Hackers Weaponize SEO and Fake GitHub Repos In EtherRAT Admin Assault
The operation is built for resilience: a clean-looking “storefront” repository lures victims first, then redirects them to a second repository that delivers the malicious MSI payload.
The attack starts with search poisoning across Bing, Yahoo, DuckDuckGo, and Yandex so that niche admin-tool queries push malicious GitHub results near the top.
The bait is highly targeted, because the fake downloads imitate tools such as PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer, ProcDump, and other utilities commonly used by administrators and security teams.
That focus matters because users who need these tools are more likely to have elevated access, which makes an infection much more valuable to the attacker.
Once the MSI is run, it drops a multi-stage payload that begins with an obfuscated .cmd file and then loads additional stages through Node.js.
Atos described the latest variant as a JavaScript-based RAT that uses layered AES-256-CBC encryption, in-memory execution, and a persistence mechanism through the Windows Run key.
The malware also downloads Node.js at runtime rather than bundling it, which keeps the installer smaller and helps it blend in with normal software activity.
The most unusual part of the campaign is the command-and-control design. Instead of connecting to a fixed domain, the malware queries public Ethereum RPC endpoints to retrieve a live server address from a smart contract. Atos said the malware checks multiple RPC services in parallel and uses the majority result, which makes the lookup more reliable and harder to disrupt.
This approach gives the operators a flexible control plane. They can update the stored address with a blockchain transaction, and infected systems will pick up the new C2 location automatically during the next lookup cycle.
Atos said this removes the need for traditional DNS changes or server redeployment, which weakens common takedown methods.
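The parallel multi-endpoint lookup described above is itself a detectable behaviour: an admin workstation rarely issues JSON-RPC `eth_call` requests to several different Ethereum RPC providers within seconds of each other. The following Python is an added example (not code from the article or from Atos) that flags that pattern in constructed proxy log lines; the log format, the `WINDOW` and `MIN_DISTINCT_ENDPOINTS` thresholds and the `rpc-*.example` hostnames are assumptions, not real indicators.

```python
"""Flag hosts that query several Ethereum RPC endpoints with eth_call in a short window.

Heuristic tied to the EtherRAT C2 lookup: the RAT asks multiple public RPC services
in parallel and takes the majority answer, so a burst of eth_call requests from one
host to several distinct endpoints is the signal a defender can look for.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: timestamp, source host, destination, HTTP verb,
# JSON-RPC method, user agent. Hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws-042 rpc-a.example POST eth_call node
2024-05-01T10:00:01Z ws-042 rpc-b.example POST eth_call node
2024-05-01T10:00:02Z ws-042 rpc-c.example POST eth_call node
2024-05-01T10:00:02Z ws-042 rpc-d.example POST eth_call node
2024-05-01T10:03:00Z ws-017 rpc-a.example POST eth_blockNumber Mozilla/5.0
2024-05-01T11:00:00Z ws-042 rpc-a.example POST eth_call node
"""

WINDOW = timedelta(seconds=30)        # assumed burst window for the parallel lookup
MIN_DISTINCT_ENDPOINTS = 3            # assumed threshold: 3+ providers hit inside WINDOW


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, rpc_method, user_agent)."""
    ts, src, dst, _verb, rpc_method, ua = line.split(maxsplit=5)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, rpc_method, ua


def find_parallel_rpc_lookups(log_text):
    """Return {src_host: sorted endpoints} for hosts that sent eth_call to at least
    MIN_DISTINCT_ENDPOINTS different RPC endpoints within WINDOW."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, rpc_method, _ua = parse_line(line)
        if rpc_method == "eth_call":          # only contract reads matter here
            per_host[src].append((ts, dst))
    hits = {}
    for src, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # endpoints contacted in the window opening at this event
            endpoints = {dst for ts, dst in events[i:] if ts - start <= WINDOW}
            if len(endpoints) >= MIN_DISTINCT_ENDPOINTS:
                hits[src] = sorted(endpoints)
                break
    return hits


if __name__ == "__main__":
    print(find_parallel_rpc_lookups(SAMPLE_LOG))
```

Because the address is fetched from a smart contract rather than from DNS, the lookup leaves no unusual DNS query; the burst of `eth_call` traffic (and the Node.js process issuing it) is the more reliable place to look.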
The RAT then polls its server in a way that resembles ordinary web traffic, using random-looking paths and file extensions to disguise beaconing.
It can receive JavaScript commands, execute them directly inside the Node.js process, and carry out file-system access, OS commands, and data theft without dropping a classic executable.
Atos said the campaign remains active and has continued to mature technically since the first observations.
Cyber defenders should treat this as a targeted enterprise access operation, not a spray-and-pray commodity malware wave.
The combination of SEO poisoning, trusted-platform abuse, and blockchain-based resilience makes it especially difficult to disrupt with routine blocklists alone.
The post Hackers Weaponize SEO and Fake GitHub Repos In EtherRAT Admin Assault appeared first on Cyber Security News.