EtherRAT Campaign Leverages SEO Poisoning and GitHub to Target Enterprise Admins
Key Takeaways A sophisticated campaign named EtherRAT is actively targeting enterprise administrators, DevOps engineers, and security analysts. Threat actors are using SEO poisoning across major...
Key Takeaways
- A sophisticated campaign named EtherRAT is actively targeting enterprise administrators, DevOps engineers, and security analysts.
- Threat actors are using SEO poisoning across major search engines to direct high-privilege IT professionals to malicious GitHub repositories.
- The campaign distributes EtherRAT, a multi-stage, fileless Remote Access Trojan (RAT) that uses the Ethereum blockchain for resilient command-and-control (C2) infrastructure.
- The malware is disguised as common administrative tools, creating a high-risk scenario where defenders might inadvertently infect their systems while attempting to secure them.
EtherRAT Campaign Exploits SEO and GitHub to Compromise Enterprise Admins
A cunning and persistent malware campaign, dubbed EtherRAT, is specifically targeting IT professionals with elevated network and system privileges, including enterprise administrators, DevOps engineers, and security analysts. This operation leverages sophisticated search engine optimization (SEO) poisoning techniques to deliver its malicious payload, exploiting the routine search habits of these high-value targets.
Table Of Content
Unlike conventional large-scale phishing or spam attacks, the perpetrators behind EtherRAT have meticulously engineered a delivery mechanism designed to place dangerous software directly into the hands of IT staff. This occurs when they search for legitimate administrative tools online, making the attack highly precise and difficult to detect.
Sophisticated Delivery Chain
The campaign operates by manipulating search engine results across prominent platforms such as Bing, Yahoo, DuckDuckGo, and Yandex. When IT personnel search for widely used tools like PsExec, AzCopy, Sysmon, LAPS, or KustoExplorer, fake but professional-looking GitHub repositories are prominently displayed at the top of the search results.
These initial GitHub repositories are designed to appear benign, containing no overt malicious code. They function as a deceptive front, seamlessly redirecting unsuspecting users to a secondary, hidden GitHub account where the actual malware is hosted and distributed. Atos analysts first identified this advanced and resilient malicious campaign in March, confirming its ongoing activity and significant technical evolution, including multiple variants and additional command-and-control (C2) infrastructure.
EtherRAT: A Resilient Threat
At the core of this campaign is EtherRAT, a JavaScript-based, multi-stage, fileless Remote Access Trojan. Atos researchers have confirmed that EtherRAT employs the Ethereum blockchain to store its live C2 server address. This innovative approach significantly enhances the malware’s resilience, effectively circumventing traditional domain takedown or IP-blocking measures.
The malware is disseminated through malicious MSI installers, meticulously disguised as essential administrative tools. Since these tools are almost exclusively utilized by personnel with elevated system permissions, a successful infection on an administrator’s workstation could grant threat actors unfettered access to an entire enterprise environment.
The psychological aspect of this campaign is particularly insidious. Many of the tools being impersonated are precisely those that security professionals rely on for investigating and responding to malicious activities. This creates a dangerous paradox where a defender, attempting to diagnose a perceived security issue using a tool like Process Explorer or TCPView, unknowingly introduces the very threat they are trying to mitigate.
Dual-Stage GitHub Delivery Chain
The campaign employs a carefully segmented, two-stage delivery architecture engineered for sustained operation even when components are compromised. The initial GitHub repository acts as a clean facade, optimized for SEO and featuring a legitimate-looking README file devoid of malicious code. This builds initial trust with both users and automated security tools.
Within this README, a link is embedded that directs users to a second, clandestine GitHub account. This secondary repository is where the actual malicious MSI payload resides. By separating the SEO-visible storefront from the payload delivery mechanism, threat actors can rapidly switch out compromised distribution repositories while maintaining the primary, search-indexed facade untouched. Between early December 2024 and April 2026, the attackers deployed 17 distinct GitHub facades, each mimicking a different administrative or developer tool, underscoring their persistent efforts to maximize search engine visibility and ensnare a broad spectrum of high-privilege victims.
When a victim downloads and executes the malicious MSI installer, four files are extracted. Immediately after extraction, a heavily obfuscated Windows batch script is launched at SYSTEM privilege via an MSI Custom Action. The primary obfuscation technique involves splitting sensitive command names such as `curl`, `tar`, `copy`, `start`, and `cmd` across multiple `SET` variable assignments. These are silently concatenated at runtime, preventing recognizable keywords from appearing in the raw file and defeating basic string-based static analysis.
Stage 2 involves a minimal, unobfuscated Node.js script that is never written to disk. Its primary function is to read a file containing an encrypted second-stage payload, decrypt it using a hardcoded key and initialization vector (IV), and execute it in memory. This stage also establishes persistence through a registry Run key.
Stage 3 is the core of the malware: a JavaScript file that executes silently in the background with every system boot. It runs within `conhost.exe`, a legitimate Windows process, allowing it to blend in and avoid detection in Task Manager.
What You Should Do
- Block access to the public Ethereum (ETH) RPC endpoints utilized by EtherRAT. A comprehensive list is available in the Appendices section of the Atos TRC GitHub repository.
- Review historical network logs for any outbound communications with the identified RPC ETH endpoints and historical C2 domains.
- Educate IT personnel on the risks associated with sourcing critical utilities from search engine results. Mandate the use of verified internal software centers or direct, authenticated vendor portals for all administrative tools.
- Monitor telemetry for suspicious behavioral patterns, including repeated, high-frequency beacons (approximately every 500ms) to external domains, periodic outbound requests (every 5 minutes) to public ETH RPC endpoints, and unusual process trees involving `node.exe` processes executing shell commands.
- Treat any usage of `conhost.exe` with the headless argument as a potential indicator of the secondary stages of the EtherRAT payload.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.