Intro
A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By combining Search Engine Optimization (SEO) poisoning, a dual-stage GitHub distribution architecture, and decentralized blockchain-based command-and-control (C2) resolution, the threat actors have established a highly resilient delivery and persistence mechanism.
Creative Distribution via GitHub Facades
The campaign uses a multi-layered delivery chain designed to evade platform-level takedowns and maintain a high search engine ranking. The attack begins with SEO poisoning on several search engines, including Bing, Yahoo, DuckDuckGo, and Yandex, which ensures that malicious results for niche IT terms rank at the top of search results. Users are initially directed to a primary "facade" GitHub repository. These repositories are optimized for SEO but contain no malicious code - just a professional-looking README file.
To maintain operational flexibility, the README contains a link directing a victim to a second, hidden GitHub repository. It serves as the true distribution point for the malware. By separating the SEO-optimized "storefront" from the payload delivery account, the threat actors can rapidly rotate their distribution repositories if flagged, while the primary search-indexed facade remains active and untouched.
Strategic Tool Impersonation and Victim Profiling
The campaign is characterized by its focus on the administrative stack. By distributing malicious MSI installers disguised as tools like PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer, the adversary performs automated victim profiling: these utilities are almost exclusively used by personnel with elevated network and system permissions. A successful infection on an administrator's workstation may provide the "keys to the kingdom," which can facilitate lateral movement inside the enterprise environment.
Decentralized Command and Control via Ethereum
The most technically significant aspect of the campaign is its implementation of a blockchain-based Dead Drop Resolver (DDR). Once the malicious MSI is executed, the malware does not reach out to a hardcoded domain or IP address, which could be easily blocklisted. Instead, the malware repeatedly queries a public Ethereum (ETH) RPC endpoint.
The malware is hardcoded with a specific Smart Contract address on the Ethereum blockchain. By querying this contract, the malware dynamically retrieves the live C2 server address. This technique provides the adversary with extreme resilience:
Infrastructure agility: The attacker can rotate C2 servers globally simply by updating the value stored in the blockchain contract.
Robustness: As long as public Ethereum gateways are accessible, the malware can always find its "home," making traditional domain takedown or blockage efforts ineffective.
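The dead-drop lookup described above, as an added detection example (not code from the report or from the malware): it scans constructed egress-proxy records for Ethereum JSON-RPC eth_call requests issued by processes that have no business speaking to a blockchain gateway, and decodes the ABI-encoded string a contract call returns so an analyst can see the value the caller obtained. The process allowlist, log field names, gateway hostname, contract address and selector are assumptions or placeholders.

```python
import json

# Processes with a legitimate reason to speak Ethereum JSON-RPC (assumption: tune per environment)
ALLOWED_RPC_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
DDR_METHODS = {"eth_call"}  # JSON-RPC method used to read a value from a contract without a transaction

def abi_encode_string(text: str) -> str:
    # ABI layout of a dynamic `string` return value: offset word, length word, data padded to 32 bytes
    raw = text.encode()
    return "0x" + (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex() \
        + (raw + b"\x00" * (-len(raw) % 32)).hex()

def abi_decode_string(result_hex: str) -> str:
    # Reverse of the layout above; raises ValueError on truncated or malformed results
    data = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(data) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    payload = data[offset + 32:offset + 32 + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds result data")
    return payload.decode("utf-8", errors="replace")

def find_ddr_lookups(events: list[dict]) -> list[dict]:
    # One finding per contract read issued by a process that is not an allowed RPC client
    findings = []
    for ev in events:
        req = json.loads(ev.get("request_body") or "{}")
        if req.get("method") not in DDR_METHODS or ev.get("process") in ALLOWED_RPC_PROCESSES:
            continue
        finding = {"host": ev["host"], "process": ev["process"], "dest": ev["dest"],
                   "contract": req.get("params", [{}])[0].get("to"), "resolved": None}
        try:  # decode what the caller would have obtained from the contract
            finding["resolved"] = abi_decode_string(json.loads(ev["response_body"])["result"])
        except (KeyError, ValueError):
            pass
        findings.append(finding)
    return findings

SAMPLE_EVENTS = [  # constructed proxy records, not campaign data: an MSI-spawned lookup and a browser wallet call
    {"host": "ws-admin-07", "process": "msiexec.exe", "dest": "eth-rpc-gateway.example",
     "request_body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [
         {"to": "0xPLACEHOLDER_CONTRACT_ADDRESS", "data": "0xPLACEHOLDER_SELECTOR"}, "latest"]}),
     "response_body": json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("https://c2.invalid:8443")})},
    {"host": "ws-dev-02", "process": "chrome.exe", "dest": "eth-rpc-gateway.example",
     "request_body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_call", "params": [{"to": "0x0"}, "latest"]}),
     "response_body": json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x"})},
]
```

Feeding real proxy records through find_ddr_lookups surfaces which endpoint reads the contract, which gateway it uses and what it received, which is the data a blocklist of domains alone cannot give you.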
Research analysis
This research provides a comprehensive technical analysis of the current campaign, based on long-term observation and active detonation within a controlled environment. Our research moves beyond initial delivery vectors to examine the sophisticated infrastructure and post-exploitation behaviors.
The following data points represent the core operational mechanics of the campaign, including:
Malware Distribution: breakdown of the dual-stage GitHub repository architecture and the SEO-poisoning usage to manipulate search engine results.
Administrative Tools Impersonation: a detailed look at the specific administrative utilities being impersonated to ensure the compromise of high-privilege IT personnel.
Malware Logic: malware analysis of the malicious MSI payloads, including their initial staging and persistent components.
Decentralized C2 Infrastructure: investigation into the malware's use of Ethereum Smart Contracts and public RPC gateways to dynamically resolve live Command and Control (C2) addresses.
NOTE: During the finalization of the research, we identified a preliminary alert from KISA&KrCERT/CC regarding this threat actor’s campaign - LINK. While their initial report provided early visibility, our longitudinal investigation confirms the campaign remains highly active and has undergone significant technical maturation.
Our investigation further confirms that the malware is evolving, with several distinct variants and additional C2 infrastructure identified since the campaign's inception.
Malware Distribution
The visualisation below shows the dual-stage distribution chain, in which the SEO-optimized facade repository redirects unsuspecting users to a secondary GitHub account hosting the malicious MSI. This modular architecture allows the threat actors to preserve their search engine rankings even if the individual payload delivery accounts are taken down.
The intrusion lifecycle begins with a search query via Bing (also Yahoo, DuckDuckGo, Yandex) for specialized IT administrative utilities. Through aggressive SEO poisoning, the threat actors ensure that the facade GitHub repository appears prominently among the top search results. In this instance, a user seeking Kusto Explorer – a critical tool for engineers and analysts querying Azure Data Explorer via KQL – is led toward a non-malicious storefront designed to build initial trust.
Bing search for “kusto explorer”
Bing search for “kusto explorer download”
The first repository the user opens is a storefront that impersonates the targeted administrative tool. This facade repo is intentionally clean of malware, acting only as a gateway to the second, malicious stage of the delivery process. Thanks to such a design, it maintains a high search engine ranking.
First GitHub repo - used only as a facade
As we can see, this is the repository that survives for quite a long time.
By embedding a link in the README of a clean facade repository, the threat actors effectively separate their search visibility from their malware distribution. The second repository hosts the actual malware, while the first remains untainted. This strategy allows for rapid recovery after a takedown, as the adversary only needs to update a single URL to restore the infection chain. This separation is key to the campaign's longevity, as the initial landing page appears benign to both users and security tools.
Link to second GitHub repo that serves malware to the user
Commit history of the facade GitHub repo: the link to the second GitHub repo changes over time
The redirection leads the user to a second GitHub repository where the malicious software is hosted. This secondary site acts as the final stage in the distribution chain, providing the direct download for the malware impersonating administrative tools.
Second GitHub used to host malware
Malware downloaded by user
The threat actor has successfully hijacked the search results for a larger set of the Windows administrative stack, placing malicious storefronts at the very top of Bing. This dominant search presence effectively masks the threat, as the facade repositories appear to be the primary, verified download locations for essential IT tools. Such high visibility on the front page is the critical factor that could help the campaign reach more broadly into corporate environments.
“ProcDump” Bing SEO poisoning and Threat Actors GitHub repo
“LAPS” Bing SEO poisoning and Threat Actors GitHub repo
“BgInfo” Bing SEO poisoning and Threat Actors GitHub repo
DuckDuckGo SEO poisoning and Threat Actors GitHub repo
Yandex SEO poisoning and Threat Actors GitHub repo
Yahoo SEO poisoning and Threat Actors GitHub repo
Between early December 2025 and April 1, 2026, the threat actor deployed 44 separate GitHub f