A new Malware-as-a-Service (MaaS) offering has emerged on hacking forums, representing a significant shift in cybercrime by providing sophisticated tools for less technically skilled criminals.

Cybersecurity researchers have identified this MaaS botnet, which utilizes advanced evasion techniques and legitimate development frameworks to enhance its effectiveness.

A notable feature of this botnet is its use of Ethereum smart contracts to acquire command and control (C2) server addresses, making it resilient against takedown efforts due to the immutable nature of blockchain.

The malware is designed to access smart contracts to retrieve current C2 server addresses, allowing attackers to update server locations dynamically.

The botnet's source code operates on a Node.js runtime and incorporates a blockchain-based C2 system, which enhances its resilience and scalability.

The Node.js component allows the malware to fetch and execute remote payloads while disguising itself as legitimate software through techniques like file minification and obfuscation.

To distribute the malware, a malicious .msi installer is used, which deploys a DLL to gather system information and establish persistence via scheduled tasks.

The botnet employs advanced evasion strategies, including WebSocket communications, enabling it to blend seamlessly with normal network traffic.

In response to these evolving threats, security teams are advised to monitor for indicators such as Node.js installers and blockchain transaction patterns, and to adopt behavior-based detection systems.

This MaaS offering illustrates a dramatic escalation in the capabilities of cybercriminals, combining various advanced techniques into a single, purchasable product.