LIVE NEWSROOM · May 23, 2026

EtherRAT Targets Enterprise Admins via 44 GitHub Facades and Ethereum Blockchain C2


A high-resilience malware campaign discovered by Atos Threat Research Center in March 2026 has deployed 44 spoofed GitHub repositories to distribute EtherRAT, a multi-stage JavaScript Remote Access Trojan that routes command-and-control communication through Ethereum smart contracts. The campaign specifically targets enterprise administrators, DevOps engineers, and security analysts through SEO-poisoned search results serving fake downloads of trusted tools including PsExec, Sysmon, AzCopy, and LAPS. As of April 2026, the campaign remains active.

// 01 EtherRAT GitHub Facades: What We Know So Far

Between December 2025 and April 2026, the threat actors created 44 malicious GitHub repositories designed to closely mimic legitimate administrative tool download pages. Each facade uses aggressive SEO poisoning to rank highly on Bing, Yahoo, DuckDuckGo, and Yandex when administrators search for professional utilities. The repositories present clean README files to pass superficial review but link to secondary GitHub accounts hosting the actual malware payloads — a dual-stage architecture that enables rapid payload rotation while preserving search-engine rankings.

The infection chain operates in four stages:

Stage 0 (Dropper): A batch script executes at SYSTEM privilege via an MSI CustomAction, downloading a Node.js runtime and staging the infection environment.

Stage 1 (In-Memory Loader): A minimal Node.js script decrypts and executes Stage 2 entirely in memory using AES-256-CBC encryption, leaving minimal forensic artifacts on disk.

Stage 2 (Persistence): This stage decrypts Stage 3, writes it to disk, and establishes registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run using randomized six-character hex entry names.

Stage 3 (RAT): The main backdoor queries nine public Ethereum RPC endpoints in parallel to retrieve the current C2 address from the operator-controlled smart contract 0xc12c8d8f9706244eca0acf04e880f10ff4e52522, executes remote commands via Node.js AsyncFunction constructors, and re-runs the blockchain lookup every five minutes. The controlling wallet, 0x37ef6e88425613564b2cf8adc496acff4b6481a9, shows a transaction history of repeated state updates that rotate C2 addresses without redeploying the malware.

Process masquerading is achieved by launching Node.js as conhost.exe --headless, making the malicious process appear as a legitimate console host in Task Manager. Stage payloads use randomized file extensions (.bak, .cfg, .xml, .bin, .tmp, .dat, .log) stored in %LOCALAPPDATA%. After each execution cycle, the RAT receives a freshly obfuscated replacement copy of itself from the C2 and writes it back over its own path on disk, continuously rotating its on-disk signature.

An operator can rotate C2 infrastructure with a single Ethereum transaction costing fractions of a cent — substantially faster than the domain seizure, hosting provider notification, or DNS sinkhole processes defenders typically use to neutralize hardcoded C2 addresses.

Attribution is contested. Sysdig Threat Research links EtherRAT to North Korea’s Lazarus Group via significant tooling overlaps with the “Contagious Interview” npm campaign. eSentire’s Threat Response Unit separately identified extensive code commonalities between EtherRAT and the Tsundere botnet malware, which is attributed to Iranian state-sponsored group MuddyWater/APT34 and uses the same EtherHiding C2 resolution technique. Whether this reflects shared tooling between distinct actors, a common criminal vendor, or code reuse without operational connection remains unresolved.

// 02 Why EtherRAT GitHub Facades Matter

Neutralizing a traditional C2 infrastructure requires a DNS sinkhole, a hosting provider takedown, or law enforcement coordination. Each approach is viable but slow. Blocking an Ethereum smart contract requires consensus from a global permissionless blockchain — which is, in practice, not achievable in the operational timeframe of an active intrusion.

Targeting administrators amplifies the damage potential of each infection. Workstations belonging to administrators, DevOps engineers, and security analysts are often authenticated to Active Directory, cloud control planes, and remote management interfaces simultaneously. The specific tools impersonated — LAPS, RSAT, AzCopy, ScreenConnect, ProcDump, Sysmon — are exclusively used by people with the access to cause the most damage once compromised.

The self-obfuscating payload mechanism compounds the forensic challenge. If defenders detect and remove the on-disk artifact without also removing the Stage 2 persistence entry, the RAT reloads at next logon and immediately rotates its signature.

// 03 EtherRAT GitHub Facades: What You Should Do Now

  1. Block outbound access to Ethereum RPC endpoints used by Stage 3’s C2 resolution. The malware queries nine services including mainnet.infura.io, eth-mainnet.g.alchemy.com, and cloudflare-eth.com. Blocking outbound HTTPS to these endpoints at the perimeter prevents the RAT from receiving operator commands even if the binary is present on disk.

  2. Search proxy and DNS logs for the identified contract address. Any internal host querying or referencing 0xc12c8d8f9706244eca0acf04e880f10ff4e52522 in historical log data should be treated as a high-confidence compromise indicator and triaged immediately.

  3. Hunt for Stage 2 persistence by scanning all HKCU\Software\Microsoft\Windows\CurrentVersion\Run keys across administrator workstations for six-character random hex entry names pointing to %LOCALAPPDATA% paths with randomized extensions.

  4. Check for %APPDATA%\svchost.log. The RAT writes its complete operational trace to this path — startup events, blockchain resolution results, received commands, and task output. Legitimate Windows components do not write to this path.

  5. Mandate internal software repositories for all administrative tools. Enforce group policy restricting execution of unsigned or user-sourced MSI files. Tools like PsExec, Sysmon, and AzCopy should only be obtainable through authenticated internal channels — never via search engine results.

// 04 Detection and Verification Checklist

  • Process behavior: Alert on conhost.exe --headless spawning node.exe, executing shell commands, or initiating outbound network connections. Legitimate console hosts do not exhibit this behavior.
  • Network: Alert on node.exe or conhost.exe making outbound HTTPS requests to Ethereum RPC domains. This combination has no legitimate use case in a standard enterprise workstation environment.
  • Registry: Monitor HKCU\...\CurrentVersion\Run for new entries with six-character hex names, particularly those pointing to %LOCALAPPDATA% with randomized file extensions.
  • File system: Scan for %APPDATA%\svchost.log across all workstations in the administrator and DevOps populations.
  • EDR behavioral rules: Enable detection for AsyncFunction-constructor-based code execution within Node.js processes and for processes writing over their own executable path on disk.
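The hunt steps in section 03 and the checklist above, expressed as rules over endpoint telemetry. This is an added example, not code from the article or from Atos; the event layout (type, key/name/value, parent_cmd/child_image, image/dest_host/raw) and all sample events are constructed assumptions, while the Run key, stage extensions, RPC hosts and contract address are the ones named in the text.

```python
import re
# Hunt rules for the EtherRAT tradecraft above, run over constructed sample telemetry (not real logs).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ETH_RPC_HOSTS = {"mainnet.infura.io", "eth-mainnet.g.alchemy.com", "cloudflare-eth.com"}
STAGE_EXTS = {".bak", ".cfg", ".xml", ".bin", ".tmp", ".dat", ".log"}
C2_CONTRACT = "0xc12c8d8f9706244eca0acf04e880f10ff4e52522"
HEX6 = re.compile(r"^[0-9a-f]{6}$", re.IGNORECASE)
RAT_IMAGES = {"node.exe", "conhost.exe"}

def rule_run_entry(ev):
    # Stage 2 persistence: six-hex-char value name under the HKCU Run key whose
    # target sits in %LOCALAPPDATA% and carries one of the rotating extensions.
    target = ev["value"].strip('"').split('"')[0].lower()  # path before any arguments
    ext = "." + target.rsplit(".", 1)[-1] if "." in target else ""
    in_local = target.startswith("%localappdata%") or "\\appdata\\local\\" in target
    return (ev["key"].lower() == RUN_KEY.lower() and bool(HEX6.match(ev["name"]))
            and in_local and ext in STAGE_EXTS)

def rule_headless_conhost(ev):
    # Masquerade: 'conhost.exe --headless' spawning node.exe or a shell. The rule
    # keys on the parent/child pair, not on the --headless switch alone.
    cmd = ev["parent_cmd"].lower()
    return ("conhost.exe" in cmd and "--headless" in cmd
            and ev["child_image"].lower() in RAT_IMAGES | {"cmd.exe", "powershell.exe"})

def rule_eth_rpc(ev):
    # node.exe/conhost.exe reaching an Ethereum RPC endpoint, or any proxy record
    # that carries the operator's contract address (checksummed addresses are mixed case).
    return ((ev["image"].lower() in RAT_IMAGES and ev["dest_host"].lower() in ETH_RPC_HOSTS)
            or C2_CONTRACT in ev.get("raw", "").lower())

RULES = {"registry": [("stage2_run_persistence", rule_run_entry)],
         "process": [("headless_conhost_spawn", rule_headless_conhost)],
         "network": [("eth_rpc_c2_lookup", rule_eth_rpc)]}

def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events
            for name, rule in RULES.get(ev["type"], ()) if rule(ev)]

SAMPLE_EVENTS = [  # constructed for this example, not captured from a real host
    {"type": "registry", "key": RUN_KEY, "name": "a3f9c1", "value": r'"%LOCALAPPDATA%\settings.cfg"'},
    {"type": "registry", "key": RUN_KEY, "name": "Updater", "value": r'"C:\Users\a\AppData\Local\Vendor\Updater.exe" /bg'},
    {"type": "process", "parent_cmd": "conhost.exe --headless", "child_image": "node.exe"},
    {"type": "process", "parent_cmd": r"C:\Windows\System32\cmd.exe /c npm test", "child_image": "node.exe"},
    {"type": "network", "image": "node.exe", "dest_host": "eth-mainnet.g.alchemy.com"},
    {"type": "network", "image": "curl.exe", "dest_host": "rpc.example.invalid",
     "raw": 'POST / {"method":"eth_call","params":[{"to":"0xC12c8d8F9706244ECa0ACf04E880F10fF4e52522"}]}'},
]
```

Only the benign-looking events that match the combined conditions fire; a developer's cmd.exe launching node.exe, or a plain Run entry pointing at an .exe, does not.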

Atos Threat Research Center has initiated formal takedown actions against identified distribution channels. Full indicators of compromise and additional technical analysis are available in the Atos CyberShield report.


Sources: The Hacker News, Atos Threat Research Center, eSentire TRU, Sysdig

For any query contact us at contact@cipherssecurity.com

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
