Eternity Worm
⚠️ Overview
Eternity Worm is a modular malware toolkit first identified in mid‑2021 by Cyble and researchers at Trend Micro, marketed as a Malware‑as‑a‑Service (MaaS) on Telegram and dark‑web forums by the threat group known as Eternity Team. It is classified as a multi‑component stealer, ransomware, and worm, with capabilities spanning credential theft, cryptocurrency wallet hijacking, and self‑propagating worm‑like spread.
🔧 Technical Capabilities
Eternity Worm includes five primary modules: an information stealer targeting browser credentials, crypto‑wallet files, and FTP clients; a clipper that replaces cryptocurrency addresses in the clipboard; a ransomware variant called EternityRansomware that encrypts files with AES‑256 using a unique per‑machine key; a worm module that spreads via USB drives and network shares by copying its executable and creating autorun entries; and a DDoS bot that launches HTTP flood attacks against specified targets. The C2 infrastructure uses a custom protocol over TCP port 443 with JSON‑formatted commands, often hosted on bullet‑proof providers. Persistence is achieved via Windows Registry Run keys and scheduled tasks, while evasion techniques include obfuscation through commercial packers (e.g., VMProtect) and DLL sideloading. MITRE ATT&CK IDs associated include T1547.001 (Boot or Logon Autostart Execution), T1091 (Replication Through Removable Media), and T1071.001 (Application Layer Protocol: Web Protocols).
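The persistence and worm behaviours described above (Run keys, scheduled tasks, copies to USB drives and network shares) are the parts of this profile a defender can turn into host-based detections. The following is an added example, not code from the profile or from any vendor product: it scans constructed Sysmon-style events and tags each hit with the ATT&CK technique the profile lists (T1547.001, T1091). The Sysmon field names, the inventory of removable drive letters, and the two extra ATT&CK IDs used for scheduled tasks (T1053.005) and network-share drops (T1080) are assumptions of this example, not values taken from the page.

```python
"""Added example (not from the Eternity Worm profile or any vendor product):
map Sysmon-style host telemetry to ATT&CK techniques for the persistence and
propagation behaviours the profile describes.

The events below are constructed. Field names follow common Sysmon conventions
(EventID 1 process create, 11 file create, 13 registry value set) and are an
assumption of this example, as is the list of removable drive letters.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Persistence locations named in the profile: Registry Run keys (T1547.001, on the
# page) and scheduled tasks (T1053.005, an ATT&CK ID not listed on the page).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE
)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    summary: str
    event_index: int


def drive_of(path: str) -> str:
    """Return the drive prefix of a Windows path, e.g. 'E:' ('' for UNC/relative)."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def detect(events: Iterable[dict], removable_drives: Iterable[str]) -> list:
    """Scan events in order and return ATT&CK-tagged findings."""
    removable = {d.upper() for d in removable_drives}
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(Finding(
                "T1547.001",
                f"Run key set: {ev['TargetObject']} -> {ev.get('Details', '')}", i))
        elif eid == 1 and SCHTASKS_CREATE_RE.search(ev.get("CommandLine", "")):
            findings.append(Finding(
                "T1053.005", f"Scheduled task created: {ev['CommandLine']}", i))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            name = target.rsplit("\\", 1)[-1].lower()
            # Worm module: its executable plus an autorun entry written to a
            # removable drive (T1091) or an executable dropped on a share (T1080).
            propagating = name == "autorun.inf" or name.endswith(".exe")
            if propagating and drive_of(target) in removable:
                findings.append(Finding(
                    "T1091",
                    f"Write to removable media: {target} by {ev.get('Image', '?')}", i))
            elif propagating and target.startswith("\\\\"):
                findings.append(Finding(
                    "T1080",
                    f"Executable dropped on network share: {target} by {ev.get('Image', '?')}", i))
    return findings


# Constructed telemetry: four malicious-looking events followed by benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\Public\\svc.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\svc.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\svc.exe"},
    {"EventID": 11, "Image": "C:\\Users\\Public\\svc.exe", "TargetFilename": "E:\\autorun.inf"},
    {"EventID": 11, "Image": "C:\\Users\\Public\\svc.exe", "TargetFilename": "E:\\svc.exe"},
    {"EventID": 11, "Image": "C:\\Users\\Public\\svc.exe",
     "TargetFilename": "\\\\FILESRV\\public\\svc.exe"},
    {"EventID": 11, "Image": "C:\\Program Files\\Office\\word.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKLM\\Software\\Vendor\\Setting", "Details": "1"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "E:\\holiday.docx"},
]
REMOVABLE_DRIVES = ["E:"]  # assumed inventory of mounted removable volumes

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, REMOVABLE_DRIVES):
        print(f"[{f.technique}] event {f.event_index}: {f.summary}")
```

The removable-drive inventory matters: without it, a `.exe` landing on `E:` is indistinguishable from an ordinary file save, so the T1091 rule is only as good as the volume telemetry feeding it. Benign writes to removable media (the `holiday.docx` event) fall through because the rule keys on the autorun file and executables, which is what the profile says the worm module drops.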
📜 History & Notable Incidents
The Eternity Worm first surfaced in June 2021, with active campaigns observed by Cyble in July 2021 targeting cryptocurrency users and small businesses across Europe and North America. No high‑profile victims or CVE exploits have been publicly attributed directly to Eternity Worm, but the ransomware component has been used in low‑volume attacks against manufacturing and retail sectors. Law enforcement actions remain absent as of 2025, though the original Telegram channels were taken down in 2022 by Telegram itself, leading the group to rebrand as “Eternity Team 2.0”.
🔍 Detection Indicators
Known file hashes include SHA‑256 values from Cyble reports: e.g., 9f5c4a1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (fictional example for context). Behavioral signatures include simultaneous outbound connections on port 443 with JSON payloads, encrypted file extensions such as .encrypted_eternity, and creation of the mutex GlobalEternityMutex. Network IOCs include C2 domains ending in .top or .club registered via Namecheap, and User‑Agent strings mimicking Chrome 91.0.4472.124.
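The indicators listed above differ sharply in specificity: the mutex name and the ransom file extension are particular to this family, while a `.top` or `.club` domain or a Chrome 91 User-Agent string on its own will match plenty of legitimate traffic. The following is an added example, not code from the profile or from any vendor product: it matches constructed host and network telemetry against the profile's indicators, weights each hit, and aggregates per host so that weak indicators alone do not page anyone. The event schema, the weights and the alert threshold are assumptions of this example; the indicator values themselves are the ones the profile gives.

```python
"""Added example (not from the Eternity Worm profile or any vendor product):
weighted IOC matching over constructed telemetry using the indicators the
profile lists. Event field names, weights and threshold are assumptions.
"""
from collections import defaultdict

# Indicator values taken from the profile's Detection Indicators section.
MUTEX_NAME = "GlobalEternityMutex"
ENCRYPTED_EXT = ".encrypted_eternity"
C2_TLDS = (".top", ".club")
SPOOFED_CHROME_UA_FRAGMENT = "Chrome/91.0.4472.124"  # UA the profile says is mimicked

# Weights are an assumption of this example: family-specific artefacts score
# high, while a .top/.club domain or an old Chrome UA alone is weak evidence.
WEIGHTS = {"mutex": 5, "encrypted_ext": 5, "json_on_443": 3, "spoofed_ua": 2, "c2_tld": 1}
ALERT_THRESHOLD = 5


def score_event(ev: dict) -> list:
    """Return the names of the indicators a single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "mutex" and ev.get("name") == MUTEX_NAME:
        hits.append("mutex")
    elif kind == "file" and ev.get("path", "").lower().endswith(ENCRYPTED_EXT):
        hits.append("encrypted_ext")
    elif kind == "network":
        if ev.get("domain", "").lower().endswith(C2_TLDS):
            hits.append("c2_tld")
        if SPOOFED_CHROME_UA_FRAGMENT in ev.get("user_agent", ""):
            hits.append("spoofed_ua")
        # The profile describes JSON commands over TCP 443. A genuine HTTPS
        # session begins with a TLS record (0x16), never with a JSON object, so a
        # '{' as the first payload byte on 443 is the distinguishing feature.
        if ev.get("dst_port") == 443 and ev.get("payload_prefix", "").lstrip().startswith("{"):
            hits.append("json_on_443")
    return hits


def triage(events: list) -> dict:
    """Aggregate indicator hits per host and decide which hosts cross the threshold."""
    per_host = defaultdict(lambda: {"score": 0, "indicators": set()})
    for ev in events:
        for hit in score_event(ev):
            per_host[ev["host"]]["score"] += WEIGHTS[hit]
            per_host[ev["host"]]["indicators"].add(hit)
    return {
        host: {
            "score": v["score"],
            "indicators": sorted(v["indicators"]),
            "alert": v["score"] >= ALERT_THRESHOLD,
        }
        for host, v in per_host.items()
    }


# Constructed telemetry. WS-01 shows the full indicator set; WS-02 only visited
# a .club site over normal TLS; WS-03 matches nothing.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "mutex", "name": "GlobalEternityMutex"},
    {"host": "WS-01", "type": "file",
     "path": "C:\\Users\\alice\\Documents\\budget.xlsx.encrypted_eternity"},
    {"host": "WS-01", "type": "network", "dst_port": 443, "domain": "srv-update.top",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0.4472.124 Safari/537.36",
     "payload_prefix": '{"cmd": "ping"'},
    {"host": "WS-02", "type": "network", "dst_port": 443, "domain": "news.club",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36",
     "payload_prefix": "\x16\x03\x01"},
    {"host": "WS-03", "type": "file", "path": "C:\\Users\\bob\\notes.txt"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["alert"] else "info"
        print(f"{flag:5} {host} score={result['score']} indicators={result['indicators']}")
```

The profile also notes that the C2 domains were registered through Namecheap; that is a registrar attribute rather than something visible in flow or proxy logs, so it is left out of the matcher and belongs in an enrichment step. Likewise the single SHA-256 on the page is labelled by the profile itself as a fictional example, so it is not used as an indicator here.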
☠️ Risk & Impact
The worm’s data‑exfiltration capabilities compromise login credentials, crypto‑wallet private keys, and browser‑stored passwords, leading to financial theft. The ransomware component encrypts files irreversibly unless the victim pays a ransom (typically 0.5–2 BTC), with no public decryptor available. Affected sectors include cryptocurrency investors, small manufacturing firms, and healthcare clinics, with estimated cumulative losses exceeding $3 million as of 2024.
🛡️ Mitigation
Defenders should block execution of unsigned executables from removable media, enforce application whitelisting, and deploy endpoint detection rules that flag outbound JSON traffic on non‑standard ports. Regular patching of Windows vulnerabilities, especially CVE‑2021‑34527 (PrintNightmare) and CVE‑2020‑1472 (Zerologon), reduces worm‑propagation vectors. Security tools such as Microsoft Defender for Endpoint and CrowdStrike Falcon detect Eternity Worm modules via behavioral analysis (e.g., MITRE T1091, T1547).