{"id":769,"date":"2026-04-30T15:09:00","date_gmt":"2026-04-30T15:09:00","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=769"},"modified":"2026-04-30T15:09:00","modified_gmt":"2026-04-30T15:09:00","slug":"etherrat-distribution-spoofing-administrative-tools-via-github-facades","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=769","title":{"rendered":"EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades"},"content":{"rendered":"<div id=\"articlebody\">\n<h2>Intro<\/h2>\n<p>A sophisticated, high-resilience malicious campaign was identified by the Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating\u00a0<strong>Search Engine Optimization (SEO) poisoning<\/strong>, a\u00a0<strong>dual-stage GitHub distribution architecture<\/strong>, and\u00a0<strong>decentralized blockchain-based command-and-control (C2) resolution,<\/strong> the Threat Actors have established a highly resilient delivery and persistence mechanism.<\/p>\n<h3>Creative Distribution via GitHub Facades<\/h3>\n<p>The campaign utilizes a multi-layered delivery chain designed to evade platform-level takedowns and maintain a high search engine ranking. The attack begins with\u00a0<strong>SEO poisoning<\/strong> on various search engines, including Bing, Yahoo, DuckDuckGo, and Yandex, 
which ensures that malicious results for niche IT terms rank at the top of search results. Users are initially directed to a\u00a0<strong>primary \u00abfacade\u00bb GitHub repository<\/strong>. These repositories are optimized for SEO but contain no malicious code &#8211; just a professional-looking README file.<\/p>\n<p>To maintain operational flexibility, the README contains a link directing the victim to a\u00a0<strong>second, hidden GitHub repository<\/strong>, which serves as the true distribution point for the malware. By separating the SEO-optimized \u00abstorefront\u00bb from the payload delivery account, the threat actors can rapidly rotate their distribution repositories if flagged, while the primary search-indexed facade remains active and untouched.<\/p>\n<h3>Strategic Tool Impersonation and Victim Profiling<\/h3>\n<p>The campaign is characterized by its focus on the\u00a0<strong>administrative stack<\/strong>. By distributing malicious MSI installers disguised as tools like <strong>PsExec<\/strong>, <strong>AzCopy<\/strong>, <strong>Sysmon<\/strong>, <strong>LAPS<\/strong>, and <strong>Kusto Explorer<\/strong>, the adversary performs automated victim profiling. These utilities are almost exclusively used by personnel with elevated network and system permissions. A successful infection on an administrator\u2019s workstation may provide the \u00abkeys to the kingdom,\u00bb which can facilitate lateral movement inside the enterprise environment.<\/p>\n<h3>Decentralized Command and Control via Ethereum<\/h3>\n<p>The most technically significant aspect of the campaign is its implementation of\u00a0<strong>Blockchain-based Dead Drop Resolving (DDR)<\/strong>. Once the malicious MSI is executed, the malware does not reach out to a hardcoded domain or IP address, which could be easily blocklisted. 
Instead, the malware repeatedly queries a public\u00a0<strong>Ethereum (ETH) RPC endpoint<\/strong>.<\/p>\n<p>The malware is hardcoded with a specific <strong>Smart Contract address<\/strong> on the Ethereum blockchain. By querying this contract, the malware dynamically retrieves the live C2 server address. This technique provides the adversary with extreme resilience:<\/p>\n<ul>\n<li><strong>Infrastructure agility:<\/strong> The attacker can rotate C2 servers globally simply by updating the value stored in the blockchain contract.<\/li>\n<li><strong>Robustness:<\/strong> As long as public Ethereum gateways are accessible, the malware can always find its \u00abhome,\u00bb making traditional domain takedown or blocking efforts ineffective.<\/li>\n<\/ul>\n<h2>Research analysis<\/h2>\n<p>This research provides a comprehensive technical analysis of the current campaign, based on long-term observation and active detonation within a controlled environment. 
Our research moves beyond initial delivery vectors to examine the sophisticated infrastructure and post-exploitation behaviors.<\/p>\n<p>The following data points represent the core operational mechanics of the campaign, including:<\/p>\n<ul>\n<li><strong>Malware Distribution:<\/strong> a breakdown of the dual-stage GitHub repository architecture and the use of SEO poisoning to manipulate search engine results.<\/li>\n<li><strong>Administrative Tools Impersonation:<\/strong> a detailed look at the specific administrative utilities being impersonated to ensure the compromise of high-privilege IT personnel.<\/li>\n<li><strong>Malware Logic:<\/strong> analysis of the malicious MSI payloads, including their initial staging and persistent components.<\/li>\n<li><strong>Decentralized C2 Infrastructure:<\/strong> an investigation into the malware&#8217;s use of Ethereum Smart Contracts and public RPC gateways to dynamically resolve live Command and Control (C2) addresses.<\/li>\n<\/ul>\n<p><em>NOTE: During the finalization of the research, we identified a preliminary alert from KISA&amp;KrCERT\/CC regarding this threat actor\u2019s campaign &#8211; <a href=\"https:\/\/www.boho.or.kr\/kr\/bbs\/view.do?bbsId=B0000133&amp;pageIndex=1&amp;nttId=71998&amp;menuNo=205020\">LINK<\/a>. 
While their initial report provided early visibility, our longitudinal investigation confirms the campaign remains highly active and has undergone significant technical maturation.<\/em><\/p>\n<p><em>Our investigation further confirms that the malware is evolving, with several distinct variants and additional C2 infrastructure identified since the campaign&#8217;s inception.<\/em><\/p>\n<blockquote><p><em>Find out the latest threat intelligence and adversary research insights on <a href=\"https:\/\/atos.net\/en\/lp\/cybershield\">Atos Cyber Shield Blogs.<\/a><\/em><\/p><\/blockquote>\n<h3>Malware Distribution<\/h3>\n<p>The visualisation below shows the dual-stage distribution chain, in which the SEO-optimized facade repository redirects unsuspecting users to a secondary GitHub account hosting the malicious MSI. This modular architecture allows the threat actors to preserve their search engine rankings even if the individual payload delivery accounts are taken down.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEio-TH2qOlK5Ld069w-EoZuv9nBfYTm1ndoiCc-In7-PCtVPiesUrzxpCqRablttBoX6TLtOwb0E9wAiIZzugfFGsw1ADvzJlRPBr62vfXOOc114nu3qo7za52-qZ1HXDpLNT908imvSfzU0kaxz-xYX9Qmd-W1QF5_93uHTO1cgxBY0OuQLlRqxjG3NOjj\/s1700-e365\/seo.gif\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEio-TH2qOlK5Ld069w-EoZuv9nBfYTm1ndoiCc-In7-PCtVPiesUrzxpCqRablttBoX6TLtOwb0E9wAiIZzugfFGsw1ADvzJlRPBr62vfXOOc114nu3qo7za52-qZ1HXDpLNT908imvSfzU0kaxz-xYX9Qmd-W1QF5_93uHTO1cgxBY0OuQLlRqxjG3NOjj\/s1700-e365\/seo.gif\" alt=\"\" border=\"0\" data-original-height=\"473\" data-original-width=\"900\"\/><\/a><\/div>\n<p>The intrusion lifecycle begins with a search query via Bing (also Yahoo, DuckDuckGo, Yandex) for specialized IT 
administrative utilities. Through aggressive SEO poisoning, the threat actors ensure that the facade GitHub repository appears prominently among the top search results. In this instance, a user seeking\u00a0Kusto Explorer \u2013 a critical tool for engineers and analysts querying Azure Data Explorer via KQL \u2013 is led toward a non-malicious storefront designed to build initial trust.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiuwWoeYj6HGVlRndJPzhr2xh213C60nrNOkAizVyX0Gm2MTTNaA9nIVUKMpvaGd3mjdrTjMFr1LUOer45VkoCFNhkVaz9ZjjgrWAprabTaObqdFEJxpVfkoI07pnDErFuF8ul73hNcobnjCJ-dEDlkwh4Rc_QO9C7hYGtCQlPSNKDLqu1s3MF4ZilnDcM\/s1700-e365\/2.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiuwWoeYj6HGVlRndJPzhr2xh213C60nrNOkAizVyX0Gm2MTTNaA9nIVUKMpvaGd3mjdrTjMFr1LUOer45VkoCFNhkVaz9ZjjgrWAprabTaObqdFEJxpVfkoI07pnDErFuF8ul73hNcobnjCJ-dEDlkwh4Rc_QO9C7hYGtCQlPSNKDLqu1s3MF4ZilnDcM\/s1700-e365\/2.png\" alt=\"\" border=\"0\" data-original-height=\"863\" data-original-width=\"702\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Bing search for \u201ckusto explorer\u201d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiBda9Lifm2ZGCrWGSApSdvXSuoEtlXWZem17qAGiyCNXGeopyGspaSeUIT_A82qa1d5LKXjcKnxNPXk6VrhJMfdMMkupkTMEENnBbDINKyAtmqjZqTdD_QN8DbuTh4E-x2THtMkagsOg9Kkzh4qyAGmJTMfYHWpRYXzrxAO9jIFctku0OylFhdWRoq14Q\/s1700-e365\/3.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: 
center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiBda9Lifm2ZGCrWGSApSdvXSuoEtlXWZem17qAGiyCNXGeopyGspaSeUIT_A82qa1d5LKXjcKnxNPXk6VrhJMfdMMkupkTMEENnBbDINKyAtmqjZqTdD_QN8DbuTh4E-x2THtMkagsOg9Kkzh4qyAGmJTMfYHWpRYXzrxAO9jIFctku0OylFhdWRoq14Q\/s1700-e365\/3.png\" alt=\"\" border=\"0\" data-original-height=\"477\" data-original-width=\"699\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Bing search for \u201ckusto explorer download\u201d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The first repository the user opens is a storefront that impersonates the targeted administrative tool. This facade repo is intentionally clean of malware, acting only as a gateway to the second, malicious stage of the delivery process. This design is what lets it maintain a high search engine ranking.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhRkDFAJq4mXoDl-2ge0aK8CNPd2bQZWRaZM-h_fBMmqWJMOJFzEXqzWqCMPC7aU5tSU9WksIDLFGhEGHCZVo57Et-KBhVOGsFocfWHwKgEkoi25U5tCLhDHhrHPEJ4SUrJnO2SJiraH80zn6eqkU7bcbH_pCepyKWW0tR68y0NSNThWgo_qAQdurHi5kA\/s1700-e365\/4.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhRkDFAJq4mXoDl-2ge0aK8CNPd2bQZWRaZM-h_fBMmqWJMOJFzEXqzWqCMPC7aU5tSU9WksIDLFGhEGHCZVo57Et-KBhVOGsFocfWHwKgEkoi25U5tCLhDHhrHPEJ4SUrJnO2SJiraH80zn6eqkU7bcbH_pCepyKWW0tR68y0NSNThWgo_qAQdurHi5kA\/s1700-e365\/4.png\" alt=\"\" border=\"0\" data-original-height=\"839\" data-original-width=\"1572\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">First GitHub repo &#8211; used only as a 
facade<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh3LT7qK3JLqC4loHElrCAZeT4lloORUdM_jqwWgcuV9cs3U_WzjV68jc19PsvqC82UthIXnNaoZvQS8-gGG3QMBeb1xuibM7DO3S-sNAAmDF3VYmPXOnMibHZdcwVZzF78pUvssJ4WJLabCFGl92rL_nPMuHnhuBTQntD44g4ABx_-pdfC360I2laGlI4\/s1700-e365\/aa.png\" style=\"display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh3LT7qK3JLqC4loHElrCAZeT4lloORUdM_jqwWgcuV9cs3U_WzjV68jc19PsvqC82UthIXnNaoZvQS8-gGG3QMBeb1xuibM7DO3S-sNAAmDF3VYmPXOnMibHZdcwVZzF78pUvssJ4WJLabCFGl92rL_nPMuHnhuBTQntD44g4ABx_-pdfC360I2laGlI4\/s1700-e365\/aa.png\" alt=\"\" border=\"0\" data-original-height=\"210\" data-original-width=\"376\" style=\"display: block; height: auto; margin-left: auto; margin-right: auto; max-width: none; width: auto;\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">As we can see, it is the one that survives for quite a long time<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>By embedding a link in the README of a clean facade repository, Threat Actors effectively separate their search visibility from their malware distribution. This second repository hosts the actual malware, while the first remains untainted. This strategy allows for rapid recovery after a takedown, as the adversary only needs to update a single URL to restore their infection chain. 
This separation is key to the campaign\u2019s longevity, as the initial landing page appears benign to both users and security tools.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhCL1hUuDyZDk8B-5UmCJGlfneKpQO9XlkbOauAafSifB1SDR3-m4i29mErI9j3aS2OHy2EVADT-BCdipF_InJb3V79JLY7UK07WxHV3NQd4sMWufrVzSN2hPW2oF1XHyGYOnLT6bGb8L5Zm7DMeXIlZJkSvAAqAK3GYG6A0Tdb2jS85Doje_KqX7QR56o\/s1700-e365\/5.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhCL1hUuDyZDk8B-5UmCJGlfneKpQO9XlkbOauAafSifB1SDR3-m4i29mErI9j3aS2OHy2EVADT-BCdipF_InJb3V79JLY7UK07WxHV3NQd4sMWufrVzSN2hPW2oF1XHyGYOnLT6bGb8L5Zm7DMeXIlZJkSvAAqAK3GYG6A0Tdb2jS85Doje_KqX7QR56o\/s1700-e365\/5.png\" alt=\"\" border=\"0\" data-original-height=\"496\" data-original-width=\"933\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Link to second GitHub repo that serves malware to the user<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0v_XUMuWyvd5NNIpFukzTpDjnoKjbVM7e0_6yxm7BWAGJ58AEiKF-3tZUOM6-1YA-VbptHbf5SnvaPJ03QhXAiLqQ3OP8QwTVWrUf-JMAeXi2vEjkwbq9b0LXwxeQudbQHN4x7zvwItgzyekct4_8hx8-7FmnGDRDu6zl2rXhyphenhyphenbAbEtB5y61Qd7x75Gw\/s1700-e365\/6.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0v_XUMuWyvd5NNIpFukzTpDjnoKjbVM7e0_6yxm7BWAGJ58AEiKF-3tZUOM6-1YA-VbptHbf5SnvaPJ03QhXAiLqQ3OP8QwTVWrUf-JMAeXi2vEjkwbq9b0LXwxeQudbQHN4x7zvwItgzyekct4_8hx8-7FmnGDRDu6zl2rXhyphenhyphenbAbEtB5y61Qd7x75Gw\/s1700-e365\/6.png\" alt=\"\" border=\"0\" data-original-height=\"739\" data-original-width=\"1014\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Historical Commits in facade GitHub: we can see changes of links to second GitHub repo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The redirection leads the user to a second GitHub repository where the malicious software is hosted. This secondary site acts as the final stage in the distribution chain, providing the direct download for the malware impersonating administrative tools.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWrUlIaHCEvWlwq8kUDcYP9OjiAyag94UijTACZft-pypCqja0I_LooZbeK5GqYnMvGoqA6nuxP9124pgbao6AMvcOyn7c4gCNHUyCImBtIEDZJnZtTKHE2acJnrgu0lx11p1etKZXWsMEcGegAu6kkF2pvd4OabOyNeo88Aeb7AHa3fm1Gf5Te5AvcvU\/s1700-e365\/7.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWrUlIaHCEvWlwq8kUDcYP9OjiAyag94UijTACZft-pypCqja0I_LooZbeK5GqYnMvGoqA6nuxP9124pgbao6AMvcOyn7c4gCNHUyCImBtIEDZJnZtTKHE2acJnrgu0lx11p1etKZXWsMEcGegAu6kkF2pvd4OabOyNeo88Aeb7AHa3fm1Gf5Te5AvcvU\/s1700-e365\/7.png\" alt=\"\" border=\"0\" data-original-height=\"418\" data-original-width=\"935\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Second GitHub used to host malware<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" 
style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZtINcmRN5BJSKAhoYOk3IO0vRgpmdmL7V28-nXVWTq3VlAXVMvhAQnpGdQwqHFG0A5cUsWL62JKeHvfuegPiE-uSY2ah68jabED4GN7o8eY87U_tGefSx_0R6dKsUeT-1MxS58v4bGnXjCNYHDnDKnpT_lF6PDcDPVpLKsq7GI91vhmMasFzx9HcdHKA\/s1700-e365\/55.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZtINcmRN5BJSKAhoYOk3IO0vRgpmdmL7V28-nXVWTq3VlAXVMvhAQnpGdQwqHFG0A5cUsWL62JKeHvfuegPiE-uSY2ah68jabED4GN7o8eY87U_tGefSx_0R6dKsUeT-1MxS58v4bGnXjCNYHDnDKnpT_lF6PDcDPVpLKsq7GI91vhmMasFzx9HcdHKA\/s1700-e365\/55.png\" alt=\"\" border=\"0\" data-original-height=\"225\" data-original-width=\"1101\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Malware downloaded by the user<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The threat actor has successfully hijacked the search results for a larger set of the Windows administrative stack, placing malicious storefronts at the very top of Bing. This dominant search presence effectively masks the threat, as the facade repositories appear as the primary, verified download locations for essential IT tools. 
Such high visibility on the front page is the critical factor that could give the campaign broader reach into corporate environments.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhbpxCCGsQ6I5VusGSUBYQmAzv951pcKNIflJn1pJKQ4UL9UvqewIcBqJL-NAyLv_itJpy7GhCOiXMacWxcWUVO-1eqscYRaELDZR2X8fScrAbmwTldxCSq6n4gUHRESSqxQqTg3kdZbDmjfzHmPSTANtuVVrug_9KL9A10XE47nC4u94hcgaAlfHfQYh8\/s1700-e365\/8.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhbpxCCGsQ6I5VusGSUBYQmAzv951pcKNIflJn1pJKQ4UL9UvqewIcBqJL-NAyLv_itJpy7GhCOiXMacWxcWUVO-1eqscYRaELDZR2X8fScrAbmwTldxCSq6n4gUHRESSqxQqTg3kdZbDmjfzHmPSTANtuVVrug_9KL9A10XE47nC4u94hcgaAlfHfQYh8\/s1700-e365\/8.png\" alt=\"\" border=\"0\" data-original-height=\"886\" data-original-width=\"1109\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">\u201cProcDump\u201d Bing SEO poisoning and Threat Actors GitHub repo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjyc0Y4oOSFGsB1PqVsb3qCBOku_MX1cFnZEFK6TErRs6hyphenhyphen0Fa52x6mwb3mcsZ3oz2M4-vAHchFrrVl-4scZ0DVHlvV6SZQ_cbE_VEMJ-JMpQQnsX7pym1lwKFyRJZCTpsRO_d08XIfv576OTY4zXoEFgBNJD_GMx4qkFJoUcNAkPCedQRBw9RytRlOIi8\/s1700-e365\/9.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjyc0Y4oOSFGsB1PqVsb3qCBOku_MX1cFnZEFK6TErRs6hyphenhyphen0Fa52x6mwb3mcsZ3oz2M4-vAHchFrrVl-4scZ0DVHlvV6SZQ_cbE_VEMJ-JMpQQnsX7pym1lwKFyRJZCTpsRO_d08XIfv576OTY4zXoEFgBNJD_GMx4qkFJoUcNAkPCedQRBw9RytRlOIi8\/s1700-e365\/9.png\" alt=\"\" border=\"0\" data-original-height=\"712\" data-original-width=\"1097\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">\u201cLAPS\u201d Bing SEO poisoning and Threat Actors GitHub repo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYsa-SNSPZ2MwoX4v-6PfK_j4Nmc-7lFOfxKkMBJu8BJ5BJAI6du2DVa-3a7sjYO7Jf5RgMddv0_R89EkvAdm0I5oz3NdNqiPNgh7XJrJFC7TcBg4J3fYDS5xwR-WnuWXSqusrtvXwC2j6NYdpCTHsdMCC6atkSn8zHk7eMu-n28mSQG9swAVMOD5Z8T0\/s1700-e365\/10.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYsa-SNSPZ2MwoX4v-6PfK_j4Nmc-7lFOfxKkMBJu8BJ5BJAI6du2DVa-3a7sjYO7Jf5RgMddv0_R89EkvAdm0I5oz3NdNqiPNgh7XJrJFC7TcBg4J3fYDS5xwR-WnuWXSqusrtvXwC2j6NYdpCTHsdMCC6atkSn8zHk7eMu-n28mSQG9swAVMOD5Z8T0\/s1700-e365\/10.png\" alt=\"\" border=\"0\" data-original-height=\"704\" data-original-width=\"1099\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">\u201cBgInfo\u201d Bing SEO poisoning and Threat Actors GitHub repo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEixPrnmLQouMyJZ1vE1yI6I_t1b77tRPnpY11NM6EV-r1UNzdv4KPq8JpoNsPQ-aWvmo5eKw6cwOrvTL5xmqypckh_JWXIcLMdwaW-qXYCCIwxk_VQ82G_Sg9yYBKEtgJ0vley33_DAGdqnVYAogJNnnKkjEmHS2h81wgbGYhVu6pwdjkdtVLCrofgMjQk\/s1700-e365\/11.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEixPrnmLQouMyJZ1vE1yI6I_t1b77tRPnpY11NM6EV-r1UNzdv4KPq8JpoNsPQ-aWvmo5eKw6cwOrvTL5xmqypckh_JWXIcLMdwaW-qXYCCIwxk_VQ82G_Sg9yYBKEtgJ0vley33_DAGdqnVYAogJNnnKkjEmHS2h81wgbGYhVu6pwdjkdtVLCrofgMjQk\/s1700-e365\/11.png\" alt=\"\" border=\"0\" data-original-height=\"499\" data-original-width=\"829\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">DuckDuckGo SEO poisoning and Threat Actors GitHub repo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_xT6muiapwOgAiIl8dRD8i-EBG5tR-xN8LCenqYaHXZuACdwTigzAalFtXaxYDnqUSldh_hRx48e0quJelPIZkJU56r9CvZFXaf-myQV2EPetSUrmh8UNnO6BH1KtDaNTrWxVk5_Y5ds7BI-8sUpowfySstvBQfGlDzIoTvGLUmkk-ilptoBldOPuop4\/s1700-e365\/12.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_xT6muiapwOgAiIl8dRD8i-EBG5tR-xN8LCenqYaHXZuACdwTigzAalFtXaxYDnqUSldh_hRx48e0quJelPIZkJU56r9CvZFXaf-myQV2EPetSUrmh8UNnO6BH1KtDaNTrWxVk5_Y5ds7BI-8sUpowfySstvBQfGlDzIoTvGLUmkk-ilptoBldOPuop4\/s1700-e365\/12.png\" alt=\"\" border=\"0\" data-original-height=\"601\" data-original-width=\"819\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Yandex SEO poisoning and Threat Actors GitHub 
repo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEji5ttPnVbrHgTbQ22YDjFNnjK0xtKiFUgeIdeOJOcE5SX4nmrm16078K_smC1zOX-OSlbhlD9pZWwLoXqqhm37M_FnASQcQtZmMr0arZ8iKl3fgpR9nBY_lKljEjs5CD2dYZDDH3HV2AIA-srUmYk1DbD5i5eirP7ELsJEhQue_QG21dB7KvVb3IaCtP8\/s1700-e365\/13.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEji5ttPnVbrHgTbQ22YDjFNnjK0xtKiFUgeIdeOJOcE5SX4nmrm16078K_smC1zOX-OSlbhlD9pZWwLoXqqhm37M_FnASQcQtZmMr0arZ8iKl3fgpR9nBY_lKljEjs5CD2dYZDDH3HV2AIA-srUmYk1DbD5i5eirP7ELsJEhQue_QG21dB7KvVb3IaCtP8\/s1700-e365\/13.png\" alt=\"\" border=\"0\" data-original-height=\"424\" data-original-width=\"982\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Yahoo SEO poisoning and Threat Actors GitHub repo<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Between early December 2025 and April 1, 2026, the threat actor deployed 44 separate GitHub facades, each spoofing a different administrative or developer tool. 
This high-volume approach indicates a sustained effort to maximize search engine visibility and capture a diverse range of high-privilege victims.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEixcaB6luJdC7UefJLKE9Y3o2Vq_m7p1OTmvcrF2TuXGEeJDMxLXCxwK9xHY96-nPGzsDpRQrsqVUZPA-t9Mwd6J_Qi2KC-21utu4kzk6iSBDzf0yU60eNj0A-0ZaqQ5oFXsuzYrsUrYihCw6PoRBe9AUQB_SvXuZytfhQTpz7KO2ZzqB6_4uwHbfAk5qk\/s1700-e365\/14.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEixcaB6luJdC7UefJLKE9Y3o2Vq_m7p1OTmvcrF2TuXGEeJDMxLXCxwK9xHY96-nPGzsDpRQrsqVUZPA-t9Mwd6J_Qi2KC-21utu4kzk6iSBDzf0yU60eNj0A-0ZaqQ5oFXsuzYrsUrYihCw6PoRBe9AUQB_SvXuZytfhQTpz7KO2ZzqB6_4uwHbfAk5qk\/s1700-e365\/14.png\" alt=\"\" border=\"0\" data-original-height=\"437\" data-original-width=\"764\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Total 44 malicious GitHub repositories identified<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Administrative Tools Impersonation<\/h3>\n<table>\n<tbody>\n<tr style=\"background-color: #f2f2f2; border: 1px solid rgb(204, 204, 204);\">\n<td style=\"border: 1px solid rgb(204, 204, 204);\">Category<\/td>\n<td style=\"border: 1px solid rgb(204, 204, 204);\">Impersonated tools<\/td>\n<\/tr>\n<tr>\n<td>Sysinternals \/ Diagnostics<\/td>\n<td>Autoruns, ProcDump, RAMMap, TCPView, Process Monitor, Process Explorer, Disk2vhd, Sysmon, DebugView, WinDbg, BgInfo<\/td>\n<\/tr>\n<tr>\n<td>AD \/ Credential \/ Admin<\/td>\n<td>Windows ADK, Windows LAPS, RSAT, IIS Crypto, Profwiz, PCmover, Transwiz, Delprof2<\/td>\n<\/tr>\n<tr>\n<td>Remote Access<\/td>\n<td>Dameware, SecureCRT, SuperPuTTY, ScreenConnect Client, Bitvise SSH Client, 
TeraTerm<\/td>\n<\/tr>\n<tr>\n<td>Data Transfer \/ Cloud<\/td>\n<td>AzCopy, FSLogix, PCmover, Transwiz<\/td>\n<\/tr>\n<tr>\n<td>Security \/ Auth<\/td>\n<td>AppLocker, SafeNet Authentication Client, NSSM<\/td>\n<\/tr>\n<tr>\n<td>Network \/ Debugging<\/td>\n<td>PRTG Network Monitor, HTTP Debugger<\/td>\n<\/tr>\n<tr>\n<td>Utility \/ Business Apps<\/td>\n<td>KDiff3, Beyond Compare, BarTender, PaperPort<\/td>\n<\/tr>\n<tr>\n<td>Misc Sysadmin Tools<\/td>\n<td>Autologon, Kusto Explorer, LEAP Desktop, VMware Tools<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The identified Threat Actors\u2019 campaign specifically targets the professional toolsets of enterprise administrators, systems engineers, and security practitioners. Unlike traditional malware campaigns that cast a wide net across general consumers, this <strong>activity is surgically focused on the \u00abcrown jewel\u00bb accounts of the enterprise<\/strong>. By leveraging Search Engine Optimization (SEO) poisoning, the adversary is distributing malicious MSI installers that mimic essential infrastructure management and diagnostic tools. The <strong>primary objective is the compromise of high-privilege credentials<\/strong> and the establishment of persistent backdoors within corporate environments, <strong>which can lead to large-scale breaches<\/strong>.<\/p>\n<p>The current threat landscape is defined by the strategic impersonation of utilities foundational to modern IT operations, such as PsExec, AzCopy, Sysmon, and LAPS. The rationale for selecting these specific targets is rooted in an advanced victim profiling model. Because a standard user very rarely interacts with a debugger like WinDbg or a deployment kit like Windows ADK, the adversary ensures that every successful infection lands on a machine belonging to a user with elevated system or network permissions.<\/p>\n<p>The psychological component of this campaign is also particularly aggressive. 
Many of these utilities are the tools defenders use to investigate malicious activity. This creates an \u00abirony lure\u00bb where a security professional, attempting to diagnose a perceived issue using a tool like Process Explorer or TCPView, inadvertently introduces a threat. By delivering these via legitimate-looking MSI packages, the attackers bypass the initial suspicion often associated with raw scripts or standalone executables.<\/p>\n<p>The consequences of an infection might be devastating. Given the administrative nature of the victims, this often transitions into a \u00abkeys to the kingdom\u00bb scenario.<\/p>\n<h3>Malware Logic<\/h3>\n<p>Atos TRC has analyzed a number of .msi installers from the identified malicious repositories. Since the malware evolved over time, this analysis focuses on its latest variant. All paths, file names, extensions, and keys shown are specific to one single sample, as they are randomly generated for each.<\/p>\n<p>This malware is a multi-stage, fileless-style Remote Access Trojan (RAT) written in JavaScript, delivered as a malicious MSI installer impersonating various IT administration and enterprise sysadmin tools. It uses layered AES-256-CBC encryption to conceal its payload, a blockchain-based dead-drop resolver for resilient C2 communication, and an AsyncFunction constructor engine for arbitrary remote code execution. Node.js is downloaded at runtime from nodejs.org rather than bundled, keeping the package small (~4.7 MB) at the cost of requiring internet access during infection. 
Ultimately, Atos Researchers identified it to be an <a href=\"https:\/\/www.esentire.com\/blog\/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons\">EtherRat<\/a> malware, a recently emerging threat using Ethereum to store C2 URL addresses, preventing takedown of the infrastructure.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgZPIYihSFYLQOyj5Z7dVXoMB4MbXVCIwDq787qWPZUtVtVFMB7a7h4SUfVlr0_ar4R_kAx3Pf3k3QS42EOSP3ZluP3QruU8nD_t_aaO4ZfdjT_fPmFowzviLMaEdmZxGD9-ej0mkULLwTIKVwU0-8ZUEQZSAZ5yver1bb1DNBadcCTxQ6hWWEfTIB8kDE\/s1700-e365\/15.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgZPIYihSFYLQOyj5Z7dVXoMB4MbXVCIwDq787qWPZUtVtVFMB7a7h4SUfVlr0_ar4R_kAx3Pf3k3QS42EOSP3ZluP3QruU8nD_t_aaO4ZfdjT_fPmFowzviLMaEdmZxGD9-ej0mkULLwTIKVwU0-8ZUEQZSAZ5yver1bb1DNBadcCTxQ6hWWEfTIB8kDE\/s1700-e365\/15.png\" alt=\"\" border=\"0\" data-original-height=\"1635\" data-original-width=\"802\"\/><\/a><\/div>\n<p>Latest versions of installers consist of four files. 
When the MSI is executed, these files are extracted, and a CMD batch script is run via a Custom Action, initiating the chain that leads to RAT deployment:<\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEitWqGSmCa645GN75weIIJSpQWmhU0JopGqcfirFhgi75MTXafHkE5xWoJJ_YAJbRXIpMCbbk1u6D4G8Pu1HVF2tx_CStQQ2_Pg44abuGVskpTiK_JYS5ypr_Oy8ESCN2voB00Xs4Oshm2s_7MVWDNQWinYc7eHj0K0nFzY4wsHfnaBihCbf_sGudy1Y2M\/s1700-e365\/16.png\" style=\"display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEitWqGSmCa645GN75weIIJSpQWmhU0JopGqcfirFhgi75MTXafHkE5xWoJJ_YAJbRXIpMCbbk1u6D4G8Pu1HVF2tx_CStQQ2_Pg44abuGVskpTiK_JYS5ypr_Oy8ESCN2voB00Xs4Oshm2s_7MVWDNQWinYc7eHj0K0nFzY4wsHfnaBihCbf_sGudy1Y2M\/s1700-e365\/16.png\" alt=\"\" border=\"0\" data-original-height=\"137\" data-original-width=\"617\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">MSI content screenshot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>It is important to note that file extensions differed among the analyzed samples, but \u201c.cmd\u201d was always the initiating file. 
The table contains a few examples:<\/p>\n<table border=\"1\" style=\"border-collapse: collapse;\">\n<tbody>\n<tr>\n<td rowspan=\"2\">Stage #<\/td>\n<td colspan=\"4\">Extensions<\/td>\n<\/tr>\n<tr>\n<td>Sample #1<\/td>\n<td>Sample #2<\/td>\n<td>Sample #3<\/td>\n<td>Sample #4<\/td>\n<\/tr>\n<tr>\n<td>0 &#8211; Dropper<\/td>\n<td>.cmd<\/td>\n<td>.cmd<\/td>\n<td>.cmd<\/td>\n<td>.cmd<\/td>\n<\/tr>\n<tr>\n<td>1 \u2013 In-memory loader<\/td>\n<td>.bak<\/td>\n<td>.cfg<\/td>\n<td>.xml<\/td>\n<td>.tmp<\/td>\n<\/tr>\n<tr>\n<td>2 \u2013 Loader\/Persistence<\/td>\n<td>.xml<\/td>\n<td>.bak<\/td>\n<td>.bak<\/td>\n<td>.dat<\/td>\n<\/tr>\n<tr>\n<td>3 &#8211; RAT<\/td>\n<td>.cfg<\/td>\n<td>.bin<\/td>\n<td>.xml<\/td>\n<td>.log<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>File names, decryption keys, secrets, directory names, and extensions presented below are extracted from the latest installer version.<\/p>\n<h4><em>STAGE 0 &#8211; DROPPER<\/em><\/h4>\n<p>File: VW80IqXy.cmd (2,377 bytes)<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgj8waI8NIO25kKiMc6s9zNmnHt0PfM_BYteZPVXqNnjeo1H28wUlDtEPrbC_N6Noska4XWIKIulcfnsRV9I3QSyaMFc2VlBVM7ZTB5ERiVIdbPyFTLKPem_QGERWx7THLgPYct9w6CxTLfmT2yFYrrkkRNozhaKtdTByDOdwCX0vZ54rvKVf7PiUhNvY4\/s1700-e365\/17.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgj8waI8NIO25kKiMc6s9zNmnHt0PfM_BYteZPVXqNnjeo1H28wUlDtEPrbC_N6Noska4XWIKIulcfnsRV9I3QSyaMFc2VlBVM7ZTB5ERiVIdbPyFTLKPem_QGERWx7THLgPYct9w6CxTLfmT2yFYrrkkRNozhaKtdTByDOdwCX0vZ54rvKVf7PiUhNvY4\/s1700-e365\/17.png\" alt=\"\" border=\"0\" data-original-height=\"751\" data-original-width=\"849\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Stage 0 
code screenshot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The malware&#8217;s entry point is a heavily obfuscated Windows batch script (VW80IqXy.cmd), launched at SYSTEM privilege by the MSI CustomAction immediately after file extraction. Its primary obfuscation mechanism splits all sensitive command names &#8211; including curl, tar, copy, start, and cmd &#8211; across multiple SET variable assignments that are silently concatenated at runtime, ensuring no recognizable keywords appear in the raw file and defeating simple string-based static analysis. To ensure execution in a hidden window regardless of how the MSI launched it, the script immediately re-launches itself as a minimized background process and exits, with the re-launched copy performing all actual work. That copy proceeds to create a build-specific staging directory under %LOCALAPPDATA%\\, download the Node.js runtime from its official distribution endpoint to a temporary archive via curl, extract it into a build-specific runtime subdirectory within the staging directory, and delete the zip archive to minimize forensic artifacts on disk. 
With the environment prepared, the script hands off execution to Stage 1 by invoking the bundled node.exe against the first-stage payload file and terminates, carrying no persistence mechanism of its own and playing no further role in the infection chain.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: right;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEibadIm3Xy5RzaXPS08dbA_CjjS95mtHEmvg1wFvIpPwZ06L8uDFoqOafkwdTaSsH0-lKNRMpovhDNPgN2sMQYuSyBFhhBq8F3bSSr0Aw2n2o_uVmZTQxRnTNKFqb7xdkx9yU98MJ8jnDiHPXMsfO6WZOsG5_G2b9EMc-jxGh-CEXnPjiDbhHpDJ9Y04Rk\/s1700-e365\/11.jpg\" style=\"clear: right; display: block; margin-bottom: 1em; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEibadIm3Xy5RzaXPS08dbA_CjjS95mtHEmvg1wFvIpPwZ06L8uDFoqOafkwdTaSsH0-lKNRMpovhDNPgN2sMQYuSyBFhhBq8F3bSSr0Aw2n2o_uVmZTQxRnTNKFqb7xdkx9yU98MJ8jnDiHPXMsfO6WZOsG5_G2b9EMc-jxGh-CEXnPjiDbhHpDJ9Y04Rk\/s1700-e365\/11.jpg\" alt=\"\" border=\"0\" data-original-height=\"631\" data-original-width=\"336\" style=\"display: block; height: auto; margin-left: auto; margin-right: auto; max-width: none; width: auto;\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Stage 0 simplified graph (<a href=\"https:\/\/github.com\/Atos-TRC\/EtherRAT-appendixes?tab=readme-ov-file#stage-0--msi-customaction--initialization\" target=\"_blank\">link<\/a> to detailed)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><em>STAGE 1 \u2013 In-memory loader<\/em><\/h4>\n<p>File: ZOVTSc3WW9wotbj.bak (472 bytes)<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhf4ifLsqV_OYNYWBWhc3XSCLWE2U92JTSKBNE6MWmD09dtGLt9hag1OEDVqSuX7cd2DP9l8U1GhKuM3NSTd_O7Krgf17VhqlhqSbBx_9JID-Pk3KdvBKWZWJy1oMz0kyjSoSkwbnVy0ggq-ALHBsoPvPm0L3Vg4PQoTAOod_GJsScf6lxaCDRJcpZLFD8\/s1700-e365\/19.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhf4ifLsqV_OYNYWBWhc3XSCLWE2U92JTSKBNE6MWmD09dtGLt9hag1OEDVqSuX7cd2DP9l8U1GhKuM3NSTd_O7Krgf17VhqlhqSbBx_9JID-Pk3KdvBKWZWJy1oMz0kyjSoSkwbnVy0ggq-ALHBsoPvPm0L3Vg4PQoTAOod_GJsScf6lxaCDRJcpZLFD8\/s1700-e365\/19.png\" alt=\"\" border=\"0\" data-original-height=\"174\" data-original-width=\"890\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Stage 1 code screenshot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>A minimal Node.js script. Unobfuscated and fully readable. It is never saved onto the disk. 
Its main goal is to read the file containing the second-stage payload (in this example, \u201ctQqoxkAJFhqWtg5.xml\u201d), decrypt it using a hardcoded key and initialization vector (IV), and execute it in memory via \u201cmodule._compile()\u201d<\/p>\n<p>AES-256-CBC credentials from example:<\/p>\n<ul style=\"text-align: left;\">\n<li>Key : F4J\/454U+W0+8y7L+L9MxSY15rB0KoSeQkPauifCTiQ=<\/li>\n<li>IV\u00a0 : RXvUsgFBwDx9HuOhpkoiqQ==<\/li>\n<\/ul>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1RpieyU5nf780d6ZN1xVZ2SYl9kmOl7jEIl1vvZqNKbEkL90LBjOH0vNp7u3Hdg63yLIYn9hfDSkTrn5Z6NpXx5ssmRHqbsC2_Xph7NcwC65B5d6oA42l2aC8W1T76sx6vZeOfQ38tImZqyFjCWgLE7ytdkPk68D_VeQSFxMQM4vvvA1RnsVQ3wDUokk\/s1700-e365\/22.jpg\" style=\"display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1RpieyU5nf780d6ZN1xVZ2SYl9kmOl7jEIl1vvZqNKbEkL90LBjOH0vNp7u3Hdg63yLIYn9hfDSkTrn5Z6NpXx5ssmRHqbsC2_Xph7NcwC65B5d6oA42l2aC8W1T76sx6vZeOfQ38tImZqyFjCWgLE7ytdkPk68D_VeQSFxMQM4vvvA1RnsVQ3wDUokk\/s1700-e365\/22.jpg\" alt=\"\" border=\"0\" data-original-height=\"212\" data-original-width=\"335\" style=\"display: block; height: auto; margin-left: auto; margin-right: auto; max-width: none; width: auto;\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Simplified Stage 1 graph (<a href=\"https:\/\/github.com\/Atos-TRC\/EtherRAT-appendixes?tab=readme-ov-file#stage-1--decryption--in-memory-execution\" rel=\"nofollow\" target=\"_blank\">link<\/a> to detailed)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><em>STAGE 2 \u2013 Loader\/Persistence<\/em><\/h4>\n<p>File: tQqoxkAJFhqWtg5.xml (2,096 bytes encrypted)<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" 
class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlxe4RHdRRDbsl8ZCAOl3tjuGZ2dQ8cHtYSo7f4f7SjjpdG0ycYZeH6RYUxl0CSIvaIX0rb0ayQMAxVZN0gXkX5-sIIKY-xP4RATIIiO5yQgflCSG36GrTaGfghFrtWjxzB5GkHOFinQMJp5Y5lmRnITdrHOhpKRjuMUKc0BSNWOqfOFreqpgtEpTYpmQ\/s1700-e365\/21.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlxe4RHdRRDbsl8ZCAOl3tjuGZ2dQ8cHtYSo7f4f7SjjpdG0ycYZeH6RYUxl0CSIvaIX0rb0ayQMAxVZN0gXkX5-sIIKY-xP4RATIIiO5yQgflCSG36GrTaGfghFrtWjxzB5GkHOFinQMJp5Y5lmRnITdrHOhpKRjuMUKc0BSNWOqfOFreqpgtEpTYpmQ\/s1700-e365\/21.png\" alt=\"\" border=\"0\" data-original-height=\"561\" data-original-width=\"1266\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Stage 2 code screenshot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiBtRRKNqMvyEu_4cxBFUE5vsEG17s8mkamP22E354PC66BZEKrbebVDdZM9LMnEIc4pczp9QlaQpIU8n80xy06N-464bBojyOTtqcSY0JQ8Ka68Lks4bh0UEKiXf67gy-0l043jIfvoxYdCxE4gMHPdz9sXN3CAzJFqr8gddtg6soipLFNjtUYEONQHy4\/s1700-e365\/22.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiBtRRKNqMvyEu_4cxBFUE5vsEG17s8mkamP22E354PC66BZEKrbebVDdZM9LMnEIc4pczp9QlaQpIU8n80xy06N-464bBojyOTtqcSY0JQ8Ka68Lks4bh0UEKiXf67gy-0l043jIfvoxYdCxE4gMHPdz9sXN3CAzJFqr8gddtg6soipLFNjtUYEONQHy4\/s1700-e365\/22.png\" alt=\"\" border=\"0\" data-original-height=\"354\" data-original-width=\"1266\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" 
style=\"text-align: center;\">Stage 2 decrypted code screenshot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Decrypted and executed in-memory by Stage 1. It is an intermediary stage that decrypts the content of the obfuscated Stage 3 payload (0cZeeDPZMsxWtaK.cfg), writes this content into a new file (4S3HKjraAP.cfg) and then executes it via node.exe wrapped by \u201cconhost.exe --headless\u201d, which disguises the process in Task Manager as a standard console host. Additionally, it creates persistence via the registry Run key.<\/p>\n<p>AES-256-CBC credentials from example:<\/p>\n<ul style=\"text-align: left;\">\n<li>Key : m+wOc81aCEKfGEOpZsEr8WAN4O8mJnEoalp3LwZau0A=<\/li>\n<li>IV\u00a0 : cOoXZ1ImLZ\/V90MLhCpVJw==<\/li>\n<\/ul>\n<p>Registry persistence from example:<\/p>\n<ul style=\"text-align: left;\">\n<li>Key\u00a0 : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/li>\n<li>Name : &lt;6-byte random hex, regenerated on every fresh install&gt;<\/li>\n<li>Data : conhost.exe --headless 1FgUre\\node.exe 4S3HKjraAP.cfg<\/li>\n<\/ul>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRVgTTnW-uvnj7gm5jCrHolrc_Ht8tU4ha-12_bfqSYfHGePKDIu0-NQG4X-GicvJiNwoUWW9q4tVUY1VbqLVL__DkmlxI36zLvRqACkPOoNU8qAXPhkHThJcTgWmf742nrJ2o-BPHb8L_bNtGi0F0yf-M_hqLX_3pzhkDXMJab-zlw1NGZeU2dUsD4K0\/s1700-e365\/33.jpg\" style=\"display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRVgTTnW-uvnj7gm5jCrHolrc_Ht8tU4ha-12_bfqSYfHGePKDIu0-NQG4X-GicvJiNwoUWW9q4tVUY1VbqLVL__DkmlxI36zLvRqACkPOoNU8qAXPhkHThJcTgWmf742nrJ2o-BPHb8L_bNtGi0F0yf-M_hqLX_3pzhkDXMJab-zlw1NGZeU2dUsD4K0\/s1700-e365\/33.jpg\" alt=\"\" border=\"0\" data-original-height=\"505\" 
data-original-width=\"334\" style=\"display: block; height: auto; margin-left: auto; margin-right: auto; max-width: none; width: auto;\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Simplified Stage 2 graph (<a href=\"https:\/\/github.com\/Atos-TRC\/EtherRAT-appendixes?tab=readme-ov-file#stage-2--stage-3-decryption-launch--persistence\" rel=\"nofollow\" target=\"_blank\">link<\/a> to detailed)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><em>STAGE 3 &#8211; RAT<\/em><\/h4>\n<p>File: 0cZeeDPZMsxWtaK.cfg (encrypted) \/ 4S3HKjraAP.cfg (plaintext, ~9.8 KB)<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEid7aEFb7dFxIuZcVGkoRXeZbYJQYRTpTaRoYs8vP8_HEWEQu5yaUxHC9gH7tRt2xuXzHkpac2e-La0yzVfvgSjIGBucnuRrEX1UXqzP2NMRujnYtNdzR2zC5dgNRF8caAhOALiNVGBzWXb-O326cYWu9KHPgygyG4S1ksEmOEhJb94PNWQJuCI-5DDKjw\/s1700-e365\/24.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEid7aEFb7dFxIuZcVGkoRXeZbYJQYRTpTaRoYs8vP8_HEWEQu5yaUxHC9gH7tRt2xuXzHkpac2e-La0yzVfvgSjIGBucnuRrEX1UXqzP2NMRujnYtNdzR2zC5dgNRF8caAhOALiNVGBzWXb-O326cYWu9KHPgygyG4S1ksEmOEhJb94PNWQJuCI-5DDKjw\/s1700-e365\/24.png\" alt=\"\" border=\"0\" data-original-height=\"541\" data-original-width=\"1176\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Stage 3 code screenshot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjQ3mTsw3t2Q3v5GaAuklIHh4KPPl5a7qF0JGYnZNMmoi1rf3Ip6Zn81dlD5w0Mqu1U3MECTc4WQes_R55XUwRtIYDgVXJogCi6FPyHqtHhB7op6dYEPDuJiI4lv-XWX-qVtdmGlkrfN331qNdRNlI-5YQYXZ-nPAlj1G0kAiLDCWkaEoX3c-_fh1iTCtY\/s1700-e365\/25.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjQ3mTsw3t2Q3v5GaAuklIHh4KPPl5a7qF0JGYnZNMmoi1rf3Ip6Zn81dlD5w0Mqu1U3MECTc4WQes_R55XUwRtIYDgVXJogCi6FPyHqtHhB7op6dYEPDuJiI4lv-XWX-qVtdmGlkrfN331qNdRNlI-5YQYXZ-nPAlj1G0kAiLDCWkaEoX3c-_fh1iTCtY\/s1700-e365\/25.png\" alt=\"\" border=\"0\" data-original-height=\"570\" data-original-width=\"1185\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Stage 3 decrypted code screenshot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Stage 3 is the malware&#8217;s main payload &#8211; a JavaScript file that runs silently in the background on every system boot. It is written to disk under a randomly generated filename with a non-descriptive extension, making pattern-based file detection unreliable across different malware distributions. It runs inside conhost.exe, a legitimate Windows process, so it does not stand out in Task Manager. All strings inside the file &#8211; including server addresses and API names &#8211; are encrypted, making static analysis difficult.<\/p>\n<p>When executed, the RAT first assigns to the infected machine a persistent identity. It reads a unique bot ID from a hidden file on disk or generates a fresh one if the file does not yet exist and stores it for use in all future communication. It also computes a working directory path derived from the machine&#8217;s username and computer name, making that path unique on every victim system.<\/p>\n<p>RAT\u2019s next task is to find out where its command-and-control server is. 
Rather than hardcoding a server address directly, which could be blocked by defenders, the attacker stores the address inside an Ethereum smart contract on the blockchain. The RAT queries nine public Ethereum API services in parallel and picks the answer that the majority return &#8211; this makes the lookup reliable even if some services are temporarily down. Because the address lives on the blockchain, it cannot be taken down by blocking a domain or an IP address; the attacker can update it at any time by sending a single transaction. Independent of everything else, a background timer re-runs this blockchain lookup every five minutes, so if the attacker publishes a new server address, the RAT switches to it automatically on its next contact attempt without needing to restart.<\/p>\n<p>Once the C2 address is known, the RAT enters a continuous polling loop, repeatedly beaconing to the server to check for new commands. Each request is constructed to resemble an ordinary browser fetch for a static web asset: the URL path contains random hex segments, a randomly chosen common file extension (.png, .jpg, .gif, .css, .ico, or .webp), and a randomly selected query parameter name. While every beacon looks different to a network observer, each one also silently carries the bot&#8217;s unique ID and a campaign identifier baked into the build, allowing the attacker&#8217;s server to recognize and track each victim individually. The RAT also sends its own source code to the server and receives back a freshly obfuscated replacement, which it writes over itself on disk, effectively re-obfuscating itself on every execution, whether it was launched from the \u201c.msi\u201d or from the persistent Run registry key. 
Commands from the attacker arrive as JavaScript code and are executed directly inside the running Node.js process, giving the attacker full access to the file system, the ability to run any OS command, and the ability to exfiltrate data &#8211; all without ever dropping a traditional executable to disk.<\/p>\n<p>Every action the malware takes (startup, blockchain resolution, re-obfuscation, every poll request, task receipt, task execution, errors, and URL updates) is written to %APPDATA%\\svchost.log, keeping a complete operational trace of everything the RAT does.<\/p>\n<p>For all samples analyzed, the same 9 endpoints were queried to obtain the C2 address from the contract.<\/p>\n<p>Earlier versions of this malware used fewer stages between execution and the start of C2 communications and followed the same file extension pattern: .msi -&gt; .cmd -&gt; .js -&gt; obfuscated file with no clear extension. Additionally, the oldest sample Atos researchers were able to find had a fallback C2 IP hardcoded inside the RAT logic, used when the smart contract was unresponsive. 
This C2 IP was the same as the first value set for the smart contract from this oldest sample (hxxp[:\/\/]135[.]125[.]255[.]55).<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhz0x3OHl9sEb7Z48I_zp9jsLuTRgpGFV3rDfMcbuGP51z-0BHWQXWTFthnd255qQ-dqUKJrPC07hb3WyvH6MO4B_vH5XOOZQZjigbUydsKWGB_9tl1R2WDzX5HJwwFAveYJ_HCbG0zFNqX-CN-k55nhm2ORl6xmdggj3deQppYRny89L9yNoOFc1P2lgA\/s1700-e365\/44.jpg\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhz0x3OHl9sEb7Z48I_zp9jsLuTRgpGFV3rDfMcbuGP51z-0BHWQXWTFthnd255qQ-dqUKJrPC07hb3WyvH6MO4B_vH5XOOZQZjigbUydsKWGB_9tl1R2WDzX5HJwwFAveYJ_HCbG0zFNqX-CN-k55nhm2ORl6xmdggj3deQppYRny89L9yNoOFc1P2lgA\/s1700-e365\/44.jpg\" alt=\"\" border=\"0\" data-original-height=\"827\" data-original-width=\"802\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Simplified Stage 3 graph (<a href=\"https:\/\/github.com\/Atos-TRC\/EtherRAT-appendixes?tab=readme-ov-file#stage-3--rat-c2-resolution--polling-loop\" rel=\"nofollow\" target=\"_blank\">link<\/a>\u00a0to detailed)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Decentralized C2 Infrastructure<\/h3>\n<p>The campaign implements a decentralized C2 model that does not rely on fixed domains or attacker-controlled servers. Instead, the malware retrieves its C2 address from the Ethereum blockchain. Each sample contains the address of a specific Ethereum <strong>smart contract<\/strong>, which is queried periodically via multiple public Ethereum RPC services. In this context, a smart contract is a small piece of program logic stored on the blockchain that can hold data and return it on request in a consistent and verifiable way. 
This design enables centralized C2 changes without modifying or redeploying the malware, increasing resilience against takedown and blocklisting efforts.<\/p>\n<p>For the purpose of this explanation, we used one of the contracts used by attackers (<em>0xc12c8d8f9706244eca0acf04e880f10ff4e52522)<\/em> and the wallet that funded it (<em>0x37ef6e88425613564b2cf8adc496acff4b6481a9).<\/em><\/p>\n<p>The smart contract used for C2 resolution is implemented as an on\u2011chain coordination mechanism and shows clear signs of operational use during its lifetime. Its blockchain record exposes a defined contract address, a fixed creation timestamp, and a sequence of transactions submitted over time. The observed activity indicates that the contract instance is actively used as part of a broader and persistent C2 resolution architecture, even though individual smart contracts may be replaced or rotated as the campaign evolves.\u00a0<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCTSu4yNl2mD03obrPSCEyH0qO5pQ9yKpFj4wXJeTBmh53WN1hnlVthWdwrquf-FgK-oXuUzAXfWBrNXjp7gZl4Mx_jOsvO_oHHkKJDeejn0K3nFGH9YS4debxsA1nQLB3zXyZhqj4o0Sn7E1gB39zvNVs_TNsu0BFFJvq5sv7_BxbaKhNUy5QBucNfH0\/s1700-e365\/27.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCTSu4yNl2mD03obrPSCEyH0qO5pQ9yKpFj4wXJeTBmh53WN1hnlVthWdwrquf-FgK-oXuUzAXfWBrNXjp7gZl4Mx_jOsvO_oHHkKJDeejn0K3nFGH9YS4debxsA1nQLB3zXyZhqj4o0Sn7E1gB39zvNVs_TNsu0BFFJvq5sv7_BxbaKhNUy5QBucNfH0\/s1700-e365\/27.png\" alt=\"\" border=\"0\" data-original-height=\"772\" data-original-width=\"1732\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Etherscan contract overview 
page<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The contract can be directly associated with the Ethereum wallet that deployed it. Review of the wallet\u2019s activity shows repeated interactions with the same contract during its operational period, demonstrating that control over C2 resolution is exercised through blockchain transactions. This confirms that changes to C2 distribution are performed independently of the malware already deployed on compromised systems.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEibYNSBjiSlLwmGzT9fqyc44KGcr9ycbH8pE0Nyznn_2NLWKuOdX-1LyaQCNlqsZKmmvHz41TrKRsJ3CU0P_2hIiqol0RvMNNoHs5EjIzEg_9kIjbfmt2SHlo5SNXbq8bFm7UZHfd6zRVXmS-yKbc6Xrgy7JT7PPMZiSnqK_bD05_Q-_7b7_Ilk8GzrkVc\/s1700-e365\/28.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEibYNSBjiSlLwmGzT9fqyc44KGcr9ycbH8pE0Nyznn_2NLWKuOdX-1LyaQCNlqsZKmmvHz41TrKRsJ3CU0P_2hIiqol0RvMNNoHs5EjIzEg_9kIjbfmt2SHlo5SNXbq8bFm7UZHfd6zRVXmS-yKbc6Xrgy7JT7PPMZiSnqK_bD05_Q-_7b7_Ilk8GzrkVc\/s1700-e365\/28.png\" alt=\"\" border=\"0\" data-original-height=\"793\" data-original-width=\"1721\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Etherscan wallet page<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Analysis of the contract\u2019s transaction history reveals multiple state-changing calls used to update values stored on-chain. Each of these updates corresponds to a change in the C2 address retrieved by the malware during its regular resolution cycle. 
As a result, infected systems automatically redirect to the new backend infrastructure without requiring any additional payload delivery or local configuration changes.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgGFK0Wsj1_0lR9vpIkFGQ7DOeQ8GQcEELNEefHXwWzEk25bafpWl5wJkOP8E8VE75l5xYx3VSD0gqHDVZWbinRrNW6Cddcoby1sTgDQlauoqdzo-MW3xXnL8DY1VYcFyU1DTFxWLP9dNfUrGaIVikU66LD23x8HbgB1NwcYSTULDUDFT9jjp6NktlVHpE\/s1700-e365\/28.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgGFK0Wsj1_0lR9vpIkFGQ7DOeQ8GQcEELNEefHXwWzEk25bafpWl5wJkOP8E8VE75l5xYx3VSD0gqHDVZWbinRrNW6Cddcoby1sTgDQlauoqdzo-MW3xXnL8DY1VYcFyU1DTFxWLP9dNfUrGaIVikU66LD23x8HbgB1NwcYSTULDUDFT9jjp6NktlVHpE\/s1700-e365\/28.png\" alt=\"\" border=\"0\" data-original-height=\"793\" data-original-width=\"1721\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Etherscan contract transaction list highlighting repeated state\u2011changing calls (Set String)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>At the transaction level, a single state-changing operation is sufficient to redirect all active infections. Detailed inspection shows that one blockchain write operation, submitted from the operator\u2019s wallet, modifies the contract state and is immediately reflected in subsequent C2 resolution attempts by the malware. 
This replaces traditional infrastructure management steps, such as domain registration, DNS updates, or server redeployment, with a single on-chain transaction.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnrzlSgVp_lnCYsQyT1ku0FUTMX4ebXseDoIex_e9r8cZEb7scoPFxFHL14b5eTOXRvx8e_7RgR2gCrrj0H0sepORk2erYUVyx-yW5Juo2FlizzmyBk3xM3dfCWjDovpPtG9nNRaWqHrOBkusF0g_8MnZXoCjTOyBt5SLoPnX3eqkv_5TT_jDTkYYk5tM\/s1700-e365\/29.png\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnrzlSgVp_lnCYsQyT1ku0FUTMX4ebXseDoIex_e9r8cZEb7scoPFxFHL14b5eTOXRvx8e_7RgR2gCrrj0H0sepORk2erYUVyx-yW5Juo2FlizzmyBk3xM3dfCWjDovpPtG9nNRaWqHrOBkusF0g_8MnZXoCjTOyBt5SLoPnX3eqkv_5TT_jDTkYYk5tM\/s1700-e365\/29.png\" alt=\"\" border=\"0\" data-original-height=\"698\" data-original-width=\"975\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Detailed Etherscan view of a single state\u2011changing transaction, including timestamp, sender, and input data<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>By anchoring C2 resolution to blockchain state and resolving it through widely available public Ethereum services, the campaign moves a critical dependency of its control infrastructure onto a decentralized network designed for high availability. 
This substantially limits the effectiveness of conventional disruption techniques based on domain seizure, IP blocking, or server takedown, and contributes to the operation\u2019s overall resilience and longevity.<\/p>\n<p>The full list of malicious domains found, as well as the wallets and contracts used to distribute them, is available for download and review at the <a href=\"https:\/\/github.com\/Atos-TRC\/EtherRAT-appendixes\/tree\/main\">TRC GitHub repository<\/a>.<\/p>\n<h2>Conclusions<\/h2>\n<p>As of the day of writing this article, the Administrative Utility Spoofing <strong>campaign remains a highly active<\/strong> and technically resilient threat to enterprise environments. Our research confirms that this is <strong>not merely an opportunistic malware<\/strong> cluster, but a more sophisticated operation designed for specific victim profiling. By impersonating the specialized utilities required for infrastructure management, the adversary has \u201cautomated\u201d the discovery of high-privilege IT personnel, increasing the probability that <strong>successful infections provide immediate pathways for lateral movement<\/strong> into the corporate environment.<\/p>\n<p>The campaign\u2019s <strong>operational longevity<\/strong> is rooted in two strategic factors: the <strong>dual-stage GitHub distribution<\/strong> architecture and the integration of <strong>decentralized blockchain-based C2 resolution<\/strong>. The use of SEO-optimized \u00abfacade\u00bb repositories allows the threat actors to maintain front-page visibility on search engines while isolating their malicious payloads on secondary accounts that can be rapidly rotated. 
Furthermore, the EtherHiding module\u2019s reliance on Ethereum smart contracts creates an infrastructure that is particularly difficult to dismantle.<\/p>\n<p>Malware analysis of the MSI payload distributed across this campaign identifies it as an <strong>EtherRAT<\/strong>, a modular Node.js backdoor distinguished by its high-resilience \u00ab<strong>EtherHiding<\/strong>\u00bb C2 module. The <a href=\"https:\/\/www.sysdig.com\/blog\/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks\">Sysdig Threat Research Team<\/a> has previously <strong>linked this malware to the North Korean<\/strong> state-sponsored actor &#8211;<strong> Lazarus Group<\/strong>. They noticed significant overlaps in the tooling utilized during operations conducted with the usage of EtherRAT and the \u201c<a href=\"https:\/\/socket.dev\/blog\/north-korea-contagious-interview-campaign-338-malicious-npm-packages\">Contagious Interview<\/a>\u201d campaign.<\/p>\n<p>Furthermore, in March 2026, <a href=\"https:\/\/www.sysdig.com\/blog\/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks\">eSentire&#8217;s Threat Response Unit (TRU)<\/a> investigated an open-directory web server attributed to <strong>Iranian state-sponsored group MuddyWater<\/strong> (APT34). During the engagement, TRU found on that server a malicious file with functionality to establish persistence and deploy the Tsundere botnet malware, which also integrates the \u201cEtherHiding\u201d C2 resolution logic. Their analysis documented extensive code <a href=\"https:\/\/www.esentire.com\/blog\/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons\">commonalities between EtherRAT and the Tsundere malware<\/a>.<\/p>\n<p>Active Atos TRC monitoring confirms that this operation is not yet another high-velocity stealer campaign. 
While commodity malware often prioritizes immediate data exfiltration, <strong>these actors demonstrate a focus on operational patience and stealth<\/strong>. Following the initial breach, we have documented a transition to methodical hands-on-keyboard activity characterized by a deliberate approach to environmental discovery.<\/p>\n<p>The adversary avoids aggressive, high-volume scanning that might trigger behavioural alerts, opting instead for <strong>quiet discovery to map the network\u2019s high-privilege architecture<\/strong>. This measured pace indicates that the primary objective is sustained persistence and strategic access rather than simple opportunistic extraction. By <strong>carefully profiling the environment before escalating their activity<\/strong>, the threat actors significantly increase their chances of remaining undetected within enterprise networks.<\/p>\n<p>In alignment with our commitment to proactive defense, the <strong>Atos Threat Research Center has initiated formal takedown actions<\/strong> against the identified malicious scheme in order to neutralize distribution channels and disrupt the campaign&#8217;s operational resilience.<\/p>\n<h2>Recommendations<\/h2>\n<p>To mitigate the risks associated with the <strong>Administrative Utility Spoofing<\/strong> campaign, organizations should implement the following defensive measures:<\/p>\n<ul>\n<li><strong>Restrict Decentralized Infrastructure Access:<\/strong> block access to the public Ethereum (ETH) RPC endpoints used by EtherRAT, listed in the Appendixes section. 
These gateways are the primary heartbeat of the decentralized C2 resolution mechanism.<\/li>\n<li><strong>Retrospective Communication Review:<\/strong> review historical logs to identify any outbound communications with the listed ETH RPC endpoints and with the historical C2 domains identified in this research.<\/li>\n<li><strong>Tool Provenance &amp; Administrative Awareness:<\/strong> ensure that IT personnel obtain all administrative tools from verified internal software centers or direct, authenticated vendor portals. It is important to educate administrators on the risks of sourcing critical utilities from search engine results.<\/li>\n<li><strong>Behavioural Threat Hunting:<\/strong> the following behavioural patterns should be reviewed in the organization\u2019s telemetry:\n<ul>\n<li>repeated, high-frequency beacons (every 500ms) to suspicious external domains<\/li>\n<li>periodic outbound requests (every 30000ms or 5 minutes) to public ETH RPC endpoints<\/li>\n<li>suspicious process trees: node.exe processes executing shell commands, which may indicate the secondary stages of the EtherRAT payload<\/li>\n<li>usage of <em>conhost.exe<\/em> with the <em>--headless<\/em> argument, a common artifact of the malware&#8217;s attempts to maintain a silent background presence.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Appendixes<\/h2>\n<p>A complete list of Indicators of Compromise (IoCs), mapped TTPs, and detailed malware relationship graphs for this campaign is available for download and review at the <a href=\"https:\/\/github.com\/Atos-TRC\/EtherRAT-appendixes\/tree\/main\">TRC GitHub repository<\/a>.<\/p>\n<blockquote><p><em>Find out the latest threat intelligence and adversary research insights on <a href=\"https:\/\/atos.net\/en\/lp\/cybershield\">Atos Cyber Shield Blogs.<\/a><\/em><\/p><\/blockquote>\n<div class=\"cf note-b\"><span class=\"\">This article is a contributed piece from one of our valued partners.<\/span><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":770,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1484,1482,1481,1485,71,1483,261],"class_list":["post-769","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-administrative","tag-distribution","tag-etherrat","tag-facades","tag-github","tag-spoofing","tag-tools"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=769"
}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/769\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/770"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}