Executes the malicious JavaScript after persistence."]
    class tool_node_exe tool
    tool_web3modal["<b>Tool</b> – <b>Name</b>: Web3Modal UI<br/><b>Description</b>: Injected UI that prompts user to approve token transfers."]
    class tool_web3modal tool

    %% Operators (optional)
    op_and(("AND"))
    class op_and operator

    %% Connections – Attack Flow
    initial_access -->|leads_to| delivery_html_smuggling
    delivery_html_smuggling -->|uses| tool_malicious_link
    delivery_html_smuggling -->|uses| tool_js_payload
    delivery_html_smuggling -->|enables| delivery_compile_after
    delivery_compile_after -->|enables| delivery_embedded_payloads
    delivery_embedded_payloads -->|triggers| delivery_deobfuscate
    delivery_deobfuscate -->|creates| process_installer
    process_installer -->|drops| persistence_run_key
    process_installer -->|may_use| persistence_appcert
    persistence_run_key -->|executes| tool_node_exe
    persistence_appcert -->|loads| tool_node_exe
    tool_node_exe -->|collects| recon_hardware
    tool_node_exe -->|collects| recon_firmware
    recon_hardware -->|feeds| c2_web_protocols
    recon_firmware -->|feeds| c2_web_protocols
    c2_web_protocols -->|supports| c2_bidirectional
    c2_web_protocols -->|supports| c2_oneway
    c2_bidirectional -->|uses| c2_encrypted
    c2_oneway -->|uses| c2_encrypted
    c2_encrypted -->|encodes| c2_data_encoding
    c2_data_encoding -->|stores_config_in| c2_config_repo
    c2_config_repo -->|provides| asset_drain
    asset_drain -->|uses| tool_web3modal

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands

    The adversary has already placed a malicious JavaScript file (payload.js) on the target. To achieve persistence, they use the installed node.exe binary to start conhost.exe in headless mode, which then loads the JavaScript payload. This technique avoids visible console windows and blends into normal node usage.

    1. Drop the malicious payload (payload.js) to a temporary location.
    2. Execute node.exe with a command that spawns conhost.exe --headless pointing to the payload.
    3. Create a scheduled task that runs the same command at system startup, providing persistence.
  • Regression Test Script

    # EtherRAT Persistence Simulation – PowerShell
    # -------------------------------------------------
    # 1. Prepare the simulated JavaScript payload
    $payloadPath = Join-Path $env:TEMP 'payload.js'
    @"
    // Minimal stand-in for the implant – in reality this would load EtherRAT.
    // calc.exe is launched detached so the simulation does not block on it.
    const { spawn } = require('child_process');
    spawn('calc.exe', { detached: true, stdio: 'ignore' }).unref(); // Example side-effect
    "@ | Set-Content -Encoding UTF8 $payloadPath
    
    # 2. Locate node.exe (assumed to be in PATH). Get-Command throws when the
    #    command is missing, so suppress that and test the result explicitly.
    $node = (Get-Command node.exe -ErrorAction SilentlyContinue).Source
    if (-not $node) {
        Write-Error "node.exe not found in PATH."
        exit 1
    }
    
    # 3. Build the conhost command line. "conhost.exe --headless <program> <args>"
    #    runs the program without a visible console window; node.exe is the
    #    program and payload.js its argument, so the JavaScript is actually loaded.
    $conhost = Join-Path $env:SystemRoot 'System32\conhost.exe'
    
    # Render a Windows path as a single-quoted JavaScript string literal
    # (backslashes doubled). execFile with an argument array keeps double quotes
    # out of the script, so the -e argument survives both PowerShell and the
    # scheduled-task command line intact.
    function ConvertTo-JsLiteral([string]$Path) { "'" + ($Path -replace '\\', '\\') + "'" }
    $jsArgs = @('--headless', $node, $payloadPath) | ForEach-Object { ConvertTo-JsLiteral $_ }
    $script = "require('child_process').execFile($(ConvertTo-JsLiteral $conhost), [$($jsArgs -join ', ')])"
    
    # 4. Launch via node.exe (this creates the node.exe -> conhost.exe parent-child relationship)
    & $node -e $script
    
    # 5. OPTIONAL: Create scheduled task for persistence
    $taskName = "SystemUpdate"
    $action = New-ScheduledTaskAction -Execute $node -Argument "-e `"$script`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -RunLevel Highest -Force
  • Cleanup Commands

    # Remove scheduled task
    Unregister-ScheduledTask -TaskName "SystemUpdate" -Confirm:$false -ErrorAction SilentlyContinue
    
    # Delete payload
    Remove-Item -Path (Join-Path $env:TEMP 'payload.js') -Force -ErrorAction SilentlyContinue
    
    # Stop any lingering conhost processes spawned by the test. Win32_Process exposes
    # the command line on every PowerShell version (Get-Process only does so in 7+),
    # and matching on payload.js avoids killing the headless conhost instances that
    # terminals and editors legitimately create.
    Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" |
        Where-Object { $_.CommandLine -match '--headless' -and $_.CommandLine -match 'payload\.js' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
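As an added defender-side example (not part of the SOC Prime report or its simulation script), the following Python prototypes the detection logic the Mitigation section calls for and that the simulation above should trigger: it flags conhost.exe --headless launched by node.exe, and Run-key values that start node.exe, over constructed Sysmon-style events. The paths, SID and file names in the sample events are made up.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records; paths and names are made up.
SAMPLE_PROC_EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Windows\System32\conhost.exe" --headless '
                    r'"C:\Program Files\nodejs\node.exe" C:\Users\a\AppData\Local\Temp\payload.js'},
    {"Image": r"C:\Windows\System32\conhost.exe",           # ordinary console host, no --headless
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\System32\conhost.exe 0x4"},
    {"Image": r"C:\Windows\System32\conhost.exe",           # editors/terminals also use --headless
     "ParentImage": r"C:\Users\a\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Windows\System32\conhost.exe" --headless --width 120 --height 30 cmd.exe'},
]

# Constructed Sysmon Event ID 13 (registry value set) records.
SAMPLE_REG_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate",
     "Details": r'"C:\Program Files\nodejs\node.exe" C:\Users\a\AppData\Roaming\svc\main.js'},
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

NODE_EXE = re.compile(r"\\node\.exe\b", re.IGNORECASE)        # node.exe as a path component
HEADLESS = re.compile(r"(^|\s)--headless(\s|$)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)

def headless_conhost_from_node(ev):
    """conhost.exe --headless is legitimate for terminals and editors; the discriminator
    is node.exe as the parent or as the program conhost is asked to host."""
    if not ev["Image"].lower().endswith(r"\conhost.exe"):
        return False
    if not HEADLESS.search(ev["CommandLine"]):
        return False
    return bool(NODE_EXE.search(ev["ParentImage"]) or NODE_EXE.search(ev["CommandLine"]))

def run_key_launches_node(ev):
    """A Run-key value whose data starts node.exe matches the EtherRAT persistence artifact."""
    return bool(RUN_KEY.search(ev["TargetObject"]) and NODE_EXE.search(ev["Details"]))

def find_suspicious(proc_events, reg_events):
    """Return the command lines and registry values that should be raised for triage."""
    hits = [e["CommandLine"] for e in proc_events if headless_conhost_from_node(e)]
    hits += [e["TargetObject"] for e in reg_events if run_key_launches_node(e)]
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_PROC_EVENTS, SAMPLE_REG_EVENTS):
        print("SUSPICIOUS:", hit)
```

Only the node-parented headless conhost and the SystemUpdate Run value are raised; the VS Code headless conhost and the OneDrive Run value pass, which is the false-positive boundary a production rule needs to keep.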