C2 in the Ether

ID: ca83d51b-2551-52b1-b8a9-e64ac4424d32

STIX ID: report--ca83d51b-2551-52b1-b8a9-e64ac4424d32

Feed Name: IntelInsights (Substack)

Threat Score
70/100

Date Published: 2026-04-28

Date Updated: 2026-04-28

Author: Vasilis Orlof

...
...

This report examines a Remus infostealer variant that uses an Ethereum smart contract (DomainStorage) and EtherHiding dead-drop resolvers to store and rotate C2 domains. The author identifies an active contract (0x999941b74F6bbc921D5174A5b29911562cd2D7CF), a backup contract, operator and funding wallets, active and historical C2s (fightwa.biz:5902, chalx.live:5902, blablatst12345.net), the function selector (0xc2fb26a6), RPC endpoint (eth.llamarpc.com), and a DomainUpdated event topic for monitoring, and recommends watching Ethereum logs for that event to detect future rotations.
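As an added illustration of the resolver mechanics the report describes (this is not code from the report, its author, or the malware): the JSON-RPC `eth_call` a dead-drop resolver would issue against the DomainStorage contract with the listed selector, the ABI decoding of the returned string into host:port, and the `eth_getLogs` filter a defender would use to watch for the DomainUpdated event. Assumptions not stated on the page are marked as such: that the getter takes no arguments and returns a single ABI `string`, that the RPC host is reached over https, and that the event topic is supplied by the analyst (its hex value is not reproduced above, so it is left as a parameter). The sample RPC response is constructed inline so the block runs offline.

```python
import json
import re

# Values quoted in the report summary above.
DOMAIN_STORAGE_CONTRACT = "0x999941b74F6bbc921D5174A5b29911562cd2D7CF"
SELECTOR = "0xc2fb26a6"
RPC_ENDPOINT = "https://eth.llamarpc.com"   # host from the report; https scheme is assumed
KNOWN_C2_HOSTS = {"fightwa.biz", "chalx.live", "blablatst12345.net"}

C2_PATTERN = re.compile(r"^(?P<host>[a-z0-9.-]+):(?P<port>\d{1,5})$", re.IGNORECASE)


def build_eth_call(contract, selector, block="latest", request_id=1):
    """JSON-RPC payload a resolver sends to read the current C2 from the contract.
    Assumption: the getter takes no arguments, so calldata is just the 4-byte selector."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{40}", contract):
        raise ValueError("contract must be a 20-byte hex address")
    if not re.fullmatch(r"0x[0-9a-fA-F]{8}", selector):
        raise ValueError("selector must be 4 bytes")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def abi_decode_string(result_hex):
    """Decode one ABI-encoded `string` return value: 32-byte offset, 32-byte length, padded bytes."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("truncated string payload")
    return data.decode("utf-8")


def abi_encode_string(s):
    """Encoder used only to construct the sample response below (not part of the resolver)."""
    b = s.encode("utf-8")
    padded = b + b"\x00" * ((32 - len(b) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(b).to_bytes(32, "big").hex() + padded.hex()


def extract_c2(rpc_response):
    """Pull (host, port) out of an eth_call JSON-RPC response; None on error or malformed data.
    Malformed or reverted calls are expected during rotation, so never raise on them."""
    if "error" in rpc_response or "result" not in rpc_response:
        return None
    try:
        value = abi_decode_string(rpc_response["result"])
    except (ValueError, UnicodeDecodeError):
        return None
    m = C2_PATTERN.match(value)
    if not m or not 0 < int(m.group("port")) < 65536:
        return None
    return m.group("host").lower(), int(m.group("port"))


def is_known_c2(host):
    """True if the decoded host is one of the C2s listed in the report (a rotation shows up as False)."""
    return host.lower() in KNOWN_C2_HOSTS


def build_log_filter(contract, event_topic, from_block="0x0", request_id=2):
    """eth_getLogs filter for the DomainUpdated event the report recommends monitoring.
    event_topic is the keccak256 of the event signature; its value must come from the analyst."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{64}", event_topic):
        raise ValueError("event topic must be a 32-byte hex hash")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_getLogs",
        "params": [{"address": contract, "fromBlock": from_block,
                    "toBlock": "latest", "topics": [event_topic]}],
    }


# Constructed sample response: what the node would return if the contract currently
# stores "fightwa.biz:5902". Not captured traffic.
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("fightwa.biz:5902")}

if __name__ == "__main__":
    print(json.dumps(build_eth_call(DOMAIN_STORAGE_CONTRACT, SELECTOR)))
    c2 = extract_c2(SAMPLE_RESPONSE)
    print("decoded C2:", c2, "known:", is_known_c2(c2[0]) if c2 else None)
```

To use it live, POST `build_eth_call(...)` to the RPC endpoint and feed the JSON reply to `extract_c2`; a decoded host that is not in the report's list is the rotation the author warns about. Poll `build_log_filter(...)` with the event topic (or subscribe over websockets) rather than re-calling the getter on a timer, since the log filter catches the update transaction itself and also records the block it landed in.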