A newly identified campaign called EtherRAT is targeting enterprise environments by combining SEO manipulation, GitHub abuse, and blockchain-based infrastructure. Instead of going after random users, attackers are focusing on IT professionals who already have elevated access.
This activity was uncovered by the Atos Threat Research Center in early 2026. The goal is clear—compromise high-privilege users and gain direct access to critical systems.
How the Attack Starts
The attack begins with SEO poisoning across search engines like Bing, Yahoo, DuckDuckGo, and Yandex.
Attackers push fake GitHub repositories to the top of search results for queries related to popular admin tools. These repositories look legitimate and contain detailed documentation, but they don’t host malware directly.
The infection flow works like this:
- Fake GitHub repo acts as a trusted storefront
- README links redirect users to another repository
- Second repo hosts a malicious MSI installer
- Payload is executed on the victim system
This two-step setup separates the bait from the payload, so the takedown of either repository does not stop the campaign: the surviving half is simply paired with a replacement.
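A defender-side check for the two-hop pattern, added here as an example and not code from the original report or from the campaign: it scans a README for links to installer files and flags any that leave the repository the reader is actually viewing. The README text, the repository names and the allowlisted vendor host are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample README modelled on the storefront pattern described
# above; it is illustrative text, not content taken from any real repository.
SAMPLE_README = """
# PsExec Mirror

Complete documentation for PsExec with usage examples.

## Download
[Download the installer](https://github.com/mirror-builds/psexec-setup/releases/download/v2.4/PsExecSetup.msi)
[Official archive](https://download.sysinternals.com/files/PSTools.zip)
[Source](https://github.com/example-org/psexec-docs/tree/main/src)
"""

# File types a reader would be asked to run; treated as "installers" here.
INSTALLER_EXT = (".msi", ".exe", ".zip", ".7z", ".ps1", ".bat", ".cmd")
MD_LINK = re.compile(r"\[([^\]]*)\]\((https?://[^)\s]+)\)")

def github_owner_repo(url):
    """Return (owner, repo) for a github.com URL, or None for any other host."""
    p = urlparse(url)
    if p.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = p.path.strip("/").split("/")
    if len(parts) < 2:
        return None
    return (parts[0].lower(), parts[1].lower())

def find_redirected_installers(readme_text, viewed_owner, viewed_repo, allowed_hosts=()):
    """List installer links in readme_text that leave the repository the reader
    is viewing. Links whose host is in allowed_hosts (e.g. the vendor's own
    download site) are accepted."""
    viewed = (viewed_owner.lower(), viewed_repo.lower())
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for label, url in MD_LINK.findall(readme_text):
        parsed = urlparse(url)
        if not parsed.path.lower().endswith(INSTALLER_EXT):
            continue                      # documentation or source link, not an installer
        if parsed.netloc.lower() in allowed:
            continue                      # vendor-hosted download, accepted
        target = github_owner_repo(url)
        if target == viewed:
            continue                      # release asset of the repo itself
        reason = ("installer hosted in another GitHub repository %s/%s" % target
                  if target else "installer hosted on non-allowlisted host " + parsed.netloc)
        findings.append({"label": label, "url": url, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_redirected_installers(SAMPLE_README, "example-org", "psexec-docs",
                                        allowed_hosts=["download.sysinternals.com"]):
        print(f["reason"], "->", f["url"])
```

The check is deliberately narrow: a storefront repository has no reason to send readers to a release asset in some other account, and that hop is exactly what the two-repository layout relies on.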
Targeting High-Privilege Users
The campaign specifically mimics well-known administrative tools such as PsExec, AzCopy, Sysmon, LAPS, and WinDbg. These tools are typically used by administrators, DevOps teams, and security analysts.
The choice of lures doubles as victim selection:
- Only users searching for these tools are targeted
- Most victims already have elevated privileges
- A successful infection gives immediate high-level access
By abusing trust in commonly used tools, attackers increase the chances of execution without suspicion.
Malware Behavior and Execution
Once the malicious installer runs, a multi-stage RAT is deployed using JavaScript and fileless techniques.
The behavior includes:
- Obfuscated scripts install Node.js and trigger execution
- Payloads are decrypted in memory using AES-256
- Persistence is created through Windows Registry Run keys
- Malware runs under legitimate processes like conhost.exe
- Continuous communication with attacker infrastructure
The RAT lets attackers execute commands, monitor systems, and extract sensitive data with few visible indicators on the host.
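Detection logic for the host-side behaviour listed above, added as an example rather than a rule from the report: it runs three heuristics over constructed Sysmon-like records (a Run-key value that launches a script host or a .js file, node.exe executing from a user-writable path, and a conhost.exe image outside System32). The telemetry shape, paths and thresholds are assumptions for the example; the conhost check only catches a masquerading binary, not injection into the genuine process.

```python
import re

# Constructed telemetry in a Sysmon-like shape (event id 1 = process creation,
# 13 = registry value set). These records are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Users\admin\AppData\Roaming\nodejs\node.exe",
     "cmd": r'"C:\Users\admin\AppData\Roaming\nodejs\node.exe" C:\Users\admin\AppData\Roaming\svc\loader.js',
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"id": 13, "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'"C:\Users\admin\AppData\Roaming\nodejs\node.exe" "C:\Users\admin\AppData\Roaming\svc\loader.js"'},
    {"id": 13, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"id": 1, "image": r"C:\Users\Public\conhost.exe", "cmd": "conhost.exe",
     "parent": r"C:\Users\admin\AppData\Roaming\nodejs\node.exe"},
]

# Run / RunOnce keys under HKLM or any user hive.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Script hosts a persistence entry should rarely point at, or a bare .js file.
SCRIPT_HOST = re.compile(r"\\(node|wscript|cscript|mshta)\.exe\b|\.js\b", re.I)
# Directories a standard user can write to (assumed list, extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (rule, detail) pairs for records matching the heuristics."""
    findings = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["key"]) and SCRIPT_HOST.search(e["data"]):
            findings.append(("run_key_script_host", e["key"]))
        elif e["id"] == 1:
            name = basename(e["image"])
            if name == "node.exe" and (USER_WRITABLE.search(e["image"])
                                       or USER_WRITABLE.search(e["cmd"])):
                findings.append(("node_from_user_writable_path", e["image"]))
            if name == "conhost.exe" and not e["image"].lower().startswith("c:\\windows\\system32\\"):
                findings.append(("conhost_outside_system32", e["image"]))
    return findings

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(rule, detail)
```

Developer workstations that run Node.js from a per-user install will trip the path rule, so scope it to hosts that should never have Node.js installed, which on an admin workstation is the normal state.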
Blockchain-Based Command and Control
One of the most unique aspects of EtherRAT is its use of blockchain for command-and-control.
Instead of a fixed server, the malware retrieves its current C2 address from the Ethereum network. The record lives on a public ledger that no hosting provider or registrar can edit or take offline, which makes the infrastructure hard to disrupt. The implant still has to read that record through some Ethereum RPC endpoint or block-explorer API, and that outbound request is the one point a defender can see and block.
Key advantages for attackers:
- No fixed IP or domain to blacklist
- C2 can be updated instantly via blockchain transactions
Because the address is published on a blockchain that anyone can read and no single party can take down, takedown strategies aimed at domains, hosting accounts, and IP addresses lose their effect.
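A worked illustration of both sides of this mechanism, added as an example and not code from the report or from the malware. The page does not state how the address is stored on-chain; the example assumes the common pattern of a contract getter read with an `eth_call` whose ABI-encoded `string` result is the C2 URL, and it pairs that with the detection a defender would run over proxy logs: flag Ethereum JSON-RPC read calls from hosts with no business reason to query the chain. The contract address, function selector, hostnames and log records are all constructed.

```python
import json

# JSON-RPC methods an implant would use to read data off the chain.
ETH_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getTransactionByHash",
                    "eth_getLogs", "eth_getBlockByNumber", "eth_getCode"}

def abi_encode_string(s):
    """ABI-encode a single dynamic `string` return value: 32-byte offset,
    32-byte length, then data padded to a multiple of 32 bytes. Used here only
    to build the sample response below."""
    data = s.encode("utf-8")
    pad = (32 - len(data) % 32) % 32
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() \
        + (data + b"\x00" * pad).hex()

def decode_abi_string(hex_result):
    """Decode an ABI-encoded `string` as returned by eth_call for a getter that returns string."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8")

def build_eth_call(contract, selector):
    """The JSON-RPC request a resolver would POST to an Ethereum RPC endpoint."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}

# Constructed: a fake contract address and the selector of a hypothetical getter.
C2_CONTRACT = "0x" + "ab" * 20
GETTER_SELECTOR = "0x12345678"
# Constructed eth_call response carrying a TEST-NET address as the "C2".
SAMPLE_RPC_RESPONSE = {"jsonrpc": "2.0", "id": 1,
                       "result": abi_encode_string("https://203.0.113.10:8443/gate")}

def resolve_c2(rpc_response):
    """What the implant does with the response: decode the string and use it as C2."""
    return decode_abi_string(rpc_response["result"])

# Constructed proxy log: one JSON record per line (src_host, dst, body).
SAMPLE_PROXY_LOG = [
    json.dumps({"src_host": "devbox-07", "dst": "rpc.example-gateway.net",
                "body": json.dumps(build_eth_call(C2_CONTRACT, GETTER_SELECTOR))}),
    json.dumps({"src_host": "admin-ws-12", "dst": "rpc.example-gateway.net",
                "body": json.dumps(build_eth_call(C2_CONTRACT, GETTER_SELECTOR))}),
    json.dumps({"src_host": "admin-ws-12", "dst": "updates.example.com",
                "body": '{"check":"latest"}'}),
    json.dumps({"src_host": "admin-ws-12", "dst": "rpc.example-gateway.net",
                "body": "not json at all"}),
]

def flag_chain_lookups(log_lines, allowed_hosts=()):
    """Return (src_host, dst, method) for outbound Ethereum JSON-RPC read calls
    from hosts that are not on the allowlist of legitimate chain users."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec["src_host"] in allowed_hosts:
            continue
        try:
            body = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            continue                      # not a JSON body, cannot be JSON-RPC
        for call in body if isinstance(body, list) else [body]:   # batches are lists
            if isinstance(call, dict) and call.get("jsonrpc") == "2.0" \
                    and call.get("method") in ETH_READ_METHODS:
                hits.append((rec["src_host"], rec["dst"], call["method"]))
    return hits

if __name__ == "__main__":
    print("resolved C2:", resolve_c2(SAMPLE_RPC_RESPONSE))
    print("suspicious lookups:", flag_chain_lookups(SAMPLE_PROXY_LOG, allowed_hosts={"devbox-07"}))
```

Matching on the JSON-RPC method rather than on destination hostnames matters: the attacker can switch between public RPC providers and explorer APIs at will, but a read of contract state looks the same through any of them, and an administrator's workstation issuing one is the anomaly.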
Ongoing Activity and Threat Impact
Researchers observed at least 40 malicious GitHub repositories over several months, showing that this is an ongoing operation rather than a one-time campaign.
There are also similarities with techniques used by groups like Lazarus Group and MuddyWater, though attribution is still being analyzed.
Unlike typical large-scale malware campaigns, EtherRAT focuses on stealth and persistence. After initial access, attackers perform quiet reconnaissance instead of immediate disruptive actions.
Why This Matters
This campaign highlights a shift in cyber threats:
- Attackers target fewer users but with higher value
- Legitimate platforms like GitHub are used to build trust
- Decentralized technologies like blockchain make attacker infrastructure more resilient to takedown
Organizations should verify software sources (obtain administrative tools from the vendor's official channel and check the publisher's Authenticode signature, rather than from a repository surfaced by a search result), limit administrative privileges, and monitor unusual outbound traffic, especially connections to blockchain services such as Ethereum RPC endpoints and block-explorer APIs.
EtherRAT shows how modern attackers are blending trusted platforms with advanced techniques to create highly targeted and durable threats.