★ 8/10 · Security · 2026-04-30

EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades

Summary

A sophisticated malware campaign, identified in March 2026, uses SEO poisoning and a dual-stage GitHub distribution architecture to deliver malicious MSI installers to enterprise administrators. The campaign leverages Ethereum-based smart contracts for decentralized command-and-control (C2) resolution, making traditional domain-based blocking ineffective.

Key Points

  • Employs a two-stage GitHub delivery chain: a clean "facade" repository for SEO ranking and a secondary repository hosting the malicious MSI payload.
  • Utilizes SEO poisoning across major search engines, including Bing, Yahoo, DuckDuckGo, and Yandex, to target niche IT administrative terms.
  • Implements Blockchain-based Dead Drop Resolving (DDR) by querying a hardcoded Ethereum (ETH) smart contract address via public RPC endpoints to retrieve live C2 addresses.
  • Targets high-privilege accounts by impersonating essential utilities such as Sysinternals (ProcDump, Sysmon), cloud tools (AzCopy), and credential management tools (Windows LAPS).
  • Identified 44 separate GitHub facade repositories deployed between December 2025 and April 2026.

Technical Details

The distribution mechanism is designed for high resilience against platform-level takedowns. The initial "facade" repository contains no malicious code; it consists only of an SEO-optimized README file that directs users to a secondary, hidden GitHub repository. This separation allows the threat actors to rotate the payload-hosting account while the untouched facade keeps its search engine ranking. The payloads are distributed as MSI installers disguised as legitimate administrative tools, including Kusto Explorer, PsExec, and AzCopy; because the people who download such tools are typically administrators, the resulting footholds lend themselves to automated victim profiling and lateral movement.
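The facade-to-payload hand-off described above can be triaged from a README alone. The following is an added example (not code from the original report or from any project it names): given a repository's README text and its owner, it lists links that send the reader to a different GitHub account, and flags the combination of advertised admin-tool names with downloads hosted elsewhere. Every repository name and URL in it is a constructed placeholder, not an indicator from the campaign.

```python
"""Triage heuristic for GitHub "facade" repositories.

Added example, not code from the original report or from any project it
names. All repository names and URLs below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Tool names the report says were impersonated; a README that advertises
# these but hosts nothing itself is worth a second look.
IMPERSONATED_TOOLS = ("procdump", "sysmon", "psexec", "azcopy", "kusto", "laps")
INSTALLER_EXT = (".msi", ".exe", ".zip", ".7z")
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")


def classify_link(url, repo_owner):
    """Return a reason string if the link hands off to another GitHub owner, else None."""
    p = urlparse(url)
    if p.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [s for s in p.path.split("/") if s]
    if len(parts) < 2:
        return None
    if parts[0].lower() == repo_owner.lower():
        return None  # links into the same account are normal
    path = p.path.lower()
    if "/releases/download/" in path:
        return "release-asset"
    if path.endswith(INSTALLER_EXT):
        return "installer-file"
    return "other-owner-repo"


def facade_indicators(readme_text, repo_owner):
    """Summarise hand-off links and advertised tool names for one README."""
    handoffs = []
    for url in URL_RE.findall(readme_text):
        reason = classify_link(url, repo_owner)
        if reason:
            handoffs.append((url, reason))
    lowered = readme_text.lower()
    tools = [t for t in IMPERSONATED_TOOLS if t in lowered]
    # Facade pattern: advertises admin tools, and every download points
    # at someone else's account.
    payload_links = [h for h in handoffs if h[1] in ("release-asset", "installer-file")]
    return {
        "handoffs": handoffs,
        "tools_advertised": tools,
        "looks_like_facade": bool(tools) and bool(payload_links),
    }


# Constructed README modelled on the pattern in the report (not a real repo).
SAMPLE_README = """# ProcDump and Sysmon installers (2026 build)
Download the signed MSI packages here:
https://github.com/other-account-placeholder/tools-mirror/releases/download/v1.0/ProcDump-Setup.msi
Mirror repo: https://github.com/other-account-placeholder/tools-mirror
Project wiki: https://github.com/facade-owner-placeholder/procdump-docs/wiki
"""

if __name__ == "__main__":
    result = facade_indicators(SAMPLE_README, "facade-owner-placeholder")
    for url, reason in result["handoffs"]:
        print(f"{reason:17} {url}")
    print("looks_like_facade:", result["looks_like_facade"])
```

The heuristic deliberately ignores links that stay within the repository's own account, so an ordinary project that links to its own releases is not flagged; what it surfaces is a README whose only downloads live under someone else's account, which is exactly the separation the actors rely on to survive a takedown of the payload host.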

For command-and-control (C2) infrastructure, the malware uses a decentralized architecture to evade IP and domain blocklisting. Instead of contacting a hardcoded C2 address, the malware queries a public Ethereum RPC endpoint and retrieves the current C2 server address by reading data from a specific, hardcoded Ethereum smart contract. This lets the adversary rotate C2 infrastructure globally by updating the value stored in the contract, so the malware can always resolve its "home" as long as Ethereum gateways remain reachable.
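Because the dead-drop lookup is an ordinary JSON-RPC request to a public Ethereum gateway, the network-level signal defenders have is not a domain to block but an unexpected client talking to such a gateway. The following added detection example (not code from the original report) runs that logic over constructed proxy log lines. It assumes a proxy that records the requesting process and the POST body in the format shown in SAMPLE_LOG; the gateway hosts, process names and contract address are placeholders, not indicators from the campaign.

```python
"""Flag Ethereum JSON-RPC contract reads in web-proxy logs.

Added detection example, not code from the original report. The log format,
gateway hosts, process names and contract address are assumptions and
constructed placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Public Ethereum gateways. Placeholder values: build this from your own
# proxy data or a maintained list.
PUBLIC_ETH_RPC_HOSTS = {"eth-gateway.example.net", "rpc.example-node.org"}

# Processes permitted to talk to Ethereum nodes (e.g. an approved wallet).
ALLOWED_PROCESSES = {"approved-wallet.exe"}

# Image names of the admin tools the report says were impersonated. None of
# the genuine tools has any reason to read a smart contract.
IMPERSONATED_TOOLS = {"procdump.exe", "sysmon.exe", "psexec.exe", "azcopy.exe"}

# JSON-RPC methods that read contract state: the dead-drop lookup pattern.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) host=(?P<host>\S+) body=(?P<body>.*)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    proc: str
    host: str
    method: str
    contract: Optional[str]
    severity: str


def _contract_of(method, params):
    """Pull the contract address a state-read call targets, if present."""
    if not params:
        return None
    first = params[0]
    if method == "eth_call" and isinstance(first, dict):
        return first.get("to")
    if method == "eth_getStorageAt" and isinstance(first, str):
        return first
    if method == "eth_getLogs" and isinstance(first, dict):
        addr = first.get("address")
        return addr if isinstance(addr, str) else None
    return None


def analyze(lines) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["host"].lower() not in PUBLIC_ETH_RPC_HOSTS:
            continue
        proc = rec["proc"].lower()
        if proc in ALLOWED_PROCESSES:
            continue
        try:
            body = json.loads(rec["body"])
        except json.JSONDecodeError:
            continue
        # JSON-RPC permits batches, so normalise to a list of calls.
        calls = body if isinstance(body, list) else [body]
        for call in calls:
            if not isinstance(call, dict):
                continue
            method = call.get("method", "")
            if method not in STATE_READ_METHODS:
                continue
            severity = "high" if proc in IMPERSONATED_TOOLS else "medium"
            findings.append(Finding(rec["ts"], rec["src"], proc, rec["host"], method,
                                    _contract_of(method, call.get("params")), severity))
    return findings


# Constructed sample lines in the assumed proxy format.
SAMPLE_LOG = [
    '2026-04-02T09:14:03Z src=10.0.5.21 proc=procdump.exe host=eth-gateway.example.net '
    'body={"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000001","data":"0x"},"latest"]}',
    '2026-04-02T09:14:05Z src=10.0.5.21 proc=procdump.exe host=eth-gateway.example.net '
    'body={"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}',
    '2026-04-02T09:20:11Z src=10.0.7.9 proc=approved-wallet.exe host=eth-gateway.example.net '
    'body={"jsonrpc":"2.0","id":7,"method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000001","data":"0x"},"latest"]}',
    '2026-04-02T09:21:00Z src=10.0.7.9 proc=chrome.exe host=www.example.com body=GET /',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.src} {f.proc} -> {f.method} on {f.contract} via {f.host}")
```

Two design points: the rule keys on the state-reading methods rather than on any one contract address, since the actors control the address and can change it, and it raises severity when the caller is named after one of the impersonated tools, because the genuine ProcDump, Sysmon, PsExec and AzCopy never speak JSON-RPC to an Ethereum node. Seeing the request body at all assumes the proxy terminates TLS; without that, fall back to the host and process fields alone.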

Impact / Why It Matters

System administrators and DevOps engineers should verify the authenticity of administrative utilities, as search engine rankings are no longer a reliable indicator of software legitimacy. The use of blockchain-based C2 makes traditional network-level domain blocking ineffective against this specific threat.

security malware devops